CVE-2025-11149

Name: CVE-2025-11149
Description: This affects all versions of the package node-static and all versions of the package @nubosoftware/node-static. The package does not catch the exception raised when a percent-decoded request path contains a NUL byte: Node's fs APIs validate the path before doing any I/O and throw a synchronous TypeError (ERR_INVALID_ARG_VALUE) for paths with null bytes, rather than reporting the error through the callback, so an uncaught throw inside the request handler terminates the whole Node process. An unauthenticated client can therefore request http://host/%00 and crash the server (denial of service).
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1117504

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package     Release           Version           Status
node-static (PTS)  bullseye          0.7.9-1           vulnerable
                   bookworm, trixie  0.7.11+~0.7.7-1   vulnerable
                   forky, sid        0.7.11+~0.7.7-2   vulnerable

The information below is based on the following data on fixed versions.

Package      Type    Release     Fixed Version  Urgency  Origin  Debian Bugs
node-static  source  (unstable)  (unfixed)                       1117504

Notes

[trixie] - node-static <no-dsa> (Minor issue)
[bookworm] - node-static <no-dsa> (Minor issue)
[bullseye] - node-static <no-dsa> (Minor issue)
