Serve-static is a lightweight and efficient npm package designed to serve static files in web applications, commonly used with Node.js frameworks like Express.js. Version 1.0.2 improves upon the earlier 1.0.1 primarily through an updated dependency on the 'send' module, which handles the actual file serving logic. 1.0.2 utilizes 'send' version 0.2.0, while 1.0.1 relies on the older 'send' version 0.1.4. This send update likely includes bug fixes, performance enhancements, and potentially new features related to file delivery, caching, or security.
For developers, the key implication is enhanced reliability and potentially improved performance in serving static assets like images, stylesheets, and JavaScript files. While the core functionality remains consistent – configuring serve-static to expose a directory of files over HTTP – the newer version benefits from the cumulative improvements in its underlying "send" dependency. Both versions conveniently offer straightforward integration with middleware-based web applications, making it easy to add static file hosting capabilities without significant overhead. Developers should upgrade to the latest version (1.0.2 in this case) to receive these under-the-hood improvements without any code changes required in most implementations. The MIT license ensures flexibility for incorporating this package into various projects.
All the vulnerabilities related to the version 1.0.2 of the package
Open Redirect in serve-static
Versions of serve-static prior to 1.6.5 ( or 1.7.x prior to 1.7.2 ) are affected by an open redirect vulnerability on some browsers when configured to mount at the root directory.
A link to http://example.com//www.google.com/%2e%2e will redirect to //www.google.com/%2e%2e
Some browsers will interpret this as http://www.google.com/%2e%2e, resulting in an external redirect.
Version 1.7.x: Update to version 1.7.2 or later. Version 1.6.x: Update to version 1.6.5 or later.
serve-static vulnerable to template injection that can lead to XSS
passing untrusted user input - even after sanitizing it - to redirect() may execute untrusted code
this issue is patched in serve-static 1.16.0
users are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist
successful exploitation of this vector requires the following:
Directory Traversal in send
Versions 0.8.3 and earlier of send are affected by a directory traversal vulnerability. When relying on the root option to restrict file access it may be possible for an application consumer to escape out of the restricted directory and access files in a similarly named directory.
For example, static(_dirname + '/public') would allow access to _dirname + '/public-restricted'.
Update to version 0.8.4 or later.
Root Path Disclosure in send
Versions of send prior to 0.11.2 are affected by an information leakage vulnerability which may allow an attacker to enumerate paths on the server filesystem.
Update to version 0.11.1 or later.
send vulnerable to template injection that can lead to XSS
passing untrusted user input - even after sanitizing it - to SendStream.redirect() may execute untrusted code
this issue is patched in send 0.19.0
users are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist
successful exploitation of this vector requires the following:
mime Regular Expression Denial of Service when MIME lookup performed on untrusted user input
Affected versions of mime are vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.
Update to version 2.0.3 or later.
Regular Expression Denial of Service in fresh
Affected versions of fresh are vulnerable to regular expression denial of service when parsing specially crafted user input.
Update to version 0.5.2 or later.
