cvelistv5 - CVE-2022-25848

CVE-2022-25848 (GCVE-0-2022-25848)

Vulnerability from cvelistv5 – Published: 2022-11-29 16:50 – Updated: 2025-04-24 17:53

Summary

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE

Directory Traversal

Assigner

snyk

References

URL

Tags

	https://security.snyk.io/vuln/SNYK-JS-STATICDEVSE…
	https://gist.github.com/lirantal/5550bcd0bdf92c1b…

Impacted products

	Vendor	Product	Version
	n/a	static-dev-server	Affected: 0 , < unspecified (custom)

Credits

Liran Tal

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T04:49:44.109Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.snyk.io/vuln/SNYK-JS-STATICDEVSERVER-3149917"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://gist.github.com/lirantal/5550bcd0bdf92c1b56fbb20e141fe5bd"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-25848",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-24T17:52:10.585842Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-22",
                "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-24T17:53:10.185Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "static-dev-server",
          "vendor": "n/a",
          "versions": [
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Liran Tal"
        }
      ],
      "datePublic": "2022-11-29T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "This affects all versions of package static-dev-server. This is because when paths from users to the root directory are joined, the assets for the path accessed are relative to that of the root directory."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Directory Traversal",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-11-29T00:00:00.000Z",
        "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
        "shortName": "snyk"
      },
      "references": [
        {
          "url": "https://security.snyk.io/vuln/SNYK-JS-STATICDEVSERVER-3149917"
        },
        {
          "url": "https://gist.github.com/lirantal/5550bcd0bdf92c1b56fbb20e141fe5bd"
        }
      ],
      "title": "Directory Traversal"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
    "assignerShortName": "snyk",
    "cveId": "CVE-2022-25848",
    "datePublished": "2022-11-29T16:50:11.226Z",
    "dateReserved": "2022-02-24T00:00:00.000Z",
    "dateUpdated": "2025-04-24T17:53:10.185Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:static-dev-server_project:static-dev-server:1.0.0:*:*:*:*:node.js:*:*\", \"matchCriteriaId\": \"55B95FC2-FADB-47C7-996A-8F4A682E9544\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"This affects all versions of package static-dev-server. This is because when paths from users to the root directory are joined, the assets for the path accessed are relative to that of the root directory.\"}, {\"lang\": \"es\", \"value\": \"Esto afecta a todas las versiones del paquete static-dev-server. Esto se debe a que cuando se unen las rutas de los usuarios al directorio ra\\u00edz, los activos de la ruta a la que se accede son relativos a los del directorio ra\\u00edz.\"}]",
      "id": "CVE-2022-25848",
      "lastModified": "2024-11-21T06:53:06.573",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"report@snyk.io\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}]}",
      "published": "2022-11-29T17:15:11.123",
      "references": "[{\"url\": \"https://gist.github.com/lirantal/5550bcd0bdf92c1b56fbb20e141fe5bd\", \"source\": \"report@snyk.io\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://security.snyk.io/vuln/SNYK-JS-STATICDEVSERVER-3149917\", \"source\": \"report@snyk.io\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://gist.github.com/lirantal/5550bcd0bdf92c1b56fbb20e141fe5bd\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://security.snyk.io/vuln/SNYK-JS-STATICDEVSERVER-3149917\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}]",
      "sourceIdentifier": "report@snyk.io",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-22\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-25848\",\"sourceIdentifier\":\"report@snyk.io\",\"published\":\"2022-11-29T17:15:11.123\",\"lastModified\":\"2025-04-24T18:15:16.343\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"This affects all versions of package static-dev-server. This is because when paths from users to the root directory are joined, the assets for the path accessed are relative to that of the root directory.\"},{\"lang\":\"es\",\"value\":\"Esto afecta a todas las versiones del paquete static-dev-server. Esto se debe a que cuando se unen las rutas de los usuarios al directorio ra\u00edz, los activos de la ruta a la que se accede son relativos a los del directorio ra\u00edz.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"report@snyk.io\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:static-dev-server_project:static-dev-server:1.0.0:*:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"55B95FC2-FADB-47C7-996A-8F4A682E9544\"}]}]}],\"references\":[{\"url\":\"https://gist.github.com/lirantal/5550bcd0bdf92c1b56fbb20e141fe5bd\",\"source\":\"report@snyk.io\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://security.snyk.io/vuln/SNYK-JS-STATICDEVSERVER-3149917\",\"source\":\"report@snyk.io\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://gist.github.com/lirantal/5550bcd0bdf92c1b56fbb20e141fe5bd\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://security.snyk.io/vuln/SNYK-JS-STATICDEVSERVER-3149917\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://security.snyk.io/vuln/SNYK-JS-STATICDEVSERVER-3149917\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://gist.github.com/lirantal/5550bcd0bdf92c1b56fbb20e141fe5bd\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T04:49:44.109Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-25848\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-24T17:52:10.585842Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-22\", \"description\": \"CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-24T17:52:14.592Z\"}}], \"cna\": {\"title\": \"Directory Traversal\", \"credits\": [{\"lang\": \"en\", \"value\": \"Liran Tal\"}], \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"n/a\", \"product\": \"static-dev-server\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"unspecified\", \"versionType\": \"custom\"}]}], \"datePublic\": \"2022-11-29T00:00:00.000Z\", \"references\": [{\"url\": \"https://security.snyk.io/vuln/SNYK-JS-STATICDEVSERVER-3149917\"}, {\"url\": \"https://gist.github.com/lirantal/5550bcd0bdf92c1b56fbb20e141fe5bd\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"This affects all versions of package static-dev-server. This is because when paths from users to the root directory are joined, the assets for the path accessed are relative to that of the root directory.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"text\", \"description\": \"Directory Traversal\"}]}], \"providerMetadata\": {\"orgId\": \"bae035ff-b466-4ff4-94d0-fc9efd9e1730\", \"shortName\": \"snyk\", \"dateUpdated\": \"2022-11-29T00:00:00.000Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2022-25848\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-04-24T17:53:10.185Z\", \"dateReserved\": \"2022-02-24T00:00:00.000Z\", \"assignerOrgId\": \"bae035ff-b466-4ff4-94d0-fc9efd9e1730\", \"datePublished\": \"2022-11-29T16:50:11.226Z\", \"assignerShortName\": \"snyk\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

CNVD-2022-85490

Vulnerability from cnvd - Published: 2022-11-29

Title

static-dev-server目录遍历漏洞

Description

static-dev-server是一个简单的http服务器，用于从本地目录提供静态资源文件，并在文件更改时自动重新加载。 npm static-dev-server所有版本存在目录遍历漏洞，该漏洞源于在处理目录请求时的路径缺乏有效性检查，攻击者可利用该漏洞通过特别设计的web请求从底层文件系统中检索任意文件。

Severity

高

Patch Name

static-dev-server目录遍历漏洞的补丁

Patch Description

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://github.com/etoah/static-dev-server

Reference

https://security.snyk.io/vuln/SNYK-JS-STATICDEVSERVER-3149917

Impacted products

Name
npm static-dev-server null

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2022-25848",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2022-25848"
    }
  },
  "description": "static-dev-server\u662f\u4e00\u4e2a\u7b80\u5355\u7684http\u670d\u52a1\u5668\uff0c\u7528\u4e8e\u4ece\u672c\u5730\u76ee\u5f55\u63d0\u4f9b\u9759\u6001\u8d44\u6e90\u6587\u4ef6\uff0c\u5e76\u5728\u6587\u4ef6\u66f4\u6539\u65f6\u81ea\u52a8\u91cd\u65b0\u52a0\u8f7d\u3002\n\nnpm static-dev-server\u6240\u6709\u7248\u672c\u5b58\u5728\u76ee\u5f55\u904d\u5386\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5728\u5904\u7406\u76ee\u5f55\u8bf7\u6c42\u65f6\u7684\u8def\u5f84\u7f3a\u4e4f\u6709\u6548\u6027\u68c0\u67e5\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7\u7279\u522b\u8bbe\u8ba1\u7684web\u8bf7\u6c42\u4ece\u5e95\u5c42\u6587\u4ef6\u7cfb\u7edf\u4e2d\u68c0\u7d22\u4efb\u610f\u6587\u4ef6\u3002",
  "discovererName": "\u5229\u5170\u5854\u5c14",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://github.com/etoah/static-dev-server",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2022-85490",
  "openTime": "2022-11-29",
  "patchDescription": "static-dev-server\u662f\u4e00\u4e2a\u7b80\u5355\u7684http\u670d\u52a1\u5668\uff0c\u7528\u4e8e\u4ece\u672c\u5730\u76ee\u5f55\u63d0\u4f9b\u9759\u6001\u8d44\u6e90\u6587\u4ef6\uff0c\u5e76\u5728\u6587\u4ef6\u66f4\u6539\u65f6\u81ea\u52a8\u91cd\u65b0\u52a0\u8f7d\u3002\r\n\r\nnpm static-dev-server\u6240\u6709\u7248\u672c\u5b58\u5728\u76ee\u5f55\u904d\u5386\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5728\u5904\u7406\u76ee\u5f55\u8bf7\u6c42\u65f6\u7684\u8def\u5f84\u7f3a\u4e4f\u6709\u6548\u6027\u68c0\u67e5\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7\u7279\u522b\u8bbe\u8ba1\u7684web\u8bf7\u6c42\u4ece\u5e95\u5c42\u6587\u4ef6\u7cfb\u7edf\u4e2d\u68c0\u7d22\u4efb\u610f\u6587\u4ef6\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "static-dev-server\u76ee\u5f55\u904d\u5386\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "npm static-dev-server null"
  },
  "referenceLink": "https://security.snyk.io/vuln/SNYK-JS-STATICDEVSERVER-3149917",
  "serverity": "\u9ad8",
  "submitTime": "2022-12-01",
  "title": "static-dev-server\u76ee\u5f55\u904d\u5386\u6f0f\u6d1e"
}

GHSA-7FXM-C848-89Q8

Vulnerability from github – Published: 2022-11-29 18:30 – Updated: 2022-12-27 18:10

Summary

static-dev-server vulnerable to path traversal

Details

A path traversal vulnerability affects all versions of package static-dev-server. This is because when paths from users to the root directory are joined, the assets for the path accessed are relative to that of the root directory. There is currently no known workaround or fix for this issue.

Severity ?

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "static-dev-server"
      },
      "versions": [
        "1.0.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2022-25848"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-02T22:21:45Z",
    "nvd_published_at": "2022-11-29T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "A path traversal vulnerability affects all versions of package static-dev-server. This is because when paths from users to the root directory are joined, the assets for the path accessed are relative to that of the root directory. There is currently no known workaround or fix for this issue.",
  "id": "GHSA-7fxm-c848-89q8",
  "modified": "2022-12-27T18:10:37Z",
  "published": "2022-11-29T18:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25848"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/lirantal/5550bcd0bdf92c1b56fbb20e141fe5bd"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/etoah/static-dev-server"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-JS-STATICDEVSERVER-3149917"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "static-dev-server vulnerable to path traversal"
}

FKIE_CVE-2022-25848

Vulnerability from fkie_nvd - Published: 2022-11-29 17:15 - Updated: 2025-04-24 18:15

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Summary

References

URL	Tags
report@snyk.io	https://gist.github.com/lirantal/5550bcd0bdf92c1b56fbb20e141fe5bd	Exploit, Third Party Advisory
report@snyk.io	https://security.snyk.io/vuln/SNYK-JS-STATICDEVSERVER-3149917	Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://gist.github.com/lirantal/5550bcd0bdf92c1b56fbb20e141fe5bd	Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://security.snyk.io/vuln/SNYK-JS-STATICDEVSERVER-3149917	Exploit, Third Party Advisory

Impacted products

	Vendor	Product	Version
	static-dev-server_project	static-dev-server	1.0.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:static-dev-server_project:static-dev-server:1.0.0:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "55B95FC2-FADB-47C7-996A-8F4A682E9544",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "This affects all versions of package static-dev-server. This is because when paths from users to the root directory are joined, the assets for the path accessed are relative to that of the root directory."
    },
    {
      "lang": "es",
      "value": "Esto afecta a todas las versiones del paquete static-dev-server. Esto se debe a que cuando se unen las rutas de los usuarios al directorio ra\u00edz, los activos de la ruta a la que se accede son relativos a los del directorio ra\u00edz."
    }
  ],
  "id": "CVE-2022-25848",
  "lastModified": "2025-04-24T18:15:16.343",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "report@snyk.io",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-11-29T17:15:11.123",
  "references": [
    {
      "source": "report@snyk.io",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://gist.github.com/lirantal/5550bcd0bdf92c1b56fbb20e141fe5bd"
    },
    {
      "source": "report@snyk.io",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://security.snyk.io/vuln/SNYK-JS-STATICDEVSERVER-3149917"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://gist.github.com/lirantal/5550bcd0bdf92c1b56fbb20e141fe5bd"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://security.snyk.io/vuln/SNYK-JS-STATICDEVSERVER-3149917"
    }
  ],
  "sourceIdentifier": "report@snyk.io",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

VAR-202211-1870

Vulnerability from variot - Updated: 2023-12-18 13:41

This affects all versions of package static-dev-server. This is because when paths from users to the root directory are joined, the assets for the path accessed are relative to that of the root directory. static-dev-server is a simple http server for serving static resource files from a local directory and automatically reloading when the files change.

All versions of npm static-dev-server have a directory traversal vulnerability. The vulnerability stems from the lack of validity check of the path when processing directory requests. Attackers can use this vulnerability to retrieve arbitrary files from the underlying file system through specially crafted web requests

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-202211-1870",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "static-dev-server",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "static dev server",
        "version": "1.0.0"
      },
      {
        "model": "static-dev-server",
        "scope": null,
        "trust": 0.6,
        "vendor": "npm",
        "version": null
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2022-85490"
      },
      {
        "db": "NVD",
        "id": "CVE-2022-25848"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:static-dev-server_project:static-dev-server:1.0.0:*:*:*:*:node.js:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2022-25848"
      }
    ]
  },
  "cve": "CVE-2022-25848",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "CNVD",
            "availabilityImpact": "NONE",
            "baseScore": 7.8,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 10.0,
            "id": "CNVD-2022-85490",
            "impactScore": 6.9,
            "integrityImpact": "NONE",
            "severity": "HIGH",
            "trust": 0.6,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:N/A:N",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "NVD",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 3.9,
            "impactScore": 3.6,
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 2.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        ],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2022-25848",
            "trust": 1.0,
            "value": "HIGH"
          },
          {
            "author": "report@snyk.io",
            "id": "CVE-2022-25848",
            "trust": 1.0,
            "value": "HIGH"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2022-85490",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-202211-3639",
            "trust": 0.6,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2022-85490"
      },
      {
        "db": "NVD",
        "id": "CVE-2022-25848"
      },
      {
        "db": "NVD",
        "id": "CVE-2022-25848"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202211-3639"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "This affects all versions of package static-dev-server. This is because when paths from users to the root directory are joined, the assets for the path accessed are relative to that of the root directory. static-dev-server is a simple http server for serving static resource files from a local directory and automatically reloading when the files change. \n\r\n\r\nAll versions of npm static-dev-server have a directory traversal vulnerability. The vulnerability stems from the lack of validity check of the path when processing directory requests. Attackers can use this vulnerability to retrieve arbitrary files from the underlying file system through specially crafted web requests",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2022-25848"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2022-85490"
      }
    ],
    "trust": 1.44
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2022-25848",
        "trust": 2.2
      },
      {
        "db": "CNVD",
        "id": "CNVD-2022-85490",
        "trust": 0.6
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202211-3639",
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2022-85490"
      },
      {
        "db": "NVD",
        "id": "CVE-2022-25848"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202211-3639"
      }
    ]
  },
  "id": "VAR-202211-1870",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2022-85490"
      }
    ],
    "trust": 1.6
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "Network device"
        ],
        "sub_category": null,
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2022-85490"
      }
    ]
  },
  "last_update_date": "2023-12-18T13:41:46.948000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "Patch for static-dev-server directory traversal vulnerability",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchinfo/show/362796"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2022-85490"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-22",
        "trust": 1.0
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2022-25848"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.2,
        "url": "https://security.snyk.io/vuln/snyk-js-staticdevserver-3149917"
      },
      {
        "trust": 1.6,
        "url": "https://gist.github.com/lirantal/5550bcd0bdf92c1b56fbb20e141fe5bd"
      },
      {
        "trust": 0.6,
        "url": "https://cxsecurity.com/cveshow/cve-2022-25848/"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2022-85490"
      },
      {
        "db": "NVD",
        "id": "CVE-2022-25848"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202211-3639"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "CNVD",
        "id": "CNVD-2022-85490"
      },
      {
        "db": "NVD",
        "id": "CVE-2022-25848"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202211-3639"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2022-11-29T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2022-85490"
      },
      {
        "date": "2022-11-29T17:15:11.123000",
        "db": "NVD",
        "id": "CVE-2022-25848"
      },
      {
        "date": "2022-11-29T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202211-3639"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2022-12-07T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2022-85490"
      },
      {
        "date": "2022-12-01T20:56:52.047000",
        "db": "NVD",
        "id": "CVE-2022-25848"
      },
      {
        "date": "2022-12-02T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202211-3639"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202211-3639"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "static-dev-server directory traversal vulnerability",
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2022-85490"
      }
    ],
    "trust": 0.6
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "path traversal",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202211-3639"
      }
    ],
    "trust": 0.6
  }
}

GSD-2022-25848

Vulnerability from gsd - Updated: 2023-12-13 01:19

Details

Aliases

CVE-2022-25848

Aliases

CVE-2022-25848

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-25848",
    "description": "This affects all versions of package static-dev-server. This is because when paths from users to the root directory are joined, the assets for the path accessed are relative to that of the root directory.",
    "id": "GSD-2022-25848"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-25848"
      ],
      "details": "This affects all versions of package static-dev-server. This is because when paths from users to the root directory are joined, the assets for the path accessed are relative to that of the root directory.",
      "id": "GSD-2022-25848",
      "modified": "2023-12-13T01:19:27.416560Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "report@snyk.io",
        "DATE_PUBLIC": "2022-11-29T16:45:16.298423Z",
        "ID": "CVE-2022-25848",
        "STATE": "PUBLIC",
        "TITLE": "Directory Traversal"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "static-dev-server",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003e=",
                          "version_value": "0"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "credit": [
        {
          "lang": "eng",
          "value": "Liran Tal"
        }
      ],
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "This affects all versions of package static-dev-server. This is because when paths from users to the root directory are joined, the assets for the path accessed are relative to that of the root directory."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Directory Traversal"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://security.snyk.io/vuln/SNYK-JS-STATICDEVSERVER-3149917",
            "refsource": "MISC",
            "url": "https://security.snyk.io/vuln/SNYK-JS-STATICDEVSERVER-3149917"
          },
          {
            "name": "https://gist.github.com/lirantal/5550bcd0bdf92c1b56fbb20e141fe5bd",
            "refsource": "MISC",
            "url": "https://gist.github.com/lirantal/5550bcd0bdf92c1b56fbb20e141fe5bd"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "=1.0.0",
          "affected_versions": "Version 1.0.0",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-22",
            "CWE-937"
          ],
          "date": "2022-12-01",
          "description": "This affects all versions of package static-dev-server. This is because when paths from users to the root directory are joined, the assets for the path accessed are relative to that of the root directory.",
          "fixed_versions": [],
          "identifier": "CVE-2022-25848",
          "identifiers": [
            "CVE-2022-25848"
          ],
          "not_impacted": "",
          "package_slug": "npm/static-dev-server",
          "pubdate": "2022-11-29",
          "solution": "Unfortunately, there is no solution available yet.",
          "title": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2022-25848",
            "https://security.snyk.io/vuln/SNYK-JS-STATICDEVSERVER-3149917",
            "https://gist.github.com/lirantal/5550bcd0bdf92c1b56fbb20e141fe5bd"
          ],
          "uuid": "8f8b9c39-2d9e-4c04-ba65-b1df59d095c9"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:static-dev-server_project:static-dev-server:1.0.0:*:*:*:*:node.js:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "report@snyk.io",
          "ID": "CVE-2022-25848"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "This affects all versions of package static-dev-server. This is because when paths from users to the root directory are joined, the assets for the path accessed are relative to that of the root directory."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-22"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://security.snyk.io/vuln/SNYK-JS-STATICDEVSERVER-3149917",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Third Party Advisory"
              ],
              "url": "https://security.snyk.io/vuln/SNYK-JS-STATICDEVSERVER-3149917"
            },
            {
              "name": "https://gist.github.com/lirantal/5550bcd0bdf92c1b56fbb20e141fe5bd",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Third Party Advisory"
              ],
              "url": "https://gist.github.com/lirantal/5550bcd0bdf92c1b56fbb20e141fe5bd"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2022-12-01T20:56Z",
      "publishedDate": "2022-11-29T17:15Z"
    }
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2022-25848 (GCVE-0-2022-25848)

CNVD-2022-85490

GHSA-7FXM-C848-89Q8

FKIE_CVE-2022-25848

VAR-202211-1870

GSD-2022-25848

Tags

Sightings

Nomenclature