{"id":"CVE-2025-11149","details":"This affects all versions of the package node-static; all versions of the package @nubosoftware/node-static. The package fails to catch an exception when user input includes null bytes. This allows attackers to access http://host/%00 and crash the server.","aliases":["GHSA-27w5-gj5q-82fv"],"modified":"2026-04-10T05:21:36.735891Z","published":"2025-09-30T11:37:39.050Z","references":[{"type":"WEB","url":"https://security.snyk.io/vuln/SNYK-JS-NODESTATIC-1297183"},{"type":"WEB","url":"https://security.snyk.io/vuln/SNYK-JS-NUBOSOFTWARENODESTATIC-3330728"},{"type":"FIX","url":"https://github.com/cloudhead/node-static/commit/78879dc665f0f7137063794b6e0b6203a81c7f67"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/cloudhead/node-static","events":[{"introduced":"0"},{"fixed":"78879dc665f0f7137063794b6e0b6203a81c7f67"}]}],"versions":["v0.6.0","v0.6.1","v0.6.2","v0.6.8","v0.6.9","v0.7.1","v0.7.3","v0.7.5","v0.7.6","v0.7.7","v0.7.8","v0.7.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-11149.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}