GHSA-3P34-W4F6-5XH2 is a high-severity path traversal vulnerability in better-helperjs (npm), affecting versions <= 3.0.5. It is fixed in 3.0.6.
Summary A directory traversal vulnerability exists in the production static file server of better-helperjs (<= 3.0.5). Attackers can read arbitrary files located in adjacent directory structures that share the same string prefix as the intended static root directory. Details The framework utilizes a custom static file server engine used when running in NODEENV=production (src/ssr/site-server.ts). Inside the safeStaticPath() method, the requested path is checked against the static root directory to prevent directory traversal out of the designated public folder. However, the validation uses String.prototype.startsWith(): This is logically flawed because startsWith evaluates plain strings rather than structural directory paths. If the application's assigned rootDir is /app/dist/client, and an attacker tries to access /app/dist/client-secrets/database.sqlite, the string "/app/dist/client-secrets/database.sqlite" successfully starts with "/app/dist/client". Because of this bypass, an attacker can read sensitive files stored inside any adjacent directory traversing through the parent, as long as the adjacent directory name begins with the exact same prefix as the target public directory. Impact Severity: High (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Affected Versions: <= 3.0.5 Patched Version: >= 3.0.6 Proof of Concept To reproduce this locally on a vulnerable installation: Assume the framework static configuration serves from a .dist/client directory. Build the project and create an adjacent prefix secret simulating sensitive deployment structure: bash npm run build mkdir -p dist/client-secrets echo "EXPOSEDSECRET" > dist/client-secrets/secret.txt Start the application in Production mode (NODEENV=production tsx server.ts). Using an HTTP client that doesn't pre-normalize /../ paths (e.g., netcat or raw sockets), send a GET request spanning into the prefix-sharing adjacent folder: http GET /%2e%2e%2fclient-secrets/secret.txt HTTP/1.1 Host: localhost:4174 Connection: close The server incorrectly validates the path and responds with HTTP/1.1 200 OK exposing EXPOSEDSECRET. (Note: Developer environment npm run dev servers are immune as static requests are handled defensively by Vite's Dev Middlewares. This vulnerability only triggers upon production starts). Remediation / Patches The path validation block has been updated to mandate exact path separation bounds by enforcing path.sep onto the evaluated traversal string. Workarounds If upgrading is temporarily impossible, users can safeguard their environment by ensuring no sensitive directories are deployed adjacent to their static build client directories sharing the identical word-prefix string.
Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files. Typical impact: unauthorized file read or write outside the intended directory.
GHSA-3P34-W4F6-5XH2 has a CVSS score of 7.5 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.
A fixed version is available (3.0.6). Upgrading removes the vulnerable code path.
npm
better-helperjs (<= 3.0.5)better-helperjs → 3.0.6 (npm)Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.
Kodem's runtime-powered SCA identifies whether GHSA-3P34-W4F6-5XH2 is reachable in your applications. Explore open-source security for your team.
See if GHSA-3P34-W4F6-5XH2 is reachable in your applications. Get a demo
Already deployed Kodem? See GHSA-3P34-W4F6-5XH2 in your environment →Upgrade better-helperjs to 3.0.6 or later to resolve this vulnerability.
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
GHSA-3P34-W4F6-5XH2 is a high-severity path traversal vulnerability in better-helperjs (npm), affecting versions <= 3.0.5. It is fixed in 3.0.6. Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files.
GHSA-3P34-W4F6-5XH2 has a CVSS score of 7.5 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
better-helperjs (npm) versions <= 3.0.5 is affected.
Yes. GHSA-3P34-W4F6-5XH2 is fixed in 3.0.6. Upgrade to this version or later.
Whether GHSA-3P34-W4F6-5XH2 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
Upgrade better-helperjs to 3.0.6 or later.