Pierre-Élie Fauché reports:

When using serve-static middleware version < 1.7.2 and it's configured to mount at the root it creates an open redirect on the site.

For example: If a user visits http://example.com//www.google.com/%2e%2e they will be redirected to www.google.com

Recommendations

Update to version 1.7.2 or greater. It also appears that you can set 'redirect: false' option to disable this behavior.

References

https://github.com/expressjs/serve-static/issues/26
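
The redirect described in the report above, as an added example that is not part of the original report and is not serve-static's code: it shows why the reported path leaves the site and one way to guard against it in front of an unpatched static handler. It assumes the affected directory redirect echoes the raw request path with a trailing slash; the function names and the `ORIGIN` value are hypothetical.

```javascript
// Added example, not serve-static code. ORIGIN is a constructed site origin.
const ORIGIN = 'http://example.com';

// Assumed model of the affected directory redirect: the raw request path
// is echoed into the Location header with a trailing slash appended.
function directoryRedirectTarget(rawPath) {
  return rawPath.endsWith('/') ? rawPath : rawPath + '/';
}

// Hardened variant: collapse leading slashes so the value can never be
// read as a scheme-relative URL (//host/...).
function safeDirectoryRedirectTarget(rawPath) {
  return directoryRedirectTarget(rawPath.replace(/^\/{2,}/, '/'));
}

// Resolve a Location value the way a browser would and report whether it
// leaves our origin. Unparsable values fail closed.
function leavesOrigin(location, origin = ORIGIN) {
  try {
    return new URL(location, origin).origin !== new URL(origin).origin;
  } catch (err) {
    return true;
  }
}

// Connect-style guard (hypothetical name) to mount before static serving:
// refuse any request whose echoed path would redirect off-site.
function guardStaticRedirect(req, res, next) {
  const rawPath = req.url.split('?')[0];
  if (leavesOrigin(directoryRedirectTarget(rawPath))) {
    res.statusCode = 400;
    res.end('Bad Request');
    return;
  }
  next();
}
```

The guard is a stopgap for hosts that cannot yet move to 1.7.2 or set 'redirect: false'; `leavesOrigin` can also be reused in tests that check every `Location` header an application emits.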
Created nodejs-serve-static tracking bugs for this issue:

Affects: fedora-all [bug 1181918]
Affects: epel-6 [bug 1181919]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.