GMS-2014-22: Directory traversal vulnerability

September 12, 2014

When relying on the root option to restrict file access it may be possible for an application consumer to escape out of the restricted directory and access files in a similarly named directory. For example, static(_dirname + '/public') would allow access to _dirname + '/public-restricted'.

References

github.com/visionmedia/send/commit/9c6ca9b2c0b880afd3ff91ce0d211213c5fa5f9a
github.com/visionmedia/send/pull/59

Code Behaviors & Features

Detect and mitigate GMS-2014-22 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →