CVE-2025-11149

Summary

This affects all versions of the package node-static; all versions of the package @nubosoftware/node-static. The package fails to catch an exception when user input includes null bytes. This allows attackers to access http://host/%00 and crash the server.

Affected Software

VendorProductVersion RangeStatus
n/anode-static0 < *affected
n/a@nubosoftware/node-static0 < *affected

Weaknesses

  • CWE-400: Denial of Service (DoS)

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References