CVE-2025-11149
BaseFortify
Publication date: 2025-09-30
Last updated on: 2025-10-02
Assigner: Snyk
Description
This affects all versions of the package node-static and all versions of the package @nubosoftware/node-static. The package fails to catch an exception that is thrown when user input includes null bytes. An attacker can request a URL such as http://host/%00 and crash the server.
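A request guard that rejects null bytes before the request reaches a static file handler, as an added example that is not code from node-static or from this advisory. The names classifyRequestTarget, guard and next are hypothetical, and next stands for whatever function serves the file.

```javascript
// Added example: filter request targets before they reach a static file
// handler. All names here are hypothetical; nothing below is node-static API.

// Returns 'reject' for targets carrying a raw or percent-encoded NUL, or
// percent-encoding that cannot be decoded; otherwise returns 'pass'.
function classifyRequestTarget(rawUrl) {
  if (typeof rawUrl !== 'string') return 'reject';
  // Test the encoded form directly so a malformed escape elsewhere in the
  // URL cannot mask a %00.
  if (rawUrl.includes('\0') || /%00/.test(rawUrl)) return 'reject';
  try {
    // Overlong encodings such as %C0%80 and broken escapes throw URIError.
    decodeURIComponent(rawUrl.split('?')[0]);
  } catch (err) {
    return 'reject';
  }
  return 'pass';
}

// Wraps a (req, res) handler. Bad targets get a 400 and never reach `next`.
function guard(next) {
  return function (req, res) {
    if (classifyRequestTarget(req.url) === 'reject') {
      res.writeHead(400, { 'Content-Type': 'text/plain' });
      res.end('Bad Request');
      return;
    }
    try {
      next(req, res);
    } catch (err) {
      // Only synchronous throws are caught here. An exception raised later
      // in a callback still escapes, so the check above is the main control.
      if (!res.headersSent) res.writeHead(500, { 'Content-Type': 'text/plain' });
      res.end('Internal Server Error');
    }
  };
}
```

The wrapped handler is passed to http.createServer in place of the original one, so the filter runs on every request before any path is resolved against the file system.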
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nubosoftware | node-static | * |
| cloudhead | node-static | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in all versions of the node-static package and the @nubosoftware/node-static package. It occurs because the package fails to handle exceptions when user input contains null bytes. Attackers can exploit this by sending requests with null bytes (e.g., http://host/%00), which causes the server to crash.
How can this vulnerability impact me?
The vulnerability can cause a denial of service by crashing the server when it receives specially crafted requests containing null bytes. This can lead to service downtime and unavailability.