Description

This affects all versions of the package node-static; all versions of the package @nubosoftware/node-static. The package fails to catch an exception when user input includes null bytes. This allows attackers to access http://host/%00 and crash the server.

INFO

Published Date :

2025-09-30T05:00:07.700Z

Last Modified :

2025-09-30T19:07:09.035Z

Source :

snyk
AFFECTED PRODUCTS

The following products are affected by CVE-2025-11149 vulnerability.

Vendors Products
@nubosoftware/node-static Project
  • @nubosoftware/node-static
Node-static Project
  • Node-static
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-11149.

URL Resource
https://github.com/cloudhead/node-static/commit/78879dc665f0f7137063794b6e0b6203a81c7f67 cve-icon cve-icon
https://security.snyk.io/vuln/SNYK-JS-NODESTATIC-1297183 cve-icon cve-icon
https://security.snyk.io/vuln/SNYK-JS-NUBOSOFTWARENODESTATIC-3330728 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact