CVE-2014-6394
Directory Traversal in send
EPSS 4.8%
Description
visionmedia send before 0.8.4 for Node.js uses a partial comparison for verifying whether a directory is within the document root, which allows remote attackers to access restricted directories, as demonstrated using "public-restricted" under a "public" directory.
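The partial comparison described above, next to a boundary-aware check, as an added example (this is not the code of the send package; the function names, the root /srv/app/public and the sample paths are constructed for illustration):

```javascript
// Added illustration; not the send package's own implementation.
const path = require('path');

// Constructed document root (assumption for this example).
const ROOT = path.resolve('/srv/app/public');

// Resolve a request path against the root into a normalized absolute path.
function resolveTarget(root, requestPath) {
  return path.resolve(path.join(root, requestPath));
}

// Flawed: a bare prefix comparison. A sibling directory whose name merely
// begins with the root's name ("public-restricted") also passes.
function isInsideRootPartial(root, requestPath) {
  return resolveTarget(root, requestPath).indexOf(root) === 0;
}

// Corrected: the target must be the root itself, or start with the root
// followed by a path separator, so the match ends on a directory boundary.
function isInsideRootStrict(root, requestPath) {
  const target = resolveTarget(root, requestPath);
  return target === root || target.startsWith(root + path.sep);
}

// Constructed sample request paths.
const SAMPLES = [
  '/',
  '/index.html',
  '/css/site.css',
  '/../public-restricted/secret.txt',
  '/../other/file.txt',
];

// Return the samples on which the two checks disagree; these are the
// requests the partial comparison wrongly treats as inside the root.
function findDisagreements(root, samples) {
  return samples.filter(
    (p) => isInsideRootPartial(root, p) !== isInsideRootStrict(root, p)
  );
}

for (const p of SAMPLES) {
  console.log(p, 'partial:', isInsideRootPartial(ROOT, p),
    'strict:', isInsideRootStrict(ROOT, p));
}
```

A regression test for any static file handler can reuse the same idea: create a sibling directory that shares the root's name as a prefix and assert that requests resolving into it are rejected.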
How to fix CVE-2014-6394
To remediate CVE-2014-6394, upgrade the affected package to one of the fixed versions listed below.
- Debian/node-send—upgrade to 0.9.4-1 or later
- npm/send—upgrade to 0.8.4 or later
Is CVE-2014-6394 being exploited?
Low — EPSS is 4.8%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- Debian/node-send: from 0, < 0.9.4-1
- npm/send: from 0, < 0.8.4