CVE-2014-6394

visionmedia send before 0.8.4 for Node.js uses a partial comparison for verifying whether a directory is within the document root, which allows remote attackers to access restricted directories, as demonstrated using "public-restricted" under a "public" directory.

Date published : 2014-10-08

http://lists.apple.com/archives/security-announce/2015/Sep/msg00002.html

http://www.securityfocus.com/bid/70100