Node.js 8.5.0 gater than equal and less than 8.6.0 Directory Traversal

Rejah Rehim
Published on
01 Oct 2021

Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files. The reason is that Node.js 8.5.0 has a logic error when performing the normalize operation on the directory, which leads to the jump to the upper level(such as ../../../foo/../../../../etc/passwd).


This logic error causes the normalize function to return an error result, bypassing the check, and causing arbitrary file reading vulnerabilities.

Mitigation / Precaution

In order to patch this vulnerability, we suggest you to upgrade Node js to the latest version.

Automated human-like penetration testing for your web apps & APIs
Teams using Beagle Security are set up in minutes, embrace release-based CI/CD security testing and save up to 65% with timely remediation of vulnerabilities. Sign up for a free account to see what it can do for you.

Written by
Rejah Rehim
Rejah Rehim
Co-founder, Director
Find website security issues in a flash
Improve your website's security posture with proactive vulnerability detection.
Free website security assessment