Pierre-Élie Fauché reports:
When using serve-static middleware version < 1.7.2 and it's configured to mount at the root, it creates an open redirect on the site.
For example: if a user visits http://example.com//www.google.com/%2e%2e, they will be redirected to www.google.com.
Update to version 1.7.2 or greater. It also appears that you can set the 'redirect: false' option to disable this behavior.
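Why the URL in the report leaves the site, and a guard that can sit in front of a root-mounted static handler, as an added example (not serve-static's code and not part of the report). It assumes the directory redirect sends back the requested path with a trailing slash; `leavesSite` and `rejectLeadingDoubleSlash` are hypothetical names.

```javascript
// Added example: not serve-static's code. Function names are hypothetical.
// Assumption: the directory redirect sends Location = requested path + "/".

// Resolve a Location value the way a browser does and report whether the
// resulting origin differs from the site's own origin.
function leavesSite(location, siteOrigin) {
  const base = new URL(siteOrigin);
  let target;
  try {
    target = new URL(location, base);
  } catch (err) {
    return true; // unparseable Location: treat as unsafe
  }
  return target.origin !== base.origin;
}

// Connect-style guard to mount ahead of the static middleware: a path that
// starts with two slashes is refused before any redirect can echo it back.
function rejectLeadingDoubleSlash(req, res, next) {
  if (/^\/{2,}/.test(req.url)) {
    res.statusCode = 400;
    res.end('Bad Request');
    return;
  }
  next();
}

// Constructed sample: the path from the report plus the trailing slash.
const SAMPLE_LOCATION = '//www.google.com/%2e%2e' + '/';
const SITE = 'http://example.com';

function demo() {
  return {
    // "//host/..." is a protocol-relative URL, so the host becomes www.google.com
    reported: leavesSite(SAMPLE_LOCATION, SITE),
    // with a single leading slash the same text is only a path on example.com
    singleSlash: leavesSite('/www.google.com/%2e%2e/', SITE),
  };
}

console.log(demo());
```

The guard is defence in depth for sites that cannot upgrade immediately; `leavesSite` can also be run over Location headers captured in integration tests or proxy logs.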
Created nodejs-serve-static tracking bugs for this issue:
Affects: fedora-all [bug 1181918]
Affects: epel-6 [bug 1181919]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.