{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-11149", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "state": "PUBLISHED", "assignerShortName": "snyk", "dateReserved": "2025-09-29T09:34:20.420Z", "datePublished": "2025-09-30T05:00:07.700Z", "dateUpdated": "2025-09-30T19:07:09.035Z"}, "containers": {"cna": {"metrics": [{"cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "exploitCodeMaturity": "PROOF_OF_CONCEPT", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:R"}}], "credits": [{"value": "Unknown", "lang": "en"}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "Denial of Service (DoS)", "lang": "en"}]}], "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2025-09-30T05:00:07.700Z"}, "descriptions": [{"value": "This affects all versions of the package node-static; all versions of the package @nubosoftware/node-static. The package fails to catch an exception when user input includes null bytes. This allows attackers to access http://host/%00 and crash the server.", "lang": "en"}], "references": [{"url": "https://security.snyk.io/vuln/SNYK-JS-NODESTATIC-1297183"}, {"url": "https://security.snyk.io/vuln/SNYK-JS-NUBOSOFTWARENODESTATIC-3330728"}, {"url": "https://github.com/cloudhead/node-static/commit/78879dc665f0f7137063794b6e0b6203a81c7f67"}], "affected": [{"product": "node-static", "versions": [{"version": "0", "lessThan": "*", "status": "affected", "versionType": "semver"}], "vendor": "n/a"}, {"product": "@nubosoftware/node-static", "versions": [{"version": "0", "lessThan": "*", "status": "affected", "versionType": "semver"}], "vendor": "n/a"}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-400", "lang": "en", "description": "CWE-400 Uncontrolled Resource Consumption"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-30T19:06:54.347906Z", "id": "CVE-2025-11149", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-30T19:07:09.035Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11149", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-09-30T19:06:54.347906Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-30T19:07:05.429Z"}}], "cna": {"credits": [{"lang": "en", "value": "Unknown"}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:R", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "exploitCodeMaturity": "PROOF_OF_CONCEPT", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "n/a", "product": "node-static", "versions": [{"status": "affected", "version": "0", "lessThan": "*", "versionType": "semver"}]}, {"vendor": "n/a", "product": "@nubosoftware/node-static", "versions": [{"status": "affected", "version": "0", "lessThan": "*", "versionType": "semver"}]}], "references": [{"url": "https://security.snyk.io/vuln/SNYK-JS-NODESTATIC-1297183"}, {"url": "https://security.snyk.io/vuln/SNYK-JS-NUBOSOFTWARENODESTATIC-3330728"}, {"url": "https://github.com/cloudhead/node-static/commit/78879dc665f0f7137063794b6e0b6203a81c7f67"}], "descriptions": [{"lang": "en", "value": "This affects all versions of the package node-static; all versions of the package @nubosoftware/node-static. The package fails to catch an exception when user input includes null bytes. This allows attackers to access http://host/%00 and crash the server."}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-400", "description": "Denial of Service (DoS)"}]}], "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2025-09-30T05:00:07.700Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11149", "state": "PUBLISHED", "dateUpdated": "2025-09-30T19:07:09.035Z", "dateReserved": "2025-09-29T09:34:20.420Z", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "datePublished": "2025-09-30T05:00:07.700Z", "assignerShortName": "snyk"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "This affects all versions of the package node-static; all versions of the package @nubosoftware/node-static. The package fails to catch an exception when user input includes null bytes. This allows attackers to access http://host/%00 and crash the server."}], "id": "CVE-2025-11149", "lastModified": "2025-10-02T19:12:42.843", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "report@snyk.io", "type": "Secondary"}]}, "published": "2025-09-30T11:37:39.050", "references": [{"source": "report@snyk.io", "url": "https://github.com/cloudhead/node-static/commit/78879dc665f0f7137063794b6e0b6203a81c7f67"}, {"source": "report@snyk.io", "url": "https://security.snyk.io/vuln/SNYK-JS-NODESTATIC-1297183"}, {"source": "report@snyk.io", "url": "https://security.snyk.io/vuln/SNYK-JS-NUBOSOFTWARENODESTATIC-3330728"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "report@snyk.io", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-400"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "node-static: node-static denial of service", "id": "2400393", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2400393"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-20", "details": ["This affects all versions of the package node-static; all versions of the package @nubosoftware/node-static. The package fails to catch an exception when user input includes null bytes. This allows attackers to access http://host/%00 and crash the server."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2025-11149", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "mozjs60", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "gjs", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "polkit", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:rhivos:1", "fix_state": "Affected", "package_name": "gjs", "product_name": "Red Hat In-Vehicle Operating System 1"}, {"cpe": "cpe:/o:redhat:rhivos:1", "fix_state": "Affected", "package_name": "polkit", "product_name": "Red Hat In-Vehicle Operating System 1"}], "public_date": "2025-09-30T05:00:07Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-11149\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-11149\nhttps://github.com/cloudhead/node-static/commit/78879dc665f0f7137063794b6e0b6203a81c7f67\nhttps://security.snyk.io/vuln/SNYK-JS-NODESTATIC-1297183\nhttps://security.snyk.io/vuln/SNYK-JS-NUBOSOFTWARENODESTATIC-3330728"], "statement": "The availability risk of this vulnerability is limited to the web server which incorporates the node-static package. The host system is not at risk.", "threat_severity": "Moderate"}

{"created": "2025-10-02T08:46:24.590302+00:00", "updated": "2025-10-02T08:46:24.590384+00:00", "vendors": ["@nubosoftware/node-static_project", "@nubosoftware/node-static_project$PRODUCT$@nubosoftware/node-static", "node-static_project", "node-static_project$PRODUCT$node-static"]}