| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| serve-static | npm | < 1.16.0 | 1.16.0 |
| serve-static | npm | >= 2.0.0, < 2.1.0 | 2.1.0 |

The vulnerability description indicates that passing untrusted user input to `redirect()` could lead to code execution due to template injection. The provided patches (0c11fad159898cdc69fd9ab63269b72468ecaf6b and ce730896fddce1588111d9ef6fdf20896de5c6fa, which contain identical changes) modify the `createRedirectDirectoryListener` function in `index.js`. Specifically, they remove the generation of an HTML anchor (`<a>`) tag within the redirect message. The `loc` variable, derived from the URL, was used in constructing this anchor tag.

The advisory mentions that even sanitized input could be problematic. Removing the dynamic anchor tag construction directly addresses the described vulnerability vector within this function. `createRedirectDirectoryListener` is therefore identified as the vulnerable function: it contained the logic that processed potentially malicious input (`loc`) in a way that could lead to XSS.
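The shape of the change described above, as an added example rather than serve-static's own code: a simplified model of the redirect message before and after the anchor was removed, with a regression check that reports any anchor left in the body. The function names, the minimal `escapeHtml` helper and the sample paths are assumptions constructed for illustration.

```javascript
// Added illustration: a simplified model, not serve-static's source.
// escapeHtml is a minimal local helper (assumption) standing in for the real dependency.
function escapeHtml (s) {
  return String(s).replace(/[&<>"']/g, function (c) {
    return { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]
  })
}

// Pre-patch shape: loc is placed in an href attribute and in the link text.
// Escaping prevents markup breakout, but the value still ends up as a link target.
function redirectBodyBefore (loc) {
  return 'Redirecting to <a href="' + escapeHtml(loc) + '">' + escapeHtml(loc) + '</a>'
}

// Post-patch shape: loc appears only as escaped text; no anchor is generated.
function redirectBodyAfter (loc) {
  return 'Redirecting to ' + escapeHtml(loc)
}

// Regression check: report whether a body contains an anchor and which href values it carries.
function auditRedirectBody (body) {
  var hrefs = []
  var re = /<a\b[^>]*\bhref="([^"]*)"/gi
  var m
  while ((m = re.exec(body)) !== null) hrefs.push(m[1])
  return { hasAnchor: /<a\b/i.test(body), hrefs: hrefs }
}

// Constructed sample values for loc (not taken from the advisory).
var samples = ['/docs/', '/a&b/"quoted"/']

samples.forEach(function (loc) {
  var before = auditRedirectBody(redirectBodyBefore(loc))
  var after = auditRedirectBody(redirectBodyAfter(loc))
  console.log(JSON.stringify({ loc: loc, before: before, after: after }))
})
```

A check like `auditRedirectBody` can sit in a test suite to catch a later change that reintroduces a URL-derived link into the redirect page.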