
CVE-2025-11149: node-static failure to catch exception can result in server crash

CVSS 3.1 Score: 7.5

Basic Information

EPSS Score: 0.10661%
Published: 9/30/2025
Updated: 9/30/2025
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package Name: node-static
Ecosystem: npm
Vulnerable Versions: <= 0.7.11
First Patched Version: (not listed)

Vulnerability Intelligence

Root Cause Analysis

The vulnerability lies in the node-static package's failure to handle exceptions when processing file paths. Specifically, the fs.stat function in Node.js throws an exception synchronously, before any callback is invoked, if the path contains a null byte (%00); the error therefore never reaches the callback's error branch. The original code called fs.stat directly in multiple functions (serveDir, serveFile, servePath, and respondGzip) without any error handling for this case. An attacker could craft a URL with a null byte, which would be passed to one of these functions. The subsequent call to fs.stat would raise an unhandled exception, crashing the Node.js process and resulting in a denial of service. The patch addresses this by introducing a tryStat wrapper function that encloses the fs.stat call within a try...catch block, routing the exception to the callback and preventing the server from crashing. The vulnerable functions are those that directly or indirectly handle user-provided paths and use the unguarded fs.stat call.

Vulnerable functions

Server.serveDir (lib/node-static.js)
The function `serveDir` in the `Server` class calls `fs.stat` without handling exceptions. A malicious path containing a null byte, when passed to `fs.stat`, will cause an unhandled exception and crash the server. The patch replaces the direct call to `fs.stat` with a new `tryStat` function that wraps the call in a try-catch block.

Server.serveFile (lib/node-static.js)
The function `serveFile` in the `Server` class calls `fs.stat` without handling exceptions. A malicious path containing a null byte, when passed to `fs.stat`, will cause an unhandled exception and crash the server. The patch replaces the direct call to `fs.stat` with a new `tryStat` function that wraps the call in a try-catch block.

Server.servePath (lib/node-static.js)
The function `servePath` in the `Server` class calls `fs.stat` without handling exceptions. A malicious path containing a null byte, when passed to `fs.stat`, will cause an unhandled exception and crash the server. The patch replaces the direct call to `fs.stat` with a new `tryStat` function that wraps the call in a try-catch block.

Server.respondGzip (lib/node-static.js)
The function `respondGzip` in the `Server` class calls `fs.stat` without handling exceptions when checking for a gzipped version of a file. A malicious path that leads to the creation of a `gzFile` path with a null byte will cause an unhandled exception and crash the server. The patch replaces the direct call to `fs.stat` with a new `tryStat` function that wraps the call in a try-catch block.

WAF Protection Rules

WAF Rule

This affects all versions of the package node-static; all versions of the package @nubosoftware/node-static. The package fails to catch an exception when user input includes null bytes. This allows attackers to access http://host/%00 and crash the s