CVE-2021-23430

7.5 HIGH

📋 TL;DR

CVE-2021-23430 is a directory traversal (path traversal) vulnerability in the startserver npm package: the server does not sanitize the path component of request URLs, so a request containing ../ sequences, plain or percent-encoded, can read files outside the directory being served. All published versions are affected and no fixed version exists. Any project that runs startserver to serve files during development is exposed for as long as the server is listening on an interface an attacker can reach.

💻 Affected Systems

Products:
  • startserver npm package
Versions: All versions (no fixed release has been published)
Operating Systems: Any operating system running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: The flaw is in startserver itself, so it matters only on hosts where startserver is running and its port is reachable. Production deployments that serve files with a different server are not affected by this CVE. Note, though, that a development server bound to all interfaces is reachable from the local network and, on cloud workstations, from the internet, which is the usual route to exploitation.

📦 What is this software?

startserver is a small Node.js command-line static file server intended for local development: it serves the files under a directory over HTTP. It is not a framework component, so the typical exposure is a developer workstation or a shared test box with the server left running.

⚠️ Manual Verification Required

This CVE carries no version range in the NVD entry, so automated scanners that match on a fixed version cannot tell an affected install from a fixed one.

Why? No fixed version was ever published, so the entry has no "fixed in" boundary to express. In practice every published version of startserver is affected, and the presence of the package in a dependency tree should be treated as a finding.

Recommended Actions:
  1. Review the CVE details at NVD
  2. Run npm list startserver in every project and inspect lockfiles, since the package may be pulled in transitively
  3. Test whether the server is reachable from outside the host and whether a traversal request returns file contents (see How to Verify below)
  4. Remove the package rather than waiting for an update, since no fixed version has been published

⚠️ Risk & Real-World Impact

🔴

Worst Case

The server reads files with the privileges of the user that started it, which for a development server is usually the developer's own account. An attacker who can reach the port can therefore read anything that user can: source code, .env files, .npmrc tokens, SSH keys and cloud credentials in the home directory. Leaked credentials are the step from a file read to a broader compromise of accounts and infrastructure.

🟠

Likely Case

Unauthorized disclosure of files outside the served directory: application source, configuration and secrets files, and anything else the server process can read. Access is read-only, but the secrets obtained are often enough to continue the attack elsewhere.

🟢

If Mitigated

Limited impact only if the account running the server cannot read anything sensitive. Because a development server usually runs as the developer's user, file permissions rarely provide this; binding the listener to 127.0.0.1 or firewalling the port is the more realistic mitigation.

🌐 Internet-Facing: HIGH - If the vulnerable server is exposed to the internet, attackers can directly exploit it without authentication.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Directory traversal vulnerabilities are well understood and need nothing beyond an HTTP request whose path contains traversal sequences. Browsers and many HTTP clients collapse a plain ../ before sending, so an attacker (or a tester) uses a client that sends the path verbatim, such as curl with --path-as-is, or a percent-encoded form such as %2e%2e%2f that the client leaves alone.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: None. No fixed version has been published and the package is deprecated, so the only fix is removal.

Vendor Advisory: https://github.com/xudafeng/startserver/security/advisories

Restart Required: Yes

Instructions:

1. Remove startserver from your project dependencies.
2. Use an alternative development server such as webpack-dev-server, vite, or an Express app using express.static, which refuses paths that resolve outside its root.
3. Update package.json and reinstall dependencies so the lockfile no longer references the package.

🔧 Temporary Workarounds

Replace with secure alternative

Applies to: all

Replace startserver with a maintained development server that resolves requested paths inside the served root and refuses anything that escapes it

npm uninstall startserver
npm install --save-dev webpack-dev-server

Implement middleware validation

Applies to: all

If requests reach startserver through an Express app or proxy you control, add a middleware that rejects any request whose path contains a .. segment. Decode percent-encoding first, otherwise %2e%2e%2f passes straight through; a check on the literal substring .. alone also rejects legitimate names such as app..min.js. This is a stopgap, not a fix.

// Express middleware example: reject any request whose decoded path
// contains a '..' segment before it reaches the file server.
app.use((req, res, next) => {
  let decoded;
  try {
    decoded = decodeURIComponent(req.path);
  } catch (e) {
    return res.status(400).send('Invalid path'); // malformed percent-encoding
  }
  if (decoded.split(/[\/\\]/).includes('..')) {
    return res.status(400).send('Invalid path');
  }
  next();
});

🧯 If You Can't Patch

  • Bind the server to 127.0.0.1, or firewall its port, so that only the local machine can reach it; a traversal request needs network access to the listener
  • Run startserver as a dedicated low-privilege user whose home directory holds no credentials, so a successful read gives up as little as possible
  • Deploy behind a reverse proxy with strict path validation and WAF rules that block traversal patterns, including percent-encoded (%2e%2e%2f, ..%2f, ..%5c) and double-encoded (%252e%252e) forms

🔍 How to Verify

Check if Vulnerable:

Check whether startserver appears in package.json or in the lockfile (package-lock.json, yarn.lock or pnpm-lock.yaml), since it may arrive as a transitive dependency, or run:

npm list startserver

Check Version:

npm list startserver

Any version it reports is affected; there is no fixed version to compare against.

Verify Fix Applied:

npm list startserver should report the package as absent. If a server is still listening on the host, request a path containing ../ with a client that sends it verbatim (curl with --path-as-is, or a percent-encoded form such as %2e%2e%2f, since browsers and most clients collapse a plain ../ before sending) and confirm the response is an error rather than file contents. A 200 with a non-empty body means a vulnerable server is still running.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests containing ../ or ..\ sequences
  • File access errors for paths outside expected directories
  • Unusual file read patterns from server process

Network Indicators:

  • HTTP requests with encoded directory traversal sequences (%2e%2e%2f, ..%2f)
  • Responses containing file contents that shouldn't be accessible

SIEM Query:

source="web_server" AND (uri="*../*" OR uri="*..\\*" OR uri="*%2e%2e%2f*" OR uri="*%2e%2e/*" OR uri="*..%2f*" OR uri="*..%5c*" OR uri="*%252e%252e*")

Match case-insensitively (%2E%2E is as valid as %2e%2e), and triage hits by whether the decoded path contains a whole .. segment rather than the bare substring. A hit that returned status 200 means the file was disclosed; treat the host's secrets as compromised.
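Worked detection logic, added here and not part of the original page: the indicators above run over a constructed access log. Unlike a substring match on ../, it decodes the request path (repeatedly, to catch double encoding), treats backslashes as separators, and flags only a whole .. path segment, which is the thing that actually moves a file server out of its root. Log format, sample lines and function names are assumptions made for this example.

```javascript
// Added example, not from the original page: scan constructed access-log
// lines for directory-traversal attempts. Log format, sample lines and
// function names are assumptions made for this example.

// Constructed sample log in Common Log Format (not real traffic).
const SAMPLE_LOG = [
  '203.0.113.5 - - [10/Aug/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
  '203.0.113.5 - - [10/Aug/2021:10:00:02 +0000] "GET /../../etc/passwd HTTP/1.1" 200 1340',
  '203.0.113.7 - - [10/Aug/2021:10:00:03 +0000] "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1340',
  '203.0.113.7 - - [10/Aug/2021:10:00:04 +0000] "GET /static/..%2f..%2fpackage.json HTTP/1.1" 200 800',
  '203.0.113.9 - - [10/Aug/2021:10:00:05 +0000] "GET /static/app..min.js HTTP/1.1" 200 9000',
  '203.0.113.9 - - [10/Aug/2021:10:00:06 +0000] "GET /%252e%252e/%252e%252e/.env HTTP/1.1" 404 0',
  '203.0.113.9 - - [10/Aug/2021:10:00:07 +0000] "GET /..%5c..%5c.npmrc HTTP/1.1" 200 75',
];

// ip ident user [time] "method uri protocol" status size
const CLF_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)$/;

function parseLine(line) {
  const m = CLF_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], uri: m[4], status: Number(m[5]) };
}

// Percent-decode up to `rounds` times, stopping when the string no longer
// changes, so %252e%252e (double-encoded) ends up as "..". Invalid sequences
// leave the string as-is instead of throwing.
function fullyDecode(s, rounds = 3) {
  let cur = s;
  for (let i = 0; i < rounds; i++) {
    let next;
    try {
      next = decodeURIComponent(cur);
    } catch (e) {
      break;
    }
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// Traversal means a whole path segment equal to "..", after decoding and
// with backslashes treated as separators; "app..min.js" is not traversal.
function isTraversal(uri) {
  const decoded = fullyDecode(uri.split('?')[0]).replace(/\\/g, '/');
  return decoded.split('/').includes('..');
}

// Return the parsed records that carry a traversal attempt, with the
// decoded path attached for the analyst.
function findTraversal(lines) {
  const hits = [];
  for (const line of lines) {
    const rec = parseLine(line);
    if (rec && isTraversal(rec.uri)) {
      hits.push({ ...rec, decoded: fullyDecode(rec.uri.split('?')[0]) });
    }
  }
  return hits;
}

// Per-client counts; "succeeded" counts attempts answered with 200, i.e.
// requests where the server most likely returned the file.
function summarize(hits) {
  const out = {};
  for (const h of hits) {
    const e = out[h.ip] || (out[h.ip] = { attempts: 0, succeeded: 0 });
    e.attempts++;
    if (h.status === 200) e.succeeded++;
  }
  return out;
}

module.exports = { SAMPLE_LOG, parseLine, fullyDecode, isTraversal, findTraversal, summarize };
```

On the sample above, five of the seven lines are flagged (the plain, single-encoded, mixed, double-encoded and backslash-encoded forms) while /static/app..min.js is not. Feed real logs through findTraversal line by line and alert on summarize output; any client with succeeded greater than zero was served a file it should not have seen.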

🔗 References

  • https://nvd.nist.gov/vuln/detail/CVE-2021-23430
  • https://github.com/xudafeng/startserver/security/advisories