Wiz
Vulnerability DatabaseCVE-2022-25847

CVE-2022-25847
JavaScript vulnerability analysis and mitigation

Overview

CVE-2022-25847 affects serve-lite package versions before 1.1.2. The vulnerability was discovered by Liran Tal and disclosed on November 28, 2022. This Cross-site Scripting (XSS) vulnerability affects the package's directory listing functionality (Snyk).

Technical details

The vulnerability exists because when serve-lite detects a request to a directory, it renders a file listing of all its contents with links that include the actual file names without any sanitization or output encoding. The issue is specifically in the server.js file where file names are directly written to the response without proper sanitization (GitHub Gist). The vulnerability has been assigned a CVSS score of 5.4 (medium) by Snyk (Snyk).

Impact

If exploited, this XSS vulnerability could allow attackers to execute malicious JavaScript code in users' browsers when they view directory listings. However, the impact is considered limited due to the package having virtually zero downloads at the time of discovery (GitHub Gist).

Mitigation and workarounds

The vulnerability has been fixed in serve-lite version 1.1.2. Users should upgrade to this version or higher to mitigate the risk. The fix was implemented in commit f7a0062 of the serve-lite repository (GitHub Gist).

Additional resources

SourceThis report was generated using AI

Related JavaScript vulnerabilities:

CVE ID

Severity

Score

Technologies

Component name

CISA KEV exploit

Has fix

Published date

CVE-2025-66456CRITICAL9.1
  • JavaScriptJavaScript
  • elysia
NoYesDec 09, 2025
CVE-2025-66457HIGH7.5
  • JavaScriptJavaScript
  • elysia
NoYesDec 09, 2025
CVE-2025-65849MEDIUM6.9
  • JavaScriptJavaScript
  • altcha
NoNoDec 08, 2025
CVE-2025-66202MEDIUM6.5
  • JavaScriptJavaScript
  • astro
NoYesDec 09, 2025
CVE-2025-14284MEDIUM5.1
  • JavaScriptJavaScript
  • @tiptap/extension-link
NoYesDec 09, 2025

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

Cloud Threat Landscape

A threat intelligence database

PEACH

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management
Get a demo