The 'send' package, a Node.js module designed for efficient static file serving with advanced features, saw a minor revision with the release of version 0.1.3, succeeding version 0.1.2. Both versions are intended to provide "Better streaming static file server with Range and conditional-GET support", useful to serve static files. Examining the package metadata, the core functionality and declared dependencies remain unchanged between the two versions. Key dependencies like "mime" for content type detection, "debug" for logging, "fresh" for HTTP cache freshness, and "range-parser" for handling byte range requests, persist in both releases. Development dependencies, including testing frameworks "mocha" and "should", along with "connect" and "supertest" for integration testing, also remain consistent.
The primary difference lies in the release date, with version 0.1.3 published on July 8, 2013, approximately five days after version 0.1.2, released on July 3, 2013. The difference in release dates suggests that version 0.1.3 likely contains bug fixes, performance improvements, or minor adjustments not significant enough to warrant a major or minor version bump. The core API and usage patterns are probably nearly identical between the two versions. Developers already utilizing version 0.1.2 can upgrade to 0.1.3 with minimal disruption. Those starting new projects can safely use either version, but 0.1.3 is the more recent and recommended choice.
All the vulnerabilities related to the version 0.1.3 of the package
Directory Traversal in send
Versions 0.8.3 and earlier of send are affected by a directory traversal vulnerability. When relying on the root option to restrict file access it may be possible for an application consumer to escape out of the restricted directory and access files in a similarly named directory.
For example, static(_dirname + '/public') would allow access to _dirname + '/public-restricted'.
Update to version 0.8.4 or later.
Root Path Disclosure in send
Versions of send prior to 0.11.2 are affected by an information leakage vulnerability which may allow an attacker to enumerate paths on the server filesystem.
Update to version 0.11.1 or later.
send vulnerable to template injection that can lead to XSS
passing untrusted user input - even after sanitizing it - to SendStream.redirect() may execute untrusted code
this issue is patched in send 0.19.0
users are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist
successful exploitation of this vector requires the following:
mime Regular Expression Denial of Service when MIME lookup performed on untrusted user input
Affected versions of mime are vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.
Update to version 2.0.3 or later.
Regular Expression Denial of Service in fresh
Affected versions of fresh are vulnerable to regular expression denial of service when parsing specially crafted user input.
Update to version 0.5.2 or later.
