VYPR
High severity (7.5) · OSV Advisory · Published Sep 30, 2025 · Updated Apr 15, 2026

CVE-2025-11149

Description

This affects all versions of the package node-static and all versions of the package @nubosoftware/node-static. The package fails to catch an exception when user input includes null bytes. This allows attackers to crash the server by requesting http://host/%00.
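
One way to keep such requests away from the file server is to refuse them before the static handler runs. The guard below is an added example, not code from node-static or from this advisory; `rejectReason`, `guardNullBytes`, `staticHandlerStub` and `simulate` are hypothetical names, and the stub stands in for whatever handler serves the files.

```javascript
// Returns a reason string when the request target must be refused, else null.
function rejectReason(rawUrl) {
  if (typeof rawUrl !== 'string') return 'missing request target';
  let decoded;
  try {
    // '%00' decodes to a NUL character; invalid escapes throw URIError.
    decoded = decodeURIComponent(rawUrl);
  } catch (err) {
    return 'malformed percent-encoding';
  }
  if (rawUrl.includes('\0') || decoded.includes('\0')) {
    return 'null byte in request target';
  }
  return null;
}

// Wraps any (req, res) handler so refused requests never reach it.
// Pass the wrapped function to http.createServer() in place of the original.
function guardNullBytes(handler) {
  return function guarded(req, res) {
    const reason = rejectReason(req.url);
    if (reason !== null) {
      res.writeHead(400, { 'Content-Type': 'text/plain' });
      res.end('Bad Request\n');
      return reason; // returned so callers can log why it was refused
    }
    handler(req, res);
    return null;
  };
}

// Hypothetical stand-in for the static file handler (assumption, not the package's API).
function staticHandlerStub(req, res) {
  res.writeHead(200, { 'Content-Type': 'text/plain' });
  res.end('ok\n');
}

// Constructed request/response stubs so the guard can be exercised offline.
function simulate(url) {
  const res = { status: null, writeHead(code) { this.status = code; }, end() {} };
  guardNullBytes(staticHandlerStub)({ url }, res);
  return res.status;
}
```

The guard checks the whole request target, query string included, which is stricter than checking the path alone.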

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
@nubosoftware/node-static (npm) | <= 0.7.11 |
