CVE-2015-8859
Information Leakage vulnerability in send (npm)

Information Leakage | No known exploit

What is CVE-2015-8859 About?

Versions of the `send` package prior to 0.11.2 are vulnerable to information leakage, allowing an attacker to enumerate paths on the server filesystem. This can expose sensitive directory structures and file locations. Exploiting this vulnerability would likely involve crafted requests and is relatively straightforward given the nature of the flaw.

Affected Software

send <0.11.1

Technical Details

The send package, in versions prior to 0.11.2, suffers from an information leakage vulnerability. This flaw typically arises from improper handling of directory traversal sequences or malformed file paths in HTTP requests. When send is used to serve static files, an attacker can craft a specific URL (e.g., using '..' or other path manipulation techniques) that causes the server to resolve paths outside of the intended web root or base directory. Instead of returning a 404 error or sanitizing the path, the vulnerable send implementation reveals whether a specific path or directory exists on the server's filesystem. While it might not directly expose file contents, successful exploitation allows an attacker to map out the server's directory structure, inferring the presence of sensitive files or configurations, which can aid in further attacks.

What is the Impact of CVE-2015-8859?

Successful exploitation may allow attackers to discover the internal file and directory structure of the server, providing valuable reconnaissance for further targeted attacks.

What is the Exploitability of CVE-2015-8859?

Exploitation of this vulnerability involves sending specially crafted HTTP requests to a server serving static files via the vulnerable send package. This is a relatively low-complexity attack, typically involving standard web reconnaissance techniques and path manipulation. No authentication or specific privileges are required, as the vulnerability affects how public-facing file requests are handled. The attack is remote, as it can be initiated over HTTP from any location. The primary risk factor is the deployment of web applications using vulnerable versions of send without sufficient input validation or path sanitization, which can make it easy for an attacker to probe the filesystem.

What are the Known Public Exploits?

No known exploits

What are the Available Fixes for CVE-2015-8859?

Available Upgrade Options

  • send
    • <0.11.1 → Upgrade to 0.11.1


What are Similar Vulnerabilities to CVE-2015-8859?

Similar Vulnerabilities: CVE-2021-23382, CVE-2020-28476, CVE-2018-1000136, CVE-2018-1000164, CVE-2020-7769