CVE-2023-26104: 
JavaScript vulnerability analysis and mitigation

All versions of the package lite-web-server are vulnerable to a Denial of Service (DoS) vulnerability identified as CVE-2023-26104. The vulnerability was disclosed on December 5, 2022, and published on February 24, 2023. The vulnerability affects the HTTP file server component of the lite-web-server package, which is designed to create simple web servers (Snyk, GitHub POC).

The vulnerability occurs when an attacker sends an HTTP request containing control characters that the decodeURI() function is unable to parse. The vulnerable code is located in line 274 of src/WebServer.js, where the application fails to handle an exception thrown during URL decoding: 'var _url = decodeURIComponent(req.url).slice(1)'. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High), with attack vector being Network, attack complexity Low, and requiring no privileges or user interaction (Snyk).

When successfully exploited, this vulnerability results in a total loss of availability of the web server. The attack can cause the server to crash, leading to a denial of service condition that persists until the server is manually restarted. The impact is primarily on the availability of the service, with no direct effect on confidentiality or integrity (Snyk).

Currently, there is no fixed version available for the lite-web-server package. The package has virtually zero downloads and was last published 6 months before the vulnerability disclosure, though some level of maintenance was assumed to exist at the time of discovery (Snyk, GitHub POC).