
Nostromo Web Server Remote Code Execution (CVE-2019-16278)


Overview

Nostromo Web Server Remote Code Execution, tracked as CVE-2019-16278, affects vulnerable Nostromo nhttpd web servers. Nostromo is a small HTTP server, and in affected deployments this issue turns a path validation weakness into remote code execution.

Vulnerability Overview

CVE-2019-16278 is a directory traversal vulnerability in Nostromo's http_verify() function. The Nostromo 1.9.7 changelog explains that missing handling for the carriage return character in the supporting strcutl() logic could allow an attacker to bypass directory traversal checks.

In a non-chrooted nhttpd server, that bypass can cross the intended web root boundary and reach code execution paths. NVD describes the issue as remote code execution through a crafted HTTP request against Nostromo nhttpd through version 1.9.6.
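The validation-order problem described above can be shown with a simplified model. This is an added example, not Nostromo's source code: `check_then_strip`, `safe_resolve`, `audit` and the `/srv/www` document root are hypothetical names chosen for illustration, and the request paths are constructed samples.

```python
import posixpath
from urllib.parse import unquote

DOCROOT = "/srv/www"  # hypothetical document root, not taken from the page


def check_then_strip(raw_path):
    """Bug class model: traversal check first, CR removed afterwards."""
    decoded = unquote(raw_path)
    if "/../" in decoded or decoded.endswith("/.."):
        return None                       # rejected by the traversal check
    return decoded.replace("\r", "")      # late cleanup can re-form "/../"


def safe_resolve(raw_path, docroot=DOCROOT):
    """Hardened order: decode, reject control bytes, canonicalize, contain."""
    decoded = unquote(raw_path)
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in decoded):
        return None                       # CR, LF, NUL etc. never reach the filesystem
    full = posixpath.normpath(posixpath.join(docroot, decoded.lstrip("/")))
    if full != docroot and not full.startswith(docroot + "/"):
        return None                       # resolved outside the document root
    return full


# Constructed request paths for illustration (not captured traffic).
SAMPLES = [
    "/index.html",
    "/docs/../index.html",
    "/a/../../etc/hostname",
    "/docs/.%0d./.%0d./etc/hostname",
]


def audit(paths=SAMPLES):
    """Return (path, weak_result, hardened_result) for each request path."""
    return [(p, check_then_strip(p), safe_resolve(p)) for p in paths]


if __name__ == "__main__":
    for path, weak, hardened in audit():
        print(f"{path!r:40} weak={weak!r:28} hardened={hardened!r}")
```

The weak routine accepts the last sample because the dot segments only appear after the carriage returns are removed, while the hardened routine rejects it before any path resolution happens.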

Impact

CVE-2019-16278 has a CVSS 3.1 score of 9.8 and is rated Critical in NVD. The score reflects network reachability, low attack complexity, no required privileges, no user interaction, and high confidentiality, integrity, and availability impact.

Successful exploitation can allow an attacker to execute unauthorized code through the web server, access local files outside the intended document root, modify server-side content, or use the compromised web service as a foothold into the host.

CVE-2019-16278 is also listed in the CISA Known Exploited Vulnerabilities Catalog, which indicates confirmed exploitation in real environments.

Vulnerability Scope

CVE-2019-16278 affects Nostromo nhttpd through 1.9.6. The issue was fixed in Nostromo 1.9.7 according to the project changelog.

The highest-risk exposure is an internet-facing Nostromo server running an affected version, especially when the service is not isolated with chroot-style containment and has access to sensitive filesystem paths or executable CGI behavior.

Lab Focus

This lab focuses on understanding how directory traversal in a web server can become remote code execution when path validation and server isolation fail together. The goal is to practice evaluating web server request handling, filesystem boundaries, and the security value of containment controls.

Resources