CVE-2023-26126: 
JavaScript vulnerability analysis and mitigation

CVE-2023-26126 affects all versions of the m.static package, which is a lightweight static file server for Node.js. The vulnerability was discovered and disclosed on January 23, 2023, and was published on May 9, 2023. The package is vulnerable to Directory Traversal attacks due to improper input sanitization of the path being requested via the requestFile function (Snyk Advisory, NVD).

The vulnerability is classified as CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'). The issue stems from line 19 of index.js where the path is constructed using const requestFile = join(options.cwd, req.url) without proper input sanitization or protection mechanisms. The vulnerability has received a CVSS v3.1 base score of 7.5 (High) from Snyk and 5.3 (Medium) from NVD (GitHub PoC, Snyk Advisory).

The vulnerability allows attackers to access files and directories stored outside the intended folder through path traversal techniques. This can lead to unauthorized access to sensitive files on the system, including application source code, configuration files, and other critical system files (Snyk Advisory).

Currently, there is no fixed version available for the m.static package. The package has virtually zero downloads and was last published 4 years ago, limiting its impact (GitHub PoC).