CVE-2015-1164 — Open Redirect in Node-serve-static

CWE-601 — Open Redirect CWE-617 — Reachable Assertion10 documents7 sources

Severity

4.3MEDIUMNVD

OSV2.6

EPSS

0.3%

top 46.61%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openldap Debian Node-serve-static Serve-static Project Serve-static

Timeline

PublishedJan 21

Latest updateAug 17

Description

Open redirect vulnerability in the serve-static plugin before 1.7.2 for Node.js, when mounted at the root, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a // (slash slash) followed by a domain in the PATH_INFO to the default URI.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages4 packages

▶debiandebian/node-serve-static< node-serve-static 1.6.4-2 (bookworm)

▶npmserve-static_project/serve-static1.7.0 — 1.7.2+1

▶NVDserve-static_project/serve-static1.7.1

▶Ubuntuopenldap/openldap< 2.4.31-1+nmu2ubuntu8.1

🔴Vulnerability Details

OSV

Open Redirect in serve-static↗2020-08-31

▶

GHSA

Open Redirect in serve-static↗2020-08-31

▶

OSV

openldap vulnerabilities↗2015-05-26

▶

OSV

CVE-2015-1164: Open redirect vulnerability in the serve-static plugin before 1↗2015-01-21

▶

📋Vendor Advisories

Red Hat

kernel: net/mlx5: Fix missing lock on sync reset reload↗2024-08-17

▶

Debian

CVE-2015-1164: node-serve-static - Open redirect vulnerability in the serve-static plugin before 1.7.2 for Node.js,...↗2015

▶

💬Community

HackerOne

Open redirect in fastify-static via mishandled user's input when attempt to redirect↗2021-10-11

▶

Bugzilla

persona.org vulnerable to Open redirect vulnerability↗2015-09-25

▶

Bugzilla

CVE-2015-1164 nodejs-serve-static: Open Redirect↗2015-01-14

▶