lite-server is a local HTTP file server, or as is it describes itself: Lightweight development node server for serving a web app, providing a fallback for browser history API, loading in the browser, and injecting scripts on the fly..
Observation:
- It is quite popular with 30,346 weekly downloads for its latest version
- It was last published 2 years ago
Resources:
- Project's GitHub source code: https://github.com/johnpapa/lite-server
- Project's npm package: https://www.npmjs.com/package/lite-server
If an attacker makes an HTTP request to a server running with lite-server
and includes control characters that the decodeURI() function is unable
to parse, then it causes lite-server to crash.
- Run the server
npx lite-server --baseDir="public/" - Send an HTTP request which uses unicode characters outside of the ASCII scope of URLs:
curl http://10.100.102.7:3000/..%c0%2fetc%c0%2fhosts - Observe the server crashes
This is happening due to the fact that the logger that is used to print the information uses the decodeURI() function which throws an exception that is unhandled by the library code and propagated up to the Node.js runtime.
Liran Tal