CVE-2016-10561 — Directory Traversal in bitty

Description

Affected versions of `bitty` are vulnerable to directory traversal via the URL path in GET requests. ## Recommendation The `bitty` package is not currently maintained, and has not seen an update since 2015. At this time, the best available mitigation is to use an alternative module that is actively maintained and provides similar functionality, such as [serve](https://www.npmjs.com/package/serve).

How to fix CVE-2016-10561

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

npm/bitty—no fix listed

Is CVE-2016-10561 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, <= 0.2.10

References (3)

ADVISORYgithub.com/advisories/GHSA-f5mh-hq6h-whxv
ADVISORYnvd.nist.gov/vuln/detail/CVE-2016-10561
WEBwww.npmjs.com/advisories/150