Version Details and Security Vulnerabilities

📦

serve-static

1.0.1

Comparision Betweeen 1.0.1 and 1.0.0

Identify the differences between the current version of the package and the previous one.

Version

Dependencies

Dev Dependencies

Peer Dependencies

Distributed Files

N/A

Unpacked Size

N/A

Version 1.0.1 Details

Serve-static is a simple yet powerful Node.js middleware designed to effortlessly serve static files to web browsers. These two versions, 1.0.0 and 1.0.1, are incredibly similar, sharing identical dependencies like "send" for efficient file delivery and development dependencies catering to mocha, should, connect, and supertest for testing. Both versions are licensed under the permissive MIT license, emphasizing their open-source nature, and are maintained within the Express.js ecosystem, ensuring quality and community support. The author remains consistent across versions, with Douglas Christopher Wilson spearheading development.

The core functionality remains the same: enabling developers to quickly serve static assets like HTML, CSS, JavaScript, images, and other files from a specified directory, streamlining web application development. The only noticeable difference between the versions lies in their release dates. Version 1.0.1 was published on March 6, 2014, at 03:26:54.332Z, a mere 17 minutes after version 1.0.0, released at 03:09:32.347Z on the same day. This very minor discrepancy likely indicates a bug fix, an insignificant documentation update, or some internal improvement that did not warrant a larger version bump. Therefore, the upgrade is likely nonessential for most users. Developers integrating serve-static into their projects can confidently utilize either version, expecting similar performance and behavior. The package's lightweight nature and straightforward usage make it an excellent choice for serving static content in Express.js and other Node.js-based web applications.

Security Vulnerabilities

This site is an independent open-source project and is not affiliated with, endorsed by, or sponsored by npm, Inc. or GitHub, Inc. The name “npm” is a registered trademark of npm, Inc., used here solely to describe compatibility and reference publicly available npm package data.

Version Details and Security Vulnerabilities

📦

serve-static

1.0.1

Comparision Betweeen 1.0.1 and 1.0.0

Identify the differences between the current version of the package and the previous one.

Version

Dependencies

Dev Dependencies

Peer Dependencies

Distributed Files

N/A

Unpacked Size

N/A

Version 1.0.1 Details

Security Vulnerabilities

Security Details

Comprehensive list of direct or transitive vulnerabilities for version 1.0.1 of the package serve-static.

All Security Vulnerabilities

All the vulnerabilities related to the version 1.0.1 of the package

Summary:

Open Redirect in serve-static

Details:

Versions of serve-static prior to 1.6.5 ( or 1.7.x prior to 1.7.2 ) are affected by an open redirect vulnerability on some browsers when configured to mount at the root directory.

Proof of Concept

A link to http://example.com//www.google.com/%2e%2e will redirect to //www.google.com/%2e%2e

Some browsers will interpret this as http://www.google.com/%2e%2e, resulting in an external redirect.

Recommendation

Version 1.7.x: Update to version 1.7.2 or later. Version 1.6.x: Update to version 1.6.5 or later.

Details about serve-static@1.0.1

Summary:

serve-static vulnerable to template injection that can lead to XSS

Details:

Impact

passing untrusted user input - even after sanitizing it - to redirect() may execute untrusted code

Patches

this issue is patched in serve-static 1.16.0

Workarounds

users are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist

Details

successful exploitation of this vector requires the following:

The attacker MUST control the input to response.redirect()
express MUST NOT redirect before the template appears
the browser MUST NOT complete redirection before:
the user MUST click on the link in the template

Details about serve-static@1.0.1

Summary:

Directory Traversal in send

Details:

Versions 0.8.3 and earlier of send are affected by a directory traversal vulnerability. When relying on the root option to restrict file access it may be possible for an application consumer to escape out of the restricted directory and access files in a similarly named directory.

For example, static(_dirname + '/public') would allow access to _dirname + '/public-restricted'.

Recommendation

Update to version 0.8.4 or later.

Details about send@0.1.4

Summary:

Root Path Disclosure in send

Details:

Versions of send prior to 0.11.2 are affected by an information leakage vulnerability which may allow an attacker to enumerate paths on the server filesystem.

Recommendation

Update to version 0.11.1 or later.

Details about send@0.1.4

Summary:

send vulnerable to template injection that can lead to XSS

Details:

Impact

passing untrusted user input - even after sanitizing it - to SendStream.redirect() may execute untrusted code

Patches

this issue is patched in send 0.19.0

Workarounds

Details

successful exploitation of this vector requires the following:

The attacker MUST control the input to response.redirect()
express MUST NOT redirect before the template appears
the browser MUST NOT complete redirection before:
the user MUST click on the link in the template

Details about send@0.1.4

Summary:

mime Regular Expression Denial of Service when MIME lookup performed on untrusted user input

Details:

Affected versions of mime are vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.

Recommendation

Update to version 2.0.3 or later.

Details about mime@1.2.11

Summary:

Regular Expression Denial of Service in fresh

Details:

Affected versions of fresh are vulnerable to regular expression denial of service when parsing specially crafted user input.

Recommendation

Update to version 0.5.2 or later.

Details about fresh@0.2.0

Security Details

Comprehensive list of direct or transitive vulnerabilities for version 1.0.1 of the package serve-static.

All Security Vulnerabilities

All the vulnerabilities related to the version 1.0.1 of the package

Summary:

Open Redirect in serve-static

Details:

Versions of serve-static prior to 1.6.5 ( or 1.7.x prior to 1.7.2 ) are affected by an open redirect vulnerability on some browsers when configured to mount at the root directory.

Proof of Concept

A link to http://example.com//www.google.com/%2e%2e will redirect to //www.google.com/%2e%2e

Some browsers will interpret this as http://www.google.com/%2e%2e, resulting in an external redirect.

Recommendation

Version 1.7.x: Update to version 1.7.2 or later. Version 1.6.x: Update to version 1.6.5 or later.

Details about serve-static@1.0.1

Summary:

serve-static vulnerable to template injection that can lead to XSS

Details:

Impact

passing untrusted user input - even after sanitizing it - to redirect() may execute untrusted code

Patches

this issue is patched in serve-static 1.16.0

Workarounds

Details

successful exploitation of this vector requires the following:

The attacker MUST control the input to response.redirect()
express MUST NOT redirect before the template appears
the browser MUST NOT complete redirection before:
the user MUST click on the link in the template

Details about serve-static@1.0.1

Summary:

Directory Traversal in send

Details:

For example, static(_dirname + '/public') would allow access to _dirname + '/public-restricted'.

Recommendation

Update to version 0.8.4 or later.

Details about send@0.1.4

Summary:

Root Path Disclosure in send

Details:

Versions of send prior to 0.11.2 are affected by an information leakage vulnerability which may allow an attacker to enumerate paths on the server filesystem.

Recommendation

Update to version 0.11.1 or later.

Details about send@0.1.4

Summary:

send vulnerable to template injection that can lead to XSS

Details:

Impact

passing untrusted user input - even after sanitizing it - to SendStream.redirect() may execute untrusted code

Patches

this issue is patched in send 0.19.0

Workarounds

Details

successful exploitation of this vector requires the following:

The attacker MUST control the input to response.redirect()
express MUST NOT redirect before the template appears
the browser MUST NOT complete redirection before:
the user MUST click on the link in the template

Details about send@0.1.4

Summary:

mime Regular Expression Denial of Service when MIME lookup performed on untrusted user input

Details:

Affected versions of mime are vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.

Recommendation

Update to version 2.0.3 or later.

Details about mime@1.2.11

Summary:

Regular Expression Denial of Service in fresh

Details:

Affected versions of fresh are vulnerable to regular expression denial of service when parsing specially crafted user input.

Recommendation

Update to version 0.5.2 or later.

Details about fresh@0.2.0

Version Details and Security Vulnerabilities

serve-static

Comparision Betweeen 1.0.1 and 1.0.0

Version 1.0.1 Details

Security Vulnerabilities

Version Details and Security Vulnerabilities

serve-static

Comparision Betweeen 1.0.1 and 1.0.0

Version 1.0.1 Details

Security Vulnerabilities

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

serve-static@1.0.1 GHSA-c3x7-gjmx-r2ff 3.1

Proof of Concept

Recommendation

serve-static@1.0.1 GHSA-cm22-4g7w-348p 2.3

Impact

Patches

Workarounds

Details

send@0.1.4 GHSA-xwg4-93c6-3h42 N/A

Recommendation

send@0.1.4 GHSA-jgqf-hwc5-hh37 5.3

Recommendation

send@0.1.4 GHSA-m6fv-jmcg-4jfg 2.3

Impact

Patches

Workarounds

Details

mime@1.2.11 GHSA-wrvr-8mpx-r7pp 7.5

Recommendation

fresh@0.2.0 GHSA-9qj9-36jm-prpv 7.5

Recommendation

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

serve-static@1.0.1 GHSA-c3x7-gjmx-r2ff 3.1

Proof of Concept

Recommendation

serve-static@1.0.1 GHSA-cm22-4g7w-348p 2.3

Impact

Patches

Workarounds

Details

send@0.1.4 GHSA-xwg4-93c6-3h42 N/A

Recommendation

send@0.1.4 GHSA-jgqf-hwc5-hh37 5.3

Recommendation

send@0.1.4 GHSA-m6fv-jmcg-4jfg 2.3

Impact

Patches

Workarounds

Details

mime@1.2.11 GHSA-wrvr-8mpx-r7pp 7.5

Recommendation

fresh@0.2.0 GHSA-9qj9-36jm-prpv 7.5

Recommendation