CVE-2024-52793: XSS vulnerability in serveDir API of @std/http/file-server on POSIX systems

5.1 CVSS

Description

The Deno Standard Library provides APIs for Deno and the Web. Prior to version 1.0.11, `http/file-server`'s `serveDir` with `showDirListing: true` option is vulnerable to cross-site scripting when the attacker is a user who can control file names in the source directory on systems with POSIX file names. Exploitation might also be possible on other systems but less trivial due to e.g. lack of file name support for `<>` in Windows. Version 1.0.11 fixes the issue.

Classification

CVE ID: CVE-2024-52793

CVSS Base Severity: MEDIUM

CVSS Base Score: 5.1

Affected Products

Vendor: denoland

Product: std

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (probability of being exploited)

EPSS Percentile: 17.81% (scored less or equal to compared to others)

EPSS Date: 2025-02-03 (when was this score calculated)

References

https://github.com/denoland/std/security/advisories/GHSA-32fx-h446-h8pf
https://github.com/denoland/std/blob/065296ca5a05a47f9741df8f99c32fae4f960070/http/file_server.ts#L507
https://github.com/denoland/std/blob/065296ca5a05a47f9741df8f99c32fae4f960070/http/file_server.ts#L532

Timeline

2024-11-27 14:42:05 UTC
CVE

XSS vulnerability in serveDir API of @std/http/file-server on POSIX systems