{"url":"http://public2.vulnerablecode.io/api/packages/88993?format=json","purl":"pkg:npm/st@0.3.1","type":"npm","namespace":"","name":"st","version":"0.3.1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"1.2.2","latest_non_vulnerable_version":"1.2.2","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/12529?format=json","vulnerability_id":"VCID-2vqb-1nbk-37fc","summary":"URL Redirection to Untrusted Site (Open Redirect)\nAn attacker is able to craft a request that results in an HTTP redirect to an entirely different domain.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-16224","reference_id":"","reference_type":"","scores":[{"value":"0.00215","scoring_system":"epss","scoring_elements":"0.44053","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-16224"},{"reference_url":"https://www.npmjs.com/advisories/547","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.npmjs.com/advisories/547"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-16224","reference_id":"CVE-2017-16224","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-16224"},{"reference_url":"https://github.com/advisories/GHSA-72fg-jqhx-c68p","reference_id":"GHSA-72fg-jqhx-c68p","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_tex
tual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-72fg-jqhx-c68p"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/53404?format=json","purl":"pkg:npm/st@1.2.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/st@1.2.2"}],"aliases":["CVE-2017-16224","GHSA-72fg-jqhx-c68p"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2vqb-1nbk-37fc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/11791?format=json","vulnerability_id":"VCID-5ya1-38zx-x7eu","summary":"Open Redirect\nAn attacker is able to craft a request that results in an HTTP redirect to an entirely different domain.","references":[],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/53404?format=json","purl":"pkg:npm/st@1.2.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/st@1.2.2"}],"aliases":["GMS-2017-323"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5ya1-38zx-x7eu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/10473?format=json","vulnerability_id":"VCID-pknd-efdz-pqcp","summary":"Static file leakage\nAs stated on \"The NPM Blog\", \"it was possible, through a carefully encoded URL, to get st to serve any file it could see, not just the ones in the static content directory, and you could also list the contents of directories, so it was very easy to go looking for sensitive files.\" The NPM registry relies on st, meaning that all the versions of all the npms published prior to March th may be corrupted. 
But there is no evidence that they *have* been corrupted.","references":[{"reference_url":"http://blog.npmjs.org/post/80277229932/newly-paranoid-maintainers","reference_id":"","reference_type":"","scores":[],"url":"http://blog.npmjs.org/post/80277229932/newly-paranoid-maintainers"},{"reference_url":"https://github.com/isaacs/st/commit/f961d4a839a76a423b212c716776d583b8d120e9","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/isaacs/st/commit/f961d4a839a76a423b212c716776d583b8d120e9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/50697?format=json","purl":"pkg:npm/st@0.3.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2vqb-1nbk-37fc"},{"vulnerability":"VCID-5ya1-38zx-x7eu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/st@0.3.2"}],"aliases":["GMS-2014-2"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-pknd-efdz-pqcp"}],"fixing_vulnerabilities":[],"risk_score":"3.1","resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/st@0.3.1"}