XSS vulnerability in serveDir API of @std/http/file-server on POSIX systems
CVE-2024-52793

Currently unrated

Key Information:

Vendor

Denoland

Status
Std
Vendor
CVE Published:
22 November 2024

What is CVE-2024-52793?

The Deno Standard Library provides APIs for Deno and the Web. Prior to version 1.0.11, http/file-server's serveDir with showDirListing: true option is vulnerable to cross-site scripting when the attacker is a user who can control file names in the source directory on systems with POSIX file names. Exploitation might also be possible on other systems but less trivial due to e.g. lack of file name support for <> in Windows. Version 1.0.11 fixes the issue.

Affected Version(s)

std < 1.0.11

References

https://github.com/denoland/std/security/advisories/GHSA-...
x_refsource_CONFIRM
https://github.com/denoland/std/blob/065296ca5a05a47f9741...
x_refsource_MISC
https://github.com/denoland/std/blob/065296ca5a05a47f9741...
x_refsource_MISC

Timeline

  • Vulnerability published

.