| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| node-static | npm | <= 0.7.11 | |
The vulnerability lies in the node-static package's failure to handle exceptions when processing file paths. Specifically, the fs.stat function in Node.js throws an exception if the path contains a null byte (%00 in a URL). The original code called fs.stat directly in several functions (serveDir, serveFile, servePath, and respondGzip) without any error handling for this case. An attacker could craft a URL containing a null byte, which would be passed to one of these functions; the subsequent call to fs.stat would raise an unhandled exception, crashing the Node.js process and resulting in a denial of service. The patch addresses this by introducing a tryStat wrapper function that encloses the fs.stat call in a try...catch block, handling the exception gracefully and preventing the server from crashing. The vulnerable functions are those that directly or indirectly handle user-provided paths and call fs.stat on them.