PatchSiren cyber security CVE debrief

CVE-2015-8856 Openjsf CVE debrief

CVE-2015-8856 is a cross-site scripting issue in the Node.js serve-index package before 1.6.3. If an attacker can influence a file or directory name that is rendered in a directory listing, the generated page may include attacker-controlled script or HTML. The CVE record was published on 2017-01-23, while the referenced advisory material dates to 2016-04-20.

Vendor: Openjsf
Product: CVE-2015-8856
CVSS: MEDIUM 6.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-23
Original CVE updated: 2026-05-13
Advisory published: 2017-01-23
Advisory updated: 2026-05-13

Who should care

Teams running Node.js applications that expose directory listings with serve-index, especially where untrusted users can create or rename files and directories. Security and platform teams should also care if serve-index is pinned in shared dependencies or used in public-facing static hosting.

Technical summary

NVD classifies the issue as CWE-79 with CVSS v3.1 vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating network reachability but requiring user interaction. The vulnerable CPE entry covers serve-index versions before 1.6.3. The attack condition described in the source data is a crafted file or directory name that is rendered unsafely in a listing, enabling script or HTML injection when a user views the page.

Defensive priority

Medium. The issue is externally reachable and can impact confidentiality and integrity, but it requires user interaction and is bounded to affected directory-listing deployments.

Recommended defensive actions

  • Upgrade serve-index to version 1.6.3 or later.
  • Inventory applications and services that expose directory listings and confirm whether serve-index is in use.
  • Disable directory listing features where they are not needed.
  • Review any custom rendering or wrapper logic to ensure file and directory names are HTML-escaped before display.
  • Verify dependency locks and transitive dependencies so vulnerable serve-index versions are not reintroduced.
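As an added example (not code from serve-index or its maintainers), the rendering defect class behind this CVE, an entry name written into the listing unescaped, is shown beside an escaped version, together with a check for the "before 1.6.3" boundary from the NVD record; the function names, the `/files` path and the sample entry names are constructed for illustration.

```javascript
// Added example, not serve-index code: unsafe vs. hardened directory-listing
// rendering, plus a version-range check for the affected range "before 1.6.3".

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Unsafe: the entry name is interpolated verbatim into both the href and the link text,
// so markup in a file or directory name lands in the page as-is.
function renderListingUnsafe(dirPath, names) {
  const items = names.map((n) => `<li><a href="${dirPath}/${n}">${n}</a></li>`);
  return `<ul>${items.join('')}</ul>`;
}

// Hardened: HTML-escape for the text context, percent-encode for the URL path segment.
function renderListingSafe(dirPath, names) {
  const items = names.map((n) =>
    `<li><a href="${escapeHtml(dirPath)}/${encodeURIComponent(n)}">${escapeHtml(n)}</a></li>`);
  return `<ul>${items.join('')}</ul>`;
}

// True if any entry name containing a tag appears unescaped in the rendered listing.
function containsRawMarkup(html, names) {
  return names.some((n) => /<[a-z]/i.test(n) && html.includes(n));
}

// Numeric "a < b" on dotted versions (assumes plain x.y.z strings, no prerelease tags).
function versionLessThan(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Affected range from the NVD record: serve-index before 1.6.3.
function isAffectedServeIndex(version) {
  return versionLessThan(version, '1.6.3');
}

// Constructed sample names: one ordinary, one carrying HTML markup.
const sampleNames = ['notes.txt', '<i>injected</i>.txt'];
```

Running `renderListingUnsafe('/files', sampleNames)` leaks the `<i>` tag into the page, while `renderListingSafe` emits `&lt;i&gt;injected&lt;/i&gt;.txt`; `isAffectedServeIndex` returns true for 1.6.2 and false for 1.6.3 or later.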

Evidence notes

The NVD record lists the affected range as serve-index before 1.6.3 and maps the weakness to CWE-79. It also provides the CVSS v3.1 vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. References in the CVE data include an Openwall mailing-list advisory and a NodeSecurity advisory/patch, which support the version boundary and remediation guidance.

Official resources

Publicly recorded in NVD on 2017-01-23, with referenced advisory material from 2016-04-20. The supplied source data does not indicate KEV inclusion or ransomware campaign use.