PatchSiren cyber security CVE debrief
CVE-2015-8859 Send Project CVE debrief
CVE-2015-8859 is a medium-severity information disclosure issue in the Node.js send package. According to the NVD record, versions before 0.11.1 are affected, and an attacker may be able to obtain the root path through unspecified vectors. The available record does not describe a more precise attack path, so remediation should focus on upgrading to a fixed release and validating that any dependent applications are no longer exposed to the vulnerable package version.
- Vendor: Send Project
- Product: CVE-2015-8859
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-23
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-23
- Advisory updated: 2026-05-13
Who should care
Administrators and developers who deploy or package the Node.js send module, especially systems that still rely on versions earlier than 0.11.1. Security teams should also review applications that transitively include this package in their dependency tree.
Technical summary
NVD lists the vulnerable CPE as send_project:send for Node.js with versionEndExcluding 0.11.1. The CVSS v3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, reflecting a network-reachable issue with low confidentiality impact and no integrity or availability impact. The published description is limited: it states that attackers may obtain the root path via unspecified vectors, but it does not provide further exploit details in the supplied corpus.
Defensive priority
Moderate. The issue is publicly known, remotely reachable, and affects confidentiality, but the available record does not indicate code execution, privilege escalation, or a known ransomware association.
Recommended defensive actions
- Upgrade the Node.js send package to version 0.11.1 or later, or the nearest maintained release that includes the fix.
- Inventory applications and services that depend on send directly or transitively and confirm they are not pinned to vulnerable versions.
- If immediate upgrading is not possible, reduce exposure by limiting access to affected services and reviewing whether root-path disclosure would reveal sensitive deployment details.
- Re-scan dependency manifests and lockfiles after remediation to confirm the vulnerable version is no longer present.
Evidence notes
The source corpus provides only a brief description and NVD metadata. NVD identifies the vulnerable version range as anything before 0.11.1 and assigns CVSS v3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. The record also cites an oss-security mailing list post dated 2016-04-20 and a Node Security advisory, but the advisory link is marked broken in NVD's reference metadata. No exploit details, affected deployment patterns, or verified active exploitation are present in the supplied corpus.
Official resources
- CVE-2015-8859 CVE record (CVE.org)
- CVE-2015-8859 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: Mailing List, Third Party Advisory
- Mitigation or vendor reference: Broken Link, Third Party Advisory, VDB Entry
- Mitigation or vendor reference: Broken Link, Patch, Vendor Advisory
Publicly reported before the CVE publication date; the supplied NVD references include an oss-security mailing list post dated 2016-04-20. CVE published date used here is 2017-01-23.