CVE-2023-26111
📋 TL;DR
This vulnerability allows attackers to perform directory traversal attacks on web servers using @nubosoftware/node-static or node-static packages. By manipulating URL paths, attackers can access files outside the intended web root directory. All users of these packages are affected regardless of version.
💻 Affected Systems
- @nubosoftware/node-static
- node-static
📦 What is this software?
@nubosoftware/node Static by @nubosoftware/node Static Project
Node Static by Node Static Project
⚠️ Risk & Real-World Impact
Worst Case
Complete server file system disclosure including sensitive configuration files, credentials, and source code, potentially leading to full system compromise.
Likely Case
Unauthorized access to sensitive files in adjacent directories, potentially exposing application secrets, configuration data, or user information.
If Mitigated
Limited impact with proper file system permissions and web server sandboxing, but still exposes files within the application's access scope.
🎯 Exploit Status
Exploitation requires only HTTP requests with crafted paths. Public proof-of-concept demonstrates simple traversal sequences.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: None
Vendor Advisory: https://security.snyk.io/vuln/SNYK-JS-NODESTATIC-3149928
Restart Required: Yes
Instructions:
1. Remove the vulnerable packages.
2. Migrate to an alternative static file serving solution such as Express static middleware, serve-static, or nginx.
3. Update package.json to remove the dependencies.
4. Restart the application.
🔧 Temporary Workarounds
Input validation middleware
Add request filtering to block directory traversal patterns before the request reaches the static file handler. Note that `req.path` is not percent-decoded, so the check decodes it first in order to also catch encoded sequences such as `%2e%2e%2f`.

```javascript
// Express.js example: reject any path that still contains ".." after decoding
app.use((req, res, next) => {
  let decoded;
  try {
    decoded = decodeURIComponent(req.path); // also catches %2e%2e%2f
  } catch (e) {
    return res.status(400).send('Invalid request'); // malformed escape sequence
  }
  if (decoded.includes('..')) return res.status(400).send('Invalid request');
  next();
});
```
Reverse proxy with path sanitization
Place nginx or Apache in front of the application to sanitize URLs before they reach the vulnerable handler. `$request_uri` holds the raw, undecoded URI, so the pattern must cover the percent-encoded form as well.

```nginx
# nginx location block: refuse raw or percent-encoded ".." before proxying
location /static/ {
    if ($request_uri ~* "\.\.|%2e%2e") {
        return 403;
    }
    proxy_pass http://localhost:3000;
}
```
🧯 If You Can't Patch
- Implement strict file system permissions to limit the application's access to only necessary directories
- Deploy web application firewall (WAF) rules to block directory traversal patterns in URLs
🔍 How to Verify
Check if Vulnerable:
Check package.json for '@nubosoftware/node-static' or 'node-static' dependencies, or run: npm list node-static @nubosoftware/node-static
Check Version:
npm list node-static @nubosoftware/node-static
Verify Fix Applied:
Confirm packages are removed from package.json and node_modules, then test with traversal attempts like /../../etc/passwd
📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing '..' sequences in URLs
- Unusual file access patterns outside web root
- 403/404 errors for traversal attempts if blocked
Network Indicators:
- HTTP requests with encoded directory traversal sequences (%2e%2e%2f)
- Multiple sequential requests probing for sensitive files
SIEM Query:
source="web_logs" AND (url="*..*" OR url="*%2e%2e%2f*")
🔗 References
- https://gist.github.com/lirantal/c80b28e7bee148dc287339cb483e42bc
- https://github.com/cloudhead/node-static/blob/master/lib/node-static.js#L160-L163
- https://security.snyk.io/vuln/SNYK-JS-NODESTATIC-3149928
- https://security.snyk.io/vuln/SNYK-JS-NUBOSOFTWARENODESTATIC-3149927