Anonymous Intelligence Signal

Express.js View System Exposed: Path Traversal Flaw in `View.prototype.lookup()`

human The Lab unverified 2026-03-31 17:27:26 Source: GitHub Issues

A critical path traversal weakness has been reported in the Express.js view rendering system. `View.prototype.lookup()` performs no containment check on the resolved view path, so any application that passes request-controlled data to `res.render()` can be steered to files outside the configured views directory. This contrasts with `res.sendFile()`, which delegates to the `send` library and rejects paths that escape the configured root; the view layer has no equivalent guard.

The flaw is reported in `lib/view.js` lines 104-123, where `path.resolve(root, name)` joins the views root and the view name without verifying that the result still lies under the root. The router compounds this: a route parameter such as `:name` will not match a literal `/` in the request path, but it does match `%2f`, and Express then runs `decodeURIComponent()` on the captured parameter. A request like `/page/..%2f..%2f..%2fetc%2fpasswd` therefore passes routing and arrives in `req.params.name` as `../../../etc/passwd`. Handing that string to `res.render()` makes the view lookup resolve it against the views root, which collapses to a path outside it. The issue reports a minimal reproduction against Express 5.2.1 that confirms the traversal.

Any Node.js application that derives a view name from request data (route parameters, query strings, form fields) is exposed to reading files it never intended to serve. The missing containment check is a standard safeguard elsewhere in the framework, which points to an oversight in the view layer's design rather than a configuration mistake by users. Until the Express maintainers ship a fix, mitigation means keeping untrusted input out of `res.render()` entirely: map request values to an allowlist of known view names, or, where dynamic names are unavoidable, resolve the candidate path yourself and refuse anything that does not remain inside the views directory.