CVE-2022-25848 — static-dev-server vulnerable to path traversal

Description

A path traversal vulnerability affects all versions of package static-dev-server. This is because when paths from users to the root directory are joined, the assets for the path accessed are relative to that of the root directory. There is currently no known workaround or fix for this issue.

How to fix CVE-2022-25848

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed

Is CVE-2022-25848 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-25848
PATCHgithub.com/etoah/static-dev-server
WEBgist.github.com/lirantal/5550bcd0bdf92c1b56fbb20e141fe5bd
WEBsecurity.snyk.io/vuln/SNYK-JS-STATICDEVSERVER-3149917