Suppose someone adds directory('.') to connect(). It'll pass the check for non-empty root and if a requestor asks for /../../../../../../, it'll also pass the check for malicious path because path.indexOf(root) is true since the path starts with ..
So creating directory('.') in your middleware stack has the unintended result of giving someone listing rights on your whole computer (subject to permissions of web server user).
The directory middleware should probably resolve the root parameter to an absolute path before using it.
The easiest solution to this is to change line 56 in directory.js from

    , root = normalize(root);

to

    , root = path.resolve(root);

which normalizes and makes the path absolute.
Incidentally, it might also be a good idea to allow disabling the following of symlinks (although this would require doing lstat on every path component after the root).
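Added example, not part of the original report and not Connect's own code: a small model of the root check described above, run with a relative root and with a resolved one. The working directory `/srv/app`, the sample request paths and the function names are constructed assumptions; the third function goes beyond the report and compares on a path boundary instead of a string prefix.

```javascript
const path = require('path').posix; // POSIX rules so results match on any host

// Constructed working directory; real code would rely on process.cwd().
const CWD = '/srv/app';

// Check as described in the report: root is only normalized, then prefix-tested.
function checkNormalized(root, urlPath) {
  const base = path.normalize(root);
  const target = path.normalize(path.join(base, urlPath));
  return target.indexOf(base) === 0 ? target : null; // null = forbidden
}

// Proposed fix from the report: make root absolute, keep the prefix test.
function checkResolved(root, urlPath) {
  const base = path.resolve(CWD, root);
  const target = path.normalize(path.join(base, urlPath));
  return target.indexOf(base) === 0 ? target : null;
}

// Stricter variant (assumption, beyond the report): test containment on a
// path boundary, so a sibling like /srv/app-old does not match root /srv/app.
function checkContained(root, urlPath) {
  const base = path.resolve(CWD, root);
  const target = path.normalize(path.join(base, urlPath));
  const rel = path.relative(base, target);
  const outside = rel === '..' || rel.startsWith('../');
  return outside ? null : target;
}

// Constructed request paths: a normal one, the one from the report, a sibling.
const samples = ['/public/css', '/../../../../../../', '/../app-old/'];
for (const p of samples) {
  console.log(JSON.stringify({
    request: p,
    normalizedRoot: checkNormalized('.', p),
    resolvedRoot: checkResolved('.', p),
    containedRoot: checkContained('.', p),
  }));
}
```

With root `.` the normalized check accepts the traversal request because the joined path begins with `.`, and it rejects `/public/css` for the same reason, so the prefix test is unreliable in both directions until root is absolute.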