CVE-2020-7687

HIGH

fast-http - Path Traversal via fs.readFile in index.js

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-7687. PoCs published by AikidoSec.

AI-analyzed exploit summary This repository contains a functional exploit PoC for CVE-2020-7687, demonstrating a path traversal vulnerability in the 'fast-http' Node.js library. The PoC includes tests for both vulnerable and protected scenarios, with Docker setup for easy reproduction.

Description

This affects all versions of package fast-http. There is no path sanitization in the path provided at fs.readFile in index.js.

Exploits (1)

github WORKING POC 6 stars

by AikidoSec · javascriptpoc

https://github.com/AikidoSec/zen-0-days/tree/main/node/CVE-2020-7687

View Code ZIP pw:eip

This repository contains a functional exploit PoC for CVE-2020-7687, demonstrating a path traversal vulnerability in the 'fast-http' Node.js library. The PoC includes tests for both vulnerable and protected scenarios, with Docker setup for easy reproduction.

Classification

Working Poc 90%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: fast-http (Node.js library)

No auth needed

Prerequisites: Node.js environment · Docker (optional for containerized execution)

MITRE ATT&CK

T1005 - Data from Local System T1552 - Unsecured Credentials

devstral-2 · analyzed Feb 27, 2026 Full analysis →

References (1)

Core 1

Core References

Exploit, Third Party Advisory x_refsource_misc

https://snyk.io/vuln/SNYK-JS-FASTHTTP-572892

Scores

CVSS v3 7.5

EPSS 0.0176

EPSS Percentile 75.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-22

Status published

Products (2)

fast-http_project/fast-http

npm/fast-http 0npm

Published Jul 25, 2020

Tracked Since Feb 18, 2026