GMS-2014-2: Static file leakage

March 21, 2014

As stated on “The NPM Blog”, “it was possible, through a carefully encoded URL, to get st to serve any file it could see, not just the ones in the static content directory, and you could also list the contents of directories, so it was very easy to go looking for sensitive files.” The NPM registry relies on st, meaning that all the versions of all the npms published prior to March th may be corrupted. But there is no evidence that they have been corrupted.

References

blog.npmjs.org/post/80277229932/newly-paranoid-maintainers
github.com/isaacs/st/commit/f961d4a839a76a423b212c716776d583b8d120e9

Code Behaviors & Features

Detect and mitigate GMS-2014-2 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →