CVE-2015-1164

serve-static <1.7.2 - Open Redirect

Description

Open redirect vulnerability in the serve-static plugin before 1.7.2 for Node.js, when mounted at the root, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a // (slash slash) followed by a domain in the PATH_INFO to the default URI.

Exploits (1)

github WRITEUP 21 stars
by BlackFan · poc
https://github.com/BlackFan/CVE_PoCs/tree/master/CVE-2015-1164 (ExpressJS)

Scores

EPSS 0.0030
EPSS Percentile 53.0%

Classification

Status draft

Affected Products (2)

serve-static_project/serve-static < 1.7.1
npm/serve-static < 1.7.2

Timeline

Published Jan 21, 2015
Tracked Since Feb 18, 2026