CVE-2025-11149

Published September 30th, 2025

View on NVD ↗

CVSS v3

7.5

HIGH

CVSS v2

N/A

Affected

PROJECT

Description

This affects all versions of the package node-static; all versions of the package @nubosoftware/node-static. The package fails to catch an exception when user input includes null bytes. This allows attackers to access http://host/%00 and crash the server.

cloudhead/node-static

rfc 2616 compliant HTTP static-file server module, with built-in caching.

GitHub

2.16K