Directory Traversal in geddy

High severity GitHub Reviewed Published Oct 24, 2017 to the GitHub Advisory Database • Updated Jan 9, 2023

Package

npm geddy (npm)

Affected versions

< 13.0.8

Patched versions

13.0.8

Description

Versions 13.0.8 and earlier of geddy are vulnerable to a directory traversal attack via URI-encoded attack vectors.

Proof of Concept

http://localhost:4000/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd

Recommendation

Update geddy to version >= 13.0.8
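
The failure mode behind this class of bug, shown as an added example (it is not geddy's code and not part of the advisory): a file resolver that checks for `..` before percent-decoding, beside one that decodes first and then verifies the resolved path stays under the web root. The function names, the sample paths and the `/srv/app/public` root are assumptions made for the example.

```javascript
const path = require('path');

// Assumed web root for this example (not taken from geddy).
const WEB_ROOT = '/srv/app/public';

// Vulnerable pattern: the ".." check runs on the raw URL path and the
// percent-decoding happens afterwards, so "..%2f" is never seen as "..".
function resolveUnsafe(urlPath) {
  if (urlPath.split('/').includes('..')) return null;
  const decoded = decodeURIComponent(urlPath); // "%2f" becomes "/"
  return path.posix.join(WEB_ROOT, decoded);   // join() collapses "../"
}

// Hardened pattern: decode exactly once, reject ambiguous bytes, resolve,
// then confirm the final path is still inside WEB_ROOT.
function resolveSafe(urlPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(urlPath);
  } catch (err) {
    return null; // malformed percent-encoding
  }
  if (decoded.includes('\0') || decoded.includes('\\')) return null;
  const resolved = path.posix.resolve(WEB_ROOT, './' + decoded);
  const inside = resolved === WEB_ROOT || resolved.startsWith(WEB_ROOT + '/');
  return inside ? resolved : null;
}

// Constructed request paths; the second follows the shape of the PoC above.
const SAMPLES = [
  '/css/site.css',
  '/..%2f..%2f..%2fetc/passwd',
  '/..%252f..%252fetc/passwd', // double-encoded: stays a literal file name
  '/%E0%A4%A',                 // truncated escape sequence
];

for (const p of SAMPLES) {
  let unsafe;
  try { unsafe = resolveUnsafe(p); } catch (err) { unsafe = 'URIError'; }
  console.log(p, '| unsafe:', unsafe, '| safe:', resolveSafe(p));
}
```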

References

Published to the GitHub Advisory Database Oct 24, 2017
Reviewed Jun 16, 2020
Last updated Jan 9, 2023

Severity

High

EPSS score

0.924%
(84th percentile)

Weaknesses

CVE ID

CVE-2015-5688

GHSA ID

GHSA-333x-9vgq-v2j4

Source code
