External Control of File Name or Path
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-73: External Control of File Name or Path |
| OWASP | A04:2021 - Insecure Design |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | High |
Description
Passing user input directly to res.sendFile in Express lets an attacker manipulate the file path and read files outside the intended directory (path traversal). Validate the input and canonicalize the resulting path, confirming it still lies inside the intended base directory, before calling sendFile.
Impact
If exploited, an attacker could read sensitive files on the server (such as configuration files, environment variables, or source code) by submitting crafted requests. This can lead to data breaches, exposure of credentials, and compromise of the application’s security.