CVE-2025-11149: node-static failure to catch exception can result in server crash
7.5
Basic Information
Technical Details
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| node-static | npm | <= 0.7.11 | |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability lies in the node-static package's failure to handle exceptions when processing file paths. Specifically, the fs.stat function in Node.js throws an exception synchronously, rather than passing an error to its callback, if the path contains a null byte (%00). The original code called fs.stat directly in multiple functions (serveDir, serveFile, servePath, and respondGzip) without any error handling for this case. An attacker could craft a URL containing a null byte, which would be passed to one of these functions; the subsequent call to fs.stat would raise an unhandled exception, crash the Node.js process, and so cause a denial of service. The patch addresses this by introducing a tryStat wrapper function that encloses the fs.stat call in a try...catch block, handling the exception gracefully and preventing the server from crashing. The vulnerable functions are those that directly or indirectly handle user-provided paths and use the unguarded fs.stat call.
Vulnerable functions
Server.serveDir (lib/node-static.js)
Server.serveFile (lib/node-static.js)
Server.servePath (lib/node-static.js)
Server.respondGzip (lib/node-static.js)