MEDIUM · CVSS 5.0
CVE-2024-43800 — serve-static reflected XSS in directory redirect
serve-static before 1.16.0 (and 2.0.0 up to but not including 2.1.0) builds an HTML body for the 301 it sends when a client requests a directory under the static root without a trailing slash. That body reflected the requested URL inside a link, so attacker-controlled input reached the response markup; the upstream advisory warns that this could lead to cross-site scripting even after the input was sanitized. The fix in 1.16.0 and 2.1.0 removes the link from the redirect body entirely. The issue is in the redirect response only: it does not let a request read files outside the configured root.
Affects
- serve-static < 1.16.0
- serve-static >= 2.0.0, < 2.1.0
What an attacker does
An attacker gets a victim to open a crafted URL that names a directory under the static root without a trailing slash (for example `/static/docs` where `docs` is a directory). serve-static answers with a 301 whose HTML body echoes that URL in a link, so a sufficiently crafted URL could inject markup into the body. The attack needs user interaction, and the body only matters if the client renders it rather than following the Location header, which is why the score is moderate. No file outside the static root is served at any point.
How to detect
Check the lockfile (package-lock.json, yarn.lock or pnpm-lock.yaml) for the resolved serve-static version rather than the declared Express version: serve-static is a transitive dependency of Express, so an app whose package.json lists only `express` still installs it, and nested copies under other packages are easy to miss. `npm ls serve-static` lists every resolved copy, including nested ones, and `npm audit` reports the advisory when a copy is in the affected range.
How to fix
Upgrade to Express 4.20.0 or later, which pulls in serve-static 1.16.0. If serve-static is a direct dependency, upgrade it to 1.16.0 or later (2.1.0 or later on the 2.x line). Where an upgrade has to wait, passing `redirect: false` in the serve-static options disables the directory redirect, and with it the affected response, at the cost of directory URLs without a trailing slash returning 404.
How Securie catches it
Securie flags this by walking the framework's dependency chain in the lockfile down to the resolved serve-static version, so the transitive dependency is caught even when Express is the only package the application declares.