Send Project Send vulnerabilities

CVE-2014-6394 [LOW] CWE-22 Directory Traversal in send Directory Traversal in send Versions 0.8.3 and earlier of `send` are affected by a directory traversal vulnerability. When relying on the root option to restrict file access it may be possible for an application consumer to escape out of the restricted directory and access files in a similarly named directory. For example, `static(_dirname + '/public')` would allow access to `_dirname + '/public-restricted'`. ## Recommendation Update to

CVE-2015-8859 [MEDIUM] CVE-2015-8859: The send package before 0.11.1 for Node.js allows attackers to obtain the root path via unspecified The send package before 0.11.1 for Node.js allows attackers to obtain the root path via unspecified vectors.

CVE-2024-43799 [MEDIUM] CWE-79 CVE-2024-43799: Send is a library for streaming files from the file system as a http response. Send passes untrusted Send is a library for streaming files from the file system as a http response. Send passes untrusted user input to SendStream.redirect() which executes untrusted code. This issue is patched in send 0.19.0.