• Security risk: Medium-high
  • Vulnerabilityloopback-component-storage to directory traversal attack


A security leak exposing loopback-component-storage to directory traversal attack. The component was exposed to a vulnerability where an attacker could use a command to retrieve the content of the server.js file of a LoopBack application and crash the server.

Reported by

Juho Nurminen at 2NS - Second Nature Security Oy.

Versions affected

loopback-component-storage 3.0.0 and earlier


Upgrade to loopback-component-storage 3.0.1 or later.

Ensure that your application’s package.json has the following line:

"dependencies": {
  "loopback-component-storage": "^3.0.1",

Then upgrade your project dependencies to use the latest version :

$ cd <app-root>
$ npm update
Tags: security