CVE-2015-1164

UNKNOWN
Published 2015-01-21T15:00:00

No CVSS data available

Description

Open redirect vulnerability in the serve-static plugin before 1.7.2 for Node.js, when mounted at the root, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a // (slash slash) followed by a domain in the PATH_INFO to the default URI.

GitHub Security Advisories

GitHub Reviewed. Severity: Low

Open Redirect in serve-static

GHSA-c3x7-gjmx-r2ff

Advisory Details

Versions of `serve-static` prior to 1.6.5 (or 1.7.x prior to 1.7.2) are affected by an open redirect vulnerability on some browsers when configured to mount at the root directory.

Proof of Concept

A link to `http://example.com//www.google.com/%2e%2e` will redirect to `//www.google.com/%2e%2e`. Some browsers will interpret this as `http://www.google.com/%2e%2e`, resulting in an external redirect.

Recommendation

Version 1.7.x: Update to version 1.7.2 or later.
Version 1.6.x: Update to version 1.6.5 or later.
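The root cause described above and in the CVE description is that a directory redirect built from the raw request path keeps a leading `//`, which browsers treat as a protocol-relative URL. The following is an added illustration, not serve-static's own code: the unsafe pattern beside a hardened one that collapses leading slashes (it also folds leading backslashes, which goes beyond the advisory, since common browsers treat `\` as `/` in http URLs), plus a response-side check a reviewer or test suite can apply to a `Location` value.

```javascript
// Added example (not serve-static's code). Demonstrates why appending '/'
// to a raw root-mounted request path yields an open redirect, and a fix.

// Unsafe pattern: the Location header is the raw path plus a trailing '/'.
// For a path starting with '//', the result is protocol-relative and the
// browser resolves it against the attacker-chosen host in the path.
function vulnerableRedirectLocation(requestPath) {
  return requestPath + '/';
}

// Hardened pattern: collapse any run of leading slashes (and backslashes,
// which browsers normalise to '/') into a single '/', so the resulting
// Location can only ever be a same-origin absolute path.
function collapseLeadingSlashes(str) {
  return str.replace(/^[\/\\]+/, '/');
}

function hardenedRedirectLocation(requestPath) {
  return collapseLeadingSlashes(requestPath + '/');
}

// Defensive check for a computed Location value: true when a browser would
// read it as protocol-relative (two or more leading slashes/backslashes).
function isProtocolRelative(location) {
  return /^[\/\\]{2,}/.test(location);
}

// Constructed input taken from the advisory's proof of concept.
const pocPath = '//www.google.com/%2e%2e';

function demo() {
  const unsafe = vulnerableRedirectLocation(pocPath);
  const safe = hardenedRedirectLocation(pocPath);
  return {
    unsafe,                      // '//www.google.com/%2e%2e/'  (external)
    unsafeIsExternal: isProtocolRelative(unsafe), // true
    safe,                        // '/www.google.com/%2e%2e/'   (same origin)
    safeIsExternal: isProtocolRelative(safe),     // false
  };
}

console.log(demo());
```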

Affected Packages

npm serve-static, affected range: ≥0 <1.7.2
npm serve-static, affected range: ≥1.7.0 <1.7.2

CVSS Scoring

CVSS Score

2.5

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N

Advisory provided by GitHub Security Advisory Database. Published: August 31, 2020, Modified: September 23, 2021

Published: 2015-01-21T15:00:00
Last Modified: 2024-08-06T04:33:20.662Z