CVE-2023-26152: 
JavaScript vulnerability analysis and mitigation

CVE-2023-26152 is a Directory Traversal vulnerability affecting all versions of the static-server package. The vulnerability exists due to improper input sanitization in the validPath function of server.js. The vulnerability was discovered in February 2023 and publicly disclosed in June 2023, affecting the static-server package which serves as a local HTTP file server for static resource files (Snyk Advisory, GitHub POC).

The vulnerability stems from a flawed implementation of path validation in the static-server package. The issue occurs in the validPath function where the code attempts to jail requests to a specific root directory. The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). The CVSS v3.1 base score is 7.5 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating network accessibility, low attack complexity, and no required privileges or user interaction (Snyk Advisory).

The vulnerability allows attackers to access files and directories stored outside the intended folder through directory traversal techniques. This can lead to unauthorized access to sensitive files and potential information disclosure. The package has significant usage with reported 40,055 weekly downloads at the time of the advisory (GitHub POC).

There is currently no fixed version available for the static-server package. The source code repository on GitHub is archived and the package was last published 5 years ago (Snyk Advisory).