Miggo Logo
Miggo Vulnerability Database
CVE-2022-21192

CVE-2022-21192: Directory Traversal vulnerability in serve-lite

7.5

CVSS Score
3.1

Basic Information

CVE ID
CVE-2022-21192
GHSA ID
GHSA-5qq4-m6c3-xxmf
EPSS Score
0.77215%
CWE
CWE-22
Published
1/26/2023
Updated
1/30/2023
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
serve-litenpm<= 1.1.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from the code shown in server.js lines 111-114 (as referenced in the PoC), where req.url is decoded and passed to path.join() without proper sanitization. The path.join() operation with user-controlled input enables directory traversal when combined with Node.js path resolution behavior. The proof of concept demonstrates this by accessing ../../package.json, confirming the lack of path containment checks. The primary vulnerable code path is the GET request handler that processes URLs and resolves file paths.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*ll v*rsions o* t** p**k*** s*rv*-lit* *r* vuln*r**l* to *ir**tory Tr*v*rs*l *u* to missin* input s*nitiz*tion or ot**r ****ks *n* prot**tions *mploy** to t** r*q.url p*ss** *s-is to p*t*.join().

Reasoning

T** vuln*r**ility st*ms *rom t** *o** s*own in s*rv*r.js lin*s ***-*** (*s r***r*n*** in t** Po*), w**r* r*q.url is ***o*** *n* p*ss** to p*t*.join() wit*out prop*r s*nitiz*tion. T** p*t*.join() op*r*tion wit* us*r-*ontroll** input *n**l*s *ir**tory