Versions of crud-file-server prior to 0.9.0 are vulnerable to Path Traversal. The package fails to sanitize URLs, allowing attackers to access server files outside of the served folder using relative paths.

Recommendation

Upgrade to version 0.9.0 or later.

References

• https://nvd.nist.gov/vuln/detail/CVE-2018-3733
• https://hackerone.com/reports/310690
• GHSA-vfp9-gwrh-wq9g
• https://www.npmjs.com/advisories/1003
• omphalos/crud-file-server@4fc3b40