This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login.
Q1 What is this vulnerability? (Essence + Consequences)
**Essence**: A directory traversal flaw in the `st` module for Node.js. **Consequences**: Attackers can read **arbitrary files** on the server by manipulating file paths…
**Root Cause**: Improper handling of encoded path sequences. Specifically, the module fails to sanitize `%2e%2e` (URL-encoded `..`), which lets an attacker escape the intended directory root…
**Affected Component**: Joyent Node.js `st` module. **Version**: versions **before 0.2.5**. If you are running an older version of this static file server module, you are at risk.
Q4 What can hackers do? (Privileges/Data)
**Attacker Capabilities**: Remote attackers can **read sensitive files** (e.g., config files, source code, credentials). **Data Impact**: Full file disclosure within the filesystem the server process can read…
**Exploitation Threshold**: **LOW**. No authentication required. **Config**: Works remotely via HTTP requests; the attacker only needs to send a crafted URL containing encoded traversal characters (`%2e%2e`).
Q6 Is there a public exploit? (PoC/Wild Exploitation)
**Public Exploit**: **YES**. A proof of concept (PoC) is available. **Source**: Nuclei templates and security advisories (NodeSecurity.io) confirm exploitability via `%2e%2e` in paths.
Q7 How to self-check? (Features/Scanning)
**Self-Check**: Check the installed `st` module version. **Test**: Send requests containing `%2e%2e/` in the URL path…
**Official Fix**: **YES**. Upgrade the `st` module to version **0.2.5 or later**. The vendor (Joyent/Isaac) released a patch correcting the path traversal logic.
Q9 What if no patch? (Workaround)
**No Patch Workaround**: If you cannot upgrade immediately, add a **WAF rule** that blocks `%2e%2e` or `..` in URL paths…
**Urgency**: **HIGH**. Because it allows unauthenticated arbitrary file read, it is easily exploitable. **Priority**: Patch immediately; update the `st` module to v0.2.5+ to prevent data leakage.