GHSA-3p34-w4f6-5xh2: better-helperjs Vulnerable to Directory Traversal via String Prefix Bypass in Static Server
A directory traversal vulnerability exists in better-helperjs static file server versions up to 3.0.5. The vulnerability arises from improper path validation using string prefix checks, allowing attackers to access files in adjacent directories with names sharing the static root directory's prefix. This flaw enables unauthorized reading of sensitive files outside the intended public directory. The issue is fixed in version 3.0.6 by enforcing exact path boundary checks. No known exploits are reported in the wild.
AI Analysis
Technical Summary
better-helperjs versions <= 3.0.5 contain a directory traversal vulnerability in the production static file server. The vulnerability is due to the use of String.prototype.startsWith() to validate requested paths against the static root directory, which is insufficient because it only checks string prefixes rather than actual directory boundaries. An attacker can exploit this by requesting files in adjacent directories whose names start with the static root directory's prefix, bypassing the validation and reading arbitrary files. The flaw is corrected in version 3.0.6 by requiring the resolved path to start with the root directory plus a path separator or be exactly the root directory, preventing prefix-based bypasses.
Potential Impact
An attacker can read arbitrary files located in directories adjacent to the static root directory if those directories share the same string prefix as the root. This leads to unauthorized disclosure of potentially sensitive information. The vulnerability has a CVSS 3.1 base score of 7.5 (High) with network attack vector, no privileges required, and no user interaction needed. There is no impact on integrity or availability.
Mitigation Recommendations
An official patch is available in better-helperjs version 3.0.6 and later, which fixes the path validation logic to prevent prefix-based directory traversal. Users should upgrade to version 3.0.6 or newer. If upgrading is not immediately possible, users should ensure that no sensitive directories with names sharing the static root directory's prefix are deployed adjacent to the static files directory to mitigate the risk.
Technical Details
- GCVE source: db.gcve.eu
- OSV ID: GHSA-3p34-w4f6-5xh2
- OSV schema version: 1.4.0
- Aliases: []
- Ecosystems: ["npm"]
- Database-specific severity: HIGH
- CVSS version: 3.1
Threat ID: 6a3ef76827e9c79719fee793
Added to database: 06/26/2026, 22:04:24 UTC
Last enriched: 06/26/2026, 22:06:49 UTC
Last updated: 06/27/2026, 04:32:42 UTC