All versions of superstatic are vulnerable to path traversal when used on Windows.
Additionally, it is vulnerable to path traversal on other platforms combined with certain Node.js versions which erroneously normalize \\ to / in paths on all platforms (a known example being Node.js v9.9.0).
WS-2018-0116 - High Severity Vulnerability
Vulnerable Library - superstatic-4.0.1.tgz
A static file server for fancy apps
Library home page: https://registry.npmjs.org/superstatic/-/superstatic-4.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/superstatic/package.json
Dependency Hierarchy: - docpress-0.7.4.tgz (Root Library) - metalsmith-start-2.0.1.tgz - :x: **superstatic-4.0.1.tgz** (Vulnerable Library)
Found in HEAD commit: e8304e6335e5d45f5599a6dd9950348f734192b7
Found in base branch: master
Vulnerability Details
All versions of superstatic are vulnerable to path traversal when used on Windows. Additionally, it is vulnerable to path traversal on other platforms combined with certain Node.js versions which erroneously normalize \\ to / in paths on all platforms (a known example being Node.js v9.9.0).
Publish Date: 2018-02-28
URL: WS-2018-0116
CVSS 3 Score Details (8.6)
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Changed - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://hackerone.com/reports/319951
Release Date: 2018-02-28
Fix Resolution (superstatic): 5.0.2
Direct dependency fix Resolution (docpress): 0.7.5
Step up your Open Source Security Game with Mend here