Vulnerability Description
All versions of package lite-dev-server are vulnerable to Directory Traversal due to missing input sanitization and sandboxes being employed to the req.url user input that is passed to the server code.
CVSS Score
7.5
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Lite-Dev-Server Project | Lite-Dev-Server | - |
Related Weaknesses (CWE)
References
- https://gist.github.com/lirantal/0f8a48c3f5ac581ce73123abe9f7f120ExploitThird Party Advisory
- https://github.com/shadowwzw/lite-dev-server/blob/master/src/server.js%23L134Broken Link
- https://security.snyk.io/vuln/SNYK-JS-LITEDEVSERVER-3153718ExploitThird Party Advisory
- https://gist.github.com/lirantal/0f8a48c3f5ac581ce73123abe9f7f120ExploitThird Party Advisory
- https://github.com/shadowwzw/lite-dev-server/blob/master/src/server.js%23L134Broken Link
- https://security.snyk.io/vuln/SNYK-JS-LITEDEVSERVER-3153718ExploitThird Party Advisory
FAQ
What is CVE-2022-25895?
CVE-2022-25895 is a vulnerability with a CVSS score of 7.5 (HIGH). All versions of package lite-dev-server are vulnerable to Directory Traversal due to missing input sanitization and sandboxes being employed to the req.url user input that is passed to the server code...
How severe is CVE-2022-25895?
CVE-2022-25895 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-25895?
Check the references section above for vendor advisories and patch information. Affected products include: Lite-Dev-Server Project Lite-Dev-Server.