CVE-2020-7687
📋 TL;DR
CVE-2020-7687 is a path traversal vulnerability in the fast-http npm package: a request URL containing traversal sequences (../ and encoded variants) lets an unauthenticated attacker read files outside the directory the server is meant to serve, with whatever read access the Node.js process has. No fixed version has been published, so every version of fast-http should be treated as vulnerable and any application that depends on it, directly or transitively, is exposed.
💻 Affected Systems
- fast-http npm package
📦 What is this software?
Fast Http by Fast Http Project
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test in a non-production copy whether a request whose path contains ../ (or its percent-encoded form) returns a file from outside the served directory
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Disclosure of sensitive files such as /etc/passwd, SSH private keys, or configuration files containing credentials; credentials recovered this way can lead to lateral movement and data exfiltration. The flaw itself is read-only and is bounded by the permissions of the account running the Node.js service, so the damage scales with what that account can read.
Likely Case
Unauthorized reading of sensitive application files, configuration data, or system files that could enable further attacks.
If Mitigated
Limited impact with proper file system permissions and input validation in place, restricting access to non-sensitive areas.
🎯 Exploit Status
Exploitation requires only HTTP requests with crafted paths; no authentication needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: none published; the package was deprecated, so the remedy is removal rather than an upgrade
Vendor Advisory: https://snyk.io/vuln/SNYK-JS-FASTHTTP-572892
Restart Required: Yes
Instructions:
1. Remove fast-http package: npm uninstall fast-http
2. Replace it with a maintained alternative such as express or fastify; their static-file handlers resolve requested paths against the configured root and reject dot-dot segments
3. Restart application services
🔧 Temporary Workarounds
Input validation middleware
Reject requests whose decoded URL path contains a dot-dot segment before fast-http processes them. This only helps if the middleware actually runs in front of fast-http's file handling. Rejecting is preferable to silently stripping ../ (a regex replace on the raw URL misses percent-encoded forms such as %2e%2e, backslash separators, and anything after a query string, and path.normalize on Windows converts slashes to backslashes). The check decodes once, matching what the server itself would decode.
// Reject traversal attempts before the request reaches fast-http's file handling
app.use((req, res, next) => {
  const q = req.url.indexOf('?');
  let p;
  try { p = decodeURIComponent(q < 0 ? req.url : req.url.slice(0, q)); } catch (e) { res.statusCode = 400; return res.end(); }
  if (p.replace(/\\/g, '/').split('/').includes('..') || p.includes('\0')) { res.statusCode = 403; return res.end(); }
  next();
});
🧯 If You Can't Patch
- Run the service as a dedicated low-privilege account whose read access is limited to the directory it serves, so traversal outside that directory yields nothing readable
- Deploy web application firewall (WAF) with path traversal protection rules
🔍 How to Verify
Check if Vulnerable:
Check for a direct or transitive dependency: grep -n '"fast-http"' package.json package-lock.json, then npm ls fast-http (which searches the whole installed tree)
Check Version:
npm list fast-http
Verify Fix Applied:
Verify fast-http is removed: npm ls fast-http (should print "(empty)" with no path to the package anywhere in the tree)
📡 Detection & Monitoring
Log Indicators:
- HTTP requests with ../ or ..\ in the URL path, including percent-encoded forms (%2e%2e, %2E%2E) and double-encoded forms (%252e%252e)
- Unusual file access patterns from web endpoints, in particular reads of files outside the served directory
Network Indicators:
- HTTP requests containing path traversal sequences (../, ..\, %2e%2e)
- Responses containing sensitive file contents (for example a body beginning with root:x:0:0, or PEM headers such as -----BEGIN)
SIEM Query:
web.url:(*../* OR *..\\* OR *%2e%2e* OR *%2E%2E*) AND (response.status:200 OR response.status:404)
A 404 indicates probing; a 200 on a traversal path is the request to triage first. Leading-wildcard matches are expensive in most engines, so scope the query to the hosts running the affected service.