CVE-2023-26152

7.5 HIGH

📋 TL;DR

CVE-2023-26152 is a directory traversal vulnerability in the static-server npm package that allows attackers to read arbitrary files outside the intended web root directory. This affects all versions of static-server that use the vulnerable validPath function. Anyone using static-server to serve static files is potentially vulnerable.

💻 Affected Systems

Products:
  • static-server npm package
Versions: All versions before patching
Operating Systems: All operating systems running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default configuration when using the package's built-in path validation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could read sensitive system files like /etc/passwd, SSH keys, configuration files, or application source code, potentially leading to complete system compromise.

🟠

Likely Case

Unauthorized access to sensitive files within the application directory or adjacent directories, potentially exposing credentials, configuration data, or proprietary code.

🟢

If Mitigated

Limited to accessing only files within the intended web root directory with proper input validation and path sanitization.

🌐 Internet-Facing: HIGH - Directory traversal vulnerabilities in web servers are easily exploitable from the internet with simple HTTP requests.
🏢 Internal Only: MEDIUM - Internal attackers could still exploit this, but the attack surface is smaller than internet-facing deployments.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted HTTP requests with directory traversal sequences like '../' in URLs.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check for updates in the static-server repository, as no specific patched version is documented in the CVE

Vendor Advisory: https://github.com/nbluis/static-server/security/advisories

Restart Required: Yes

Instructions:

1. Check current static-server version
2. Update to latest version via npm update static-server
3. Restart the static-server application

🔧 Temporary Workarounds

Input Validation Middleware

Add custom middleware to sanitize and validate all incoming request paths before processing

// Example Express middleware: reject request paths containing traversal sequences.
// req.path is still percent-encoded, so decode it first; otherwise an encoded
// form such as %2e%2e would slip past a plain substring check.
app.use((req, res, next) => {
  let path;
  try {
    path = decodeURIComponent(req.path);
  } catch (e) {
    return res.status(400).send('Invalid path'); // malformed percent-encoding
  }
  if (path.includes('..') || path.includes('~')) {
    return res.status(400).send('Invalid path');
  }
  next();
});

Web Application Firewall

Configure WAF rules to block directory traversal patterns

# Example mod_security rule: decode the URI first so percent-encoded traversal sequences are caught as well
SecRule REQUEST_URI "@contains .." "id:1001,phase:1,t:none,t:urlDecodeUni,deny,status:400"

🧯 If You Can't Patch

  • Implement strict file system permissions to limit what files the static-server process can access
  • Run static-server in a containerized environment with restricted file system access

🔍 How to Verify

Check if Vulnerable:

Test by requesting a file with directory traversal sequences, such as http://server/../../etc/passwd, and checking whether it returns sensitive content. Most browsers and HTTP clients collapse '../' before sending the request, so use a client that transmits the path unmodified or the test will not reach the server as intended.

Check Version:

npm list static-server

Verify Fix Applied:

After patching, repeat the directory traversal test and confirm it returns a 400 or 404 error instead of file contents.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests containing '../' or '..\' sequences
  • Unusual file access patterns outside normal web root

Network Indicators:

  • HTTP requests with multiple directory traversal sequences in URL paths

SIEM Query:

http.url:*..* AND (http.status:200 OR http.status:206)
