Versions of http-live-simulator prior to 1.0.7 are vulnerable to Path Traversal. Due to insufficient input sanitization, attackers can access server files by using relative paths. For example: curl --path-as-is http://localhost:8080//../../../../etc/passwd.

Recommendation

Upgrade to version 1.0.7

References

• https://nvd.nist.gov/vuln/detail/CVE-2018-16479
• https://hackerone.com/reports/411405
• GHSA-7c9w-qmrq-ff8r
• https://github.com/nodejs/security-wg/blob/master/vuln/npm/486.json
• https://www.npmjs.com/advisories/772