HIGH · CVSS 7.5
CVE-2024-43799 — send directory traversal
A path-traversal bug in the `send` module — used by Express's static file server — could allow reading files outside the configured root under specific path configurations.
Affects
- `send` < 0.19.0
What an attacker does
The attacker requests a URL with encoded traversal sequences (`%2e%2e%2f`). Before the patch, send's path normalization allowed escaping the root on some filesystems, exposing configuration files or secrets.
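To make the mechanism above concrete from the defender's side, here is an added example (not code from the advisory, Securie, or the `send` project) that scans access-log lines and flags requests whose path, after percent-decoding and `..`-resolution, climbs above the served root. The log lines and the simplified log format are constructed for illustration; the decode-before-normalize order is the point the paragraph describes.

```javascript
// Added example, not part of the advisory: flag request paths that escape the
// served root once encoded traversal sequences are decoded and normalized.

// Decode repeatedly until the string stops changing (bounded), so the path is
// judged on its final decoded form rather than on the raw URL bytes.
function fullyDecode(s, maxRounds = 3) {
  let cur = s;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try {
      next = decodeURIComponent(cur);
    } catch {
      return cur; // malformed escape sequence: leave as is
    }
    if (next === cur) return cur;
    cur = next;
  }
  return cur;
}

// Resolve "." and ".." segments the way a static file server would.
// Returns true when the path pops past the root (i.e. would leave it).
function escapesRoot(urlPath) {
  const decoded = fullyDecode(urlPath.split("?")[0]).replace(/\\/g, "/");
  const stack = [];
  for (const seg of decoded.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") {
      if (stack.length === 0) return true;
      stack.pop();
    } else {
      stack.push(seg);
    }
  }
  return false;
}

// Minimal access-log line: `ip - - [timestamp] "METHOD path HTTP/x" status`
// (a constructed, simplified combined-log shape).
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/;

// Return one hit per line whose path escapes the root. A 2xx status on such a
// request is the case worth paging on; a 404 still shows probing.
function scanLog(lines) {
  const hits = [];
  for (const line of lines) {
    const m = LINE_RE.exec(line);
    if (!m) continue;
    const [, ip, ts, method, path, status] = m;
    if (escapesRoot(path)) {
      hits.push({ ip, ts, method, path, status: Number(status) });
    }
  }
  return hits;
}

// Constructed sample log: one benign request, one encoded traversal, one
// literal traversal, and a benign ".." that stays inside the root.
const sampleLog = [
  '10.0.0.5 - - [01/Sep/2024:10:00:01 +0000] "GET /static/app.js HTTP/1.1" 200',
  '10.0.0.9 - - [01/Sep/2024:10:00:02 +0000] "GET /static/%2e%2e%2f%2e%2e%2fconfig.json HTTP/1.1" 200',
  '10.0.0.9 - - [01/Sep/2024:10:00:03 +0000] "GET /static/../../.env HTTP/1.1" 404',
  '10.0.0.7 - - [01/Sep/2024:10:00:04 +0000] "GET /static/img/../logo.png HTTP/1.1" 200',
];

for (const hit of scanLog(sampleLog)) {
  console.log(`traversal attempt from ${hit.ip} (${hit.status}): ${hit.path}`);
}
```

The check is relative to the URL root that the static handler serves; `/static/img/../logo.png` is left alone because it resolves inside that root, while the encoded form decodes to `/static/../../config.json` and is flagged. A raw substring match on `..` would miss the encoded request entirely, which is why decoding precedes normalization.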
How to detect
Check the dependency tree (lockfile) for any copy of `send` below 0.19.0. It is typically a transitive dependency pulled in through Express, so it will not appear among your direct dependencies.
How to fix
Upgrade to Express 4.20.0 or later, which pulls in `send` 0.19.0 or later.
How Securie catches it
Securie flags the transitive dependency chain that pulls the vulnerable `send` version into the application.
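The detection and Securie sections above both come down to the same check: find every copy of `send` below 0.19.0 in the lockfile and show the chain of dependencies that pulls it in. The following is an added example (not Securie's code and not an npm tool) of that audit over the npm lockfile v2/v3 `packages` format; the lockfile object is constructed, and the nested `node_modules` lookup order is assumed to follow npm's innermost-first resolution.

```javascript
// Added example, not Securie's implementation: report vulnerable `send`
// versions in an npm lockfile together with the dependency chain reaching them.

const FIXED_SEND = "0.19.0";

// Constructed sample lockfile: the app depends on express, which depends on
// send and on serve-static, which depends on send as well (one hoisted copy).
const sampleLock = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0", dependencies: { express: "^4.19.2" } },
    "node_modules/express": { version: "4.19.2", dependencies: { send: "0.18.0", "serve-static": "1.15.0" } },
    "node_modules/serve-static": { version: "1.15.0", dependencies: { send: "0.18.0" } },
    "node_modules/send": { version: "0.18.0" },
  },
};

// Compare dotted version strings numerically; pre-release suffixes are ignored.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Package name from a lockfile path such as "node_modules/express/node_modules/send".
function nameFromPath(p) {
  return p.slice(p.lastIndexOf("node_modules/") + "node_modules/".length);
}

// Find the lockfile entry that `dep` resolves to from `fromPath`, walking
// outward through nested node_modules directories (innermost first).
function resolveDep(lock, fromPath, dep) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + dep;
    if (lock.packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Walk the graph from the root and collect every chain root -> ... -> target
// whose target version is below `fixed`. The visited set stops cycles.
function findVulnerableChains(lock, target = "send", fixed = FIXED_SEND) {
  const chains = [];
  const visited = new Set();
  function walk(path, chain) {
    const entry = lock.packages[path];
    if (!entry) return;
    const name = path === "" ? entry.name || "(root)" : nameFromPath(path);
    const here = chain.concat(`${name}@${entry.version}`);
    if (path !== "" && name === target) {
      if (compareVersions(entry.version, fixed) < 0) chains.push(here);
      return;
    }
    if (visited.has(path)) return; // already expanded via another route
    visited.add(path);
    for (const dep of Object.keys(entry.dependencies || {})) {
      const next = resolveDep(lock, path, dep);
      if (next) walk(next, here);
    }
  }
  walk("", []);
  return chains;
}

for (const chain of findVulnerableChains(sampleLock)) {
  console.log("vulnerable:", chain.join(" > "));
}
```

Against the constructed lockfile this reports two chains, both ending in `send@0.18.0`: one directly through `express`, one through `express > serve-static`. Bumping the single hoisted `send` entry to 0.19.0 (which is what the Express 4.20.0 upgrade does) empties the report, which is the condition to assert in CI.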