Security readout for executives and security teams
Plain-English summary
This is a cross-site scripting flaw in Dart http_server directory listings. A malicious path could cause script content to run in a user's browser when viewing a vulnerable listing. Business impact is mainly session, trust, and content integrity risk, not direct server takeover based on the cited CVSS vector.
Executive priority
Prioritize remediation for any exposed or user-accessible directory listing. This is not rated critical, but it is easy to reach remotely and can affect users' browsers. Legacy or internet-facing deployments should be fixed in the next normal security maintenance window.
Technical view
CVE-2014-125098 affects Dart http_server 0.9.0 through 0.9.5. The VirtualDirectory handler in lib/src/virtual_directory.dart mishandles request.uri.path in directory listing output, causing CWE-79 XSS. The issue is remotely reachable, unauthenticated, low complexity, and fixed in version 0.9.6 by commit 27c1cbd8125bb0369e675eb72e48218496e48ffb.
Likely exposure
Exposure is likely limited to applications still using Dart http_server 0.9.0-0.9.5 with VirtualDirectory directory listings reachable by users. Internet-facing file browsers, developer tools, internal dashboards, or legacy Dart services are the main places to check.
Exploitation context
The source bundle says remote attack is possible, but KEV is false and no cited source states active exploitation. Treat it as a credible browser-side risk where vulnerable directory listings are exposed, especially if authenticated users or administrators browse them.
Researcher notes
Evidence supports affected versions, vulnerable function, CWE-79 classification, CVSS v2 5.0, and fixed release 0.9.6. The bundle does not provide proof-of-concept details, active exploitation evidence, or broader affected products beyond Dart http_server.
Mitigation direction
- Upgrade Dart http_server to version 0.9.6 or later.
- If upgrade is delayed, disable public VirtualDirectory directory listings.
- Restrict vulnerable directory listings to trusted networks or authenticated users.
- Review vendor release and patch notes before deploying compensating controls.
- Retire legacy services that depend on unsupported or archived components.
Validation and detection
- Inventory Dart services and dependency lockfiles for http_server versions 0.9.0 through 0.9.5.
- Confirm whether VirtualDirectory directory listings are enabled and reachable.
- Verify deployed artifacts use http_server 0.9.6 or a fixed replacement.
- Review exposed routes for directory listing pages served to browsers.
- Check application logs for unusual encoded or script-like path requests.
Public sources used
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CWE-79: User-session and phishing behavior lookup
Client-side and session-facing weaknesses should be reviewed alongside initial-access and user-execution behaviors. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Open ATT&CK lookupCVE-2014-125098 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- Medium
- CVSS
- 5 (2.0)
- Known Exploited
- No
- Published
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
CVSS vector scores
1 official scoreWe collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
AV:N/AC:L/Au:N/C:N/I:P/A:N102.9Primary CVE scoreVulnerability scoring details
Base CVSS 2.0 score
5MediumVector: AV:N/AC:L/Au:N/C:N/I:P/A:N
Source materials
- CVE List V5 sourceCVE List V5
- https://vuldb.com/?id.225356CVE reference · vdb-entry, technical-description
- https://vuldb.com/?ctiid.225356CVE reference · signature, permissions-required
- https://codereview.chromium.org/225813002CVE reference · related
- https://github.com/dart-archive/http_server/commit/27c1cbd8125bb0369e675eb72e48218496e48ffbCVE reference · patch
- https://github.com/dart-archive/http_server/releases/tag/0.9.6CVE reference · patch
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
