
<div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote gmail_quote_container"><div dir="ltr" class="gmail_attr">Le mar. 7 oct. 2025 à 06:47, Yadd <<a href="mailto:yadd@debian.org">yadd@debian.org</a>> a écrit :<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Le 06/10/2025 à 21:47, Salvatore Bonaccorso a écrit :<br>

> Source: node-static<br>

> Version: 0.7.11+~0.7.7-2<br>

> Severity: important<br>

> Tags: security upstream<br>

> X-Debbugs-Cc: <a href="mailto:carnil@debian.org" target="_blank">carnil@debian.org</a>, Debian Security Team <<a href="mailto:team@security.debian.org" target="_blank">team@security.debian.org</a>><br>

> <br>

> Hi,<br>

> <br>

> The following vulnerability was published for node-static.<br>

> <br>

> CVE-2025-11149[0].<br>

> <br>

> Note this CVE is not very clear, and there is node-static in the<br>

> nubosoftware space. Now the CVE description references [1]. Can you<br>

> clarify on the state of the two projects? Our packaged one seems to<br>

> have still the issue?<br>

<br>

IMO, the patch does nothing (a try/catch on an async method won't catch <br>

anything)<br></blockquote><div><br></div><div>The patch *does* something, because fs.stat is *not* async,</div><div>so it might throw synchronously and never call cb(err).</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">

<br>

> If you fix the vulnerability please also make sure to include the<br>

> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.<br>

> <br>

> For further information see:<br>

> <br>

> [0] <a href="https://security-tracker.debian.org/tracker/CVE-2025-11149" rel="noreferrer" target="_blank">https://security-tracker.debian.org/tracker/CVE-2025-11149</a><br>

>      <a href="https://www.cve.org/CVERecord?id=CVE-2025-11149" rel="noreferrer" target="_blank">https://www.cve.org/CVERecord?id=CVE-2025-11149</a><br>

> [1] <a href="https://github.com/cloudhead/node-static/commit/78879dc665f0f7137063794b6e0b6203a81c7f67" rel="noreferrer" target="_blank">https://github.com/cloudhead/node-static/commit/78879dc665f0f7137063794b6e0b6203a81c7f67</a><br>

> <br>

> Please adjust the affected versions in the BTS as needed.<br>

> <br>

> Regards,<br>

> Salvatore<br>

> <br>

</blockquote></div></div>