CVE-2017-14849

HIGH NUCLEI

Node.js <8.6.0 - Directory Traversal

Title source: nuclei

Description

Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was incompatible with the pathname validation used by unspecified community modules.

Nuclei Templates (1)

Node.js <8.6.0 - Directory Traversal

HIGHby Random_Robbie

Shodan: cpe:"cpe:2.3:a:nodejs:node.js"

References (3)

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/101056

[Patch, Vendor Advisory] https://nodejs.org/en/blog/vulnerability/september-2017-path-validation/

[Patch, Third Party Advisory] https://twitter.com/nodejs/status/913131152868876288

Scores

CVSS v3 7.5

EPSS 0.9023

EPSS Percentile 99.6%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Classification

CWE

CWE-22

Status draft

Affected Products (1)

nodejs/node.js

Timeline

Published Sep 28, 2017

Tracked Since Feb 18, 2026