MEDIUM · CVSS 5.3
CVE-2024-43800 — serve-static path confusion
A path-handling issue in serve-static could allow it to serve unintended files to clients that sent specially encoded URLs, especially when it ran behind a reverse proxy that preserved encoded slashes instead of normalising them.
Affects
- serve-static < 1.16.0
What an attacker does
An attacker requests `/static/..%2f..%2fsecret.json`. If the reverse proxy forwards the encoded slashes intact rather than decoding and normalising them, serve-static on an affected version could resolve the path outside its configured root on legacy configurations.
How to detect
Check your lockfile rather than package.json: serve-static is usually a transitive dependency pulled in by Express, so it will not appear as a direct dependency and may be installed more than once at different versions in the tree.
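As an added example (not Securie's or serve-static's own code), the check below walks the `packages` map of an npm lockfile (lockfileVersion 2 or 3) and reports every installed copy of serve-static, nested transitive copies included, whose version falls in the advisory's affected range (< 1.16.0). The lockfile it runs on is a constructed sample.

```javascript
// Added example: find affected serve-static copies in an npm lockfile.
// Affected range from the advisory: serve-static < 1.16.0.
const FIXED_IN = [1, 16, 0];

// Parse "1.15.0" (or "1.15.0-beta.1") into numeric [major, minor, patch].
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison, so "1.9.0" is correctly treated as older than "1.16.0"
// (a plain string comparison would get this wrong).
function isAffected(version) {
  const a = parseVersion(version);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== FIXED_IN[i]) return a[i] < FIXED_IN[i];
  }
  return false; // exactly 1.16.0 is the first fixed version
}

// Return every installed path of serve-static whose version is affected.
// Nested paths such as node_modules/express/node_modules/serve-static are
// transitive copies; a root-level copy at 1.16.0 does not prove the tree is clean.
function findAffectedServeStatic(lockfile) {
  const hits = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (!path.endsWith('node_modules/serve-static')) continue;
    if (isAffected(meta.version)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed sample lockfile: an older Express dragging in its own nested
// serve-static 1.15.0, next to a root-level copy already pinned to 1.16.0.
const sampleLockfile = {
  lockfileVersion: 3,
  packages: {
    'node_modules/express': { version: '4.19.2' },
    'node_modules/serve-static': { version: '1.16.0' },
    'node_modules/express/node_modules/serve-static': { version: '1.15.0' },
  },
};

console.log(findAffectedServeStatic(sampleLockfile));
```

To run it against a real project, replace `sampleLockfile` with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`; an empty result means no affected copy is installed.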
How to fix
Upgrade to Express 4.20.0 or later, which pulls in a fixed serve-static; if serve-static is installed on its own, upgrade it directly to 1.16.0 or later.
How Securie catches CVE-2024-43800
Securie flags this by following the framework's dependency chain, so a vulnerable serve-static pulled in by Express is reported even though it is not a direct dependency of the project.