What happened
CISA added CVE-2019-16278 (Nostromo nhttpd) to the Known Exploited Vulnerabilities catalog on 2024-11-07, signaling confirmed exploitation in the wild and setting a remediation due date of 2024-11-28 (CISA KEV). The issue is a directory traversal flaw in the http_verify() function that, when the server is not chrooted, enables remote code execution (RCE) (NVD CVE-2019-16278). MITRE tracks this as CVE-2019-16278 with CWE-22 classification for path traversal weaknesses (MITRE CVE).
Why it matters
Inclusion in the CISA KEV means federal agencies must remediate because the vulnerability is known to be actively exploited by adversaries, not just theoretically exploitable (CISA KEV). A successful traversal lets an attacker escape the document root and reach arbitrary filesystem locations; on non-chrooted Nostromo deployments this can escalate to RCE, resulting in full host compromise (NVD CVE-2019-16278). The flaw is categorized under CWE-22 (directory traversal), a class frequently targeted due to simple HTTP request vectors and broad impact on exposed web servers (MITRE CVE).
Technical detail
The vulnerability resides in Nostromo’s request verification path, specifically the http_verify() function, which insufficiently validates and normalizes user-supplied URLs before mapping them to filesystem paths (NVD CVE-2019-16278). By crafting traversal sequences, an attacker can access directories above the configured document root, violating intended isolation guarantees (MITRE CVE). When Nostromo is deployed without a chroot jail, escaping the document root exposes system paths and can be leveraged to achieve code execution on the underlying host, elevating the severity from information disclosure to full RCE (NVD CVE-2019-16278).
Practically, this means HTTP requests targeting path traversal can reach sensitive files or executable handlers that were never meant to be web-accessible; where execution is possible, that path becomes an initial access and persistence vector for attackers (NVD CVE-2019-16278). Because the attack surface is the HTTP path component, exploitation attempts blend in with routine web traffic and can be scripted for scale against any internet-exposed Nostromo instance (CISA KEV).
Defense
Mandated action per CISA: apply mitigations per vendor instructions or discontinue use if mitigations are unavailable; the due date set by CISA is 2024-11-28 for impacted federal enterprises (CISA KEV). Given the risk is highest when not running in a chroot jail, prioritize configurations that hard-jail the web server to limit filesystem exposure even if attempts occur (NVD CVE-2019-16278). Treat all externally reachable Nostromo endpoints as at-risk until configuration and patch status are verified against authoritative guidance for CVE-2019-16278 (MITRE CVE).
Compensating controls: place Nostromo behind a reverse proxy or WAF that rejects or normalizes path traversal sequences before they reach the origin, reducing exploit reliability for CWE-22 flaws (NVD CVE-2019-16278). Monitor HTTP logs for anomalous pathing consistent with traversal attempts and correlate with server-side errors or unexpected file access events to detect exploitation activity early (MITRE CVE). If the service must remain exposed during remediation, restrict source IPs to trusted ranges to shrink the attack surface while you validate fixes (CISA KEV).
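The log monitoring described above, as an added example that is not from the original page or from the Nostromo project: a small scanner that normalizes each request path the way a WAF rule would (repeated percent-decoding, backslash folding) and groups traversal-shaped requests by client together with the response status. It assumes the access log is in Common Log Format; the function names and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Assumed Common Log Format: ip - - [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def decode_fully(target, max_rounds=5):
    """Percent-decode repeatedly so double-encoded sequences are exposed."""
    for _ in range(max_rounds):
        target, previous = unquote(target), target
        if target == previous:
            break
    return target

def traversal_reasons(target):
    """Return why a request target looks like CWE-22 (empty list = clean)."""
    path = decode_fully(target.split("?", 1)[0])
    reasons = []
    is_ctrl = lambda c: ord(c) < 0x20 or ord(c) == 0x7F
    if any(is_ctrl(c) for c in path):
        # Control characters never belong in a path; drop them so they cannot hide "..".
        reasons.append("control-char")
        path = "".join(c for c in path if not is_ctrl(c))
    if ".." in path.replace("\\", "/").split("/"):
        reasons.append("dot-dot-segment")
    return reasons

def scan(lines):
    """Group suspicious requests by client: {ip: [(method, target, status, reasons)]}."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, target, status = m.groups()
        reasons = traversal_reasons(target)
        if reasons:
            hits[ip].append((method, target, int(status), reasons))
    return dict(hits)

SAMPLE = [  # constructed log lines (documentation IP ranges), not from a real server
    '198.51.100.7 - - [07/Nov/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.9 - - [07/Nov/2024:10:00:02 +0000] "GET /../../etc/passwd HTTP/1.1" 404 0',
    '203.0.113.9 - - [07/Nov/2024:10:00:03 +0000] "GET /%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 200 1843',
    '198.51.100.7 - - [07/Nov/2024:10:00:04 +0000] "GET /docs/v1..2/notes.txt HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    print(scan(SAMPLE))
```

A hit that carries a 2xx status deserves priority in triage, since it means the server answered a traversal-shaped request with content rather than an error.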
Lyrie Verdict
This is a low-friction web path exploit with confirmed in-the-wild use, and it hits the sweet spot for automated scanning and smash-and-grab RCE on unchrooted hosts (CISA KEV). Lyrie’s autonomous sensors flag traversal sequences targeting endpoints associated with CVE-2019-16278 and correlate them in real time with post-request host behaviors indicative of escape from the document root, enabling machine-speed containment before execution chains complete (NVD CVE-2019-16278). Against rogue-AI-driven spray campaigns, Lyrie’s value is the closed-loop, sub-second decisioning: detect traversal probes, confirm impact on a non-chrooted Nostromo, and isolate the workload automatically—no human dwell-time window to convert a path bug into RCE (MITRE CVE).
This traversal-to-RCE path is ideal for automated scanning. Lyrie detects CVE-2019-16278 attempts at wire speed and auto-isolates non-chrooted Nostromo targets before post-exploitation, closing the window that rogue AI tooling exploits.