Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2017-14849

CWE-22Path Traversal5 documents5 sources
Severity
7.5HIGH
EPSS
90.2%
top 0.40%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
1
Nodejs Node.js
Timeline
PublishedSep 28
Latest updateMay 13

Description

Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was incompatible with the pathname validation used by unspecified community modules.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages1 packages

NVDnodejs/node.js8.5.0

Patches

Patch: nodejs.orgPatch: twitter.comPatch: nodejs.org

🔴Vulnerability Details

2
GHSA
GHSA-c5w2-4jcq-rvf5: Node2022-05-13
CVEList
CVE-2017-14849: Node2017-09-28

💥Exploits & PoCs

1
Nuclei
Node.js <8.6.0 - Directory Traversal

📋Vendor Advisories

1
Debian
CVE-2017-14849: nodejs - Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, b...2017
CVE-2017-14849 (HIGH CVSS 7.5) | Node.js 8.5.0 before 8.6.0 allows r | cvebase.io