High severity 7.5 · OSV Advisory · Published Sep 30, 2025 · Updated Apr 15, 2026
CVE-2025-11149
Description
This affects all versions of the package node-static and all versions of the package @nubosoftware/node-static. The package fails to catch an exception when user input includes null bytes. An attacker can therefore request http://host/%00 and crash the server.
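Because the table below lists no patched version, one mitigation is to reject such requests before they reach the file server. The following is an added example, not code from node-static or the advisory; `safeRequestPath`, `guard` and `serveFile` are hypothetical names, and the guard assumes the wrapped handler serves the already-decoded path it is given.

```javascript
// Added example: a request guard to place in front of a static file handler.
// Nothing here is node-static's own code; all names are hypothetical.

// Decode the path part of a request URL and decide whether it may be passed
// to filesystem APIs. Returns the decoded path, or null to reject the request.
function safeRequestPath(rawUrl) {
  if (typeof rawUrl !== 'string') return null;
  // Keep only the path: drop the query string and fragment.
  const rawPath = rawUrl.split(/[?#]/, 1)[0];
  let decoded;
  try {
    // Throws URIError on malformed percent-encoding such as "%E0%A4%A".
    decoded = decodeURIComponent(rawPath);
  } catch (err) {
    return null;
  }
  // "%00" decodes to a NUL character. Node's fs APIs reject paths that
  // contain NUL by throwing, so refuse the request here instead.
  if (decoded.includes('\u0000')) return null;
  return decoded;
}

// Wrap a handler so that bad paths get a 400 and a synchronous throw inside
// the handler becomes a 500 instead of an uncaught exception.
function guard(serveFile) {
  return function (req, res) {
    const path = safeRequestPath(req.url);
    if (path === null) {
      res.statusCode = 400;
      res.end('Bad Request');
      return;
    }
    try {
      serveFile(req, res, path);
    } catch (err) {
      if (!res.headersSent) res.statusCode = 500;
      res.end('Internal Server Error');
    }
  };
}
```

A double-encoded request such as `/a%2500` passes the guard as the literal text `/a%00`, so the wrapped handler must not decode the path a second time.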
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @nubosoftware/node-static (npm) | <= 0.7.11 | — |
Affected products
- Range: v0.6.0, v0.6.1, v0.6.2, …
References
- github.com/advisories/GHSA-27w5-gj5q-82fv (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-11149 (ghsa, ADVISORY)
- github.com/cloudhead/node-static/commit/78879dc665f0f7137063794b6e0b6203a81c7f67 (nvd, WEB)
- github.com/github/advisory-database/pull/6248 (ghsa, WEB)
- security.snyk.io/vuln/SNYK-JS-NODESTATIC-1297183 (nvd, WEB)
- security.snyk.io/vuln/SNYK-JS-NUBOSOFTWARENODESTATIC-3330728 (nvd, WEB)