CVE-2015-1164

serve-static <1.7.2 - Open Redirect


Exploitation Summary

EIP tracks 1 public exploit for CVE-2015-1164. PoCs published by BlackFan.

AI-analyzed exploit summary

The repository provides a technical description of an open redirect vulnerability in Express.js's serve-static middleware. It includes specific exploit URLs demonstrating the vulnerability, which affects versions prior to 1.7.2.

Description

Open redirect vulnerability in the serve-static plugin before 1.7.2 for Node.js, when mounted at the root, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a // (slash slash) followed by a domain in the PATH_INFO to the default URI.

Exploits (1)

github WRITEUP 21 stars
by BlackFan · poc
https://github.com/BlackFan/CVE_PoCs/tree/master/CVE-2015-1164 (ExpressJS)

Classification
Writeup (90%)
Attack Type: Other
Complexity: Trivial
Reliability: Reliable
Target: Express.js serve-static < 1.7.2
Authentication: none needed
Prerequisites: A vulnerable version of Express.js serve-static
Analyzed by devstral-2 on Feb 27, 2026

References (5)

Core References
Third Party Advisory, VDB Entry (x_refsource_xf): https://exchange.xforce.ibmcloud.com/vulnerabilities/99936
Issue Tracking (x_refsource_confirm): https://github.com/expressjs/serve-static/issues/26
Issue Tracking (x_refsource_confirm): https://bugzilla.redhat.com/show_bug.cgi?id=1181917
Third Party Advisory, VDB Entry (x_refsource_bid): http://www.securityfocus.com/bid/72064

Scores

EPSS 0.0030
EPSS Percentile 53.9%

Details

Status published
Products (2)
npm/serve-static 0 - 1.7.2 (npm)
serve-static_project/serve-static < 1.7.1
Published Jan 21, 2015
Tracked Since Feb 18, 2026