ID

VAR-202211-1870


CVE

CVE-2022-25848


TITLE

static-dev-server directory traversal vulnerability

Trust: 0.6

sources: CNVD: CNVD-2022-85490

DESCRIPTION

This affects all versions of the package static-dev-server. The flaw exists because, when a user-supplied path is joined to the root directory, the assets served for that path are resolved relative to the root directory. static-dev-server is a simple HTTP server for serving static resource files from a local directory and automatically reloading when the files change. All versions of npm static-dev-server have a directory traversal vulnerability. The vulnerability stems from the lack of a validity check on the path when processing directory requests. Attackers can use this vulnerability to retrieve arbitrary files from the underlying file system through specially crafted web requests.

Trust: 1.44

sources: NVD: CVE-2022-25848 // CNVD: CNVD-2022-85490

IOT TAXONOMY

category: Network device, sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2022-85490

AFFECTED PRODUCTS

vendor: static dev server, model: static-dev-server, scope: eq, version: 1.0.0

Trust: 1.0

vendor: npm, model: static-dev-server, scope: -, version: -

Trust: 0.6

sources: CNVD: CNVD-2022-85490 // NVD: CVE-2022-25848

CVSS

SEVERITY

CVSSV2

CVSSV3

report@snyk.io: CVE-2022-25848
value: HIGH

Trust: 1.0

nvd@nist.gov: CVE-2022-25848
value: HIGH

Trust: 1.0

CNVD: CNVD-2022-85490
value: HIGH

Trust: 0.6

CNNVD: CNNVD-202211-3639
value: HIGH

Trust: 0.6

CNVD: CNVD-2022-85490
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:C/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

report@snyk.io: CVE-2022-25848
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 2.0

sources: CNVD: CNVD-2022-85490 // CNNVD: CNNVD-202211-3639 // NVD: CVE-2022-25848 // NVD: CVE-2022-25848

PROBLEMTYPE DATA

problemtype: CWE-22

Trust: 1.0

sources: NVD: CVE-2022-25848

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202211-3639

TYPE

path traversal

Trust: 0.6

sources: CNNVD: CNNVD-202211-3639

PATCH

title: Patch for static-dev-server directory traversal vulnerability
url: https://www.cnvd.org.cn/patchInfo/show/362796

Trust: 0.6

sources: CNVD: CNVD-2022-85490

EXTERNAL IDS

db: NVD, id: CVE-2022-25848

Trust: 2.2

db: CNVD, id: CNVD-2022-85490

Trust: 0.6

db: CNNVD, id: CNNVD-202211-3639

Trust: 0.6

sources: CNVD: CNVD-2022-85490 // CNNVD: CNNVD-202211-3639 // NVD: CVE-2022-25848

REFERENCES

url: https://security.snyk.io/vuln/snyk-js-staticdevserver-3149917

Trust: 2.2

url: https://gist.github.com/lirantal/5550bcd0bdf92c1b56fbb20e141fe5bd

Trust: 1.6

url: https://cxsecurity.com/cveshow/cve-2022-25848/

Trust: 0.6

sources: CNVD: CNVD-2022-85490 // CNNVD: CNNVD-202211-3639 // NVD: CVE-2022-25848

SOURCES

db: CNVD, id: CNVD-2022-85490
db: CNNVD, id: CNNVD-202211-3639
db: NVD, id: CVE-2022-25848

LAST UPDATE DATE

2025-04-26T22:49:31.401000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2022-85490, date: 2022-12-07T00:00:00
db: CNNVD, id: CNNVD-202211-3639, date: 2022-12-02T00:00:00
db: NVD, id: CVE-2022-25848, date: 2025-04-24T18:15:16.343

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2022-85490, date: 2022-11-29T00:00:00
db: CNNVD, id: CNNVD-202211-3639, date: 2022-11-29T00:00:00
db: NVD, id: CVE-2022-25848, date: 2022-11-29T17:15:11.123