npm package
@nubosoftware/node-static
pkg:npm/%40nubosoftware/node-static
Vulnerabilities (2)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-11149 | Hig | 7.5 | <= 0.7.11 | — | Sep 30, 2025 | This affects all versions of the package node-static; all versions of the package @nubosoftware/node-static. The package fails to catch an exception when user input includes null bytes. This allows attackers to access http://host/%00 and crash the server. | |
| CVE-2023-26111 | — | <= 0.7.11 | — | Mar 6, 2023 | All versions of the package @nubosoftware/node-static; all versions of the package node-static are vulnerable to Directory Traversal due to improper file path sanitization in the startsWith() method in the servePath function. |
- affected <= 0.7.11
This affects all versions of the package node-static; all versions of the package @nubosoftware/node-static. The package fails to catch an exception when user input includes null bytes. This allows attackers to access http://host/%00 and crash the server.
- CVE-2023-26111Mar 6, 2023affected <= 0.7.11
All versions of the package @nubosoftware/node-static; all versions of the package node-static are vulnerable to Directory Traversal due to improper file path sanitization in the startsWith() method in the servePath function.