{ "schema_version": "1.4.0", "id": "GHSA-886v-mm6p-4m66", "modified": "2021-09-07T15:24:35Z", "published": "2019-06-05T09:48:02Z", "aliases": [], "summary": "High severity vulnerability that affects gun", "details": "## Urgent Upgrade\n\nThe static file server module included with GUN had a **serious vulnerability**:\n\n - Using `curl --path-as-is` allowed reads on any parent directory or files.\n\nThis did not work via the browser or via curl without as-is option.\n\n ### Fixed\n\nThis has been fixed since version `0.2019.416` and higher.\n\n ### Who Was Effected?\n\nMost NodeJS users who use the default setup, such as:\n\n - `npm start`\n - `node examples/http.js`\n - `Heroku` 1-click-deploy\n - `Docker`\n - `Now`\n\nIf you have a custom NodeJS code then you are probably safe *unless* you have something like `require('http').createServer(Gun.serve(__dirname))` in it.\n\nIf you have not upgraded, it is **mandatory** or else it is highly likely your environment variables and AWS (or other) keys could be leaked.\n\n ### Credit\n\nIt was reported and fixed by [JK0N](https://github.com/amark/gun/pull/527), but I did not understand the `--path-as-is` condition.\n\nJoonas Loppi from [function61](http://function61.com) rediscovered it and explained the urgency to me to fix it.\n", "severity": [], "affected": [ { "package": { "ecosystem": "npm", "name": "gun" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "0.2019.416" } ] } ] } ], "references": [ { "type": "WEB", "url": "https://github.com/amark/gun/security/advisories/GHSA-886v-mm6p-4m66" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-886v-mm6p-4m66" }, { "type": "PACKAGE", "url": "https://github.com/amark/gun" } ], "database_specific": { "cwe_ids": [ "CWE-22" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:24:52Z", "nvd_published_at": null } }