[Pkg-javascript-devel] Bug#1117504: Bug#1117504: node-static: CVE-2025-11149
Yadd
yadd at debian.org
Tue Oct 7 05:44:30 BST 2025
On 06/10/2025 at 21:47, Salvatore Bonaccorso wrote:
> Source: node-static
> Version: 0.7.11+~0.7.7-2
> Severity: important
> Tags: security upstream
> X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
>
> Hi,
>
> The following vulnerability was published for node-static.
>
> CVE-2025-11149[0].
>
> Note this CVE is not very clear, and there is node-static in the
> nubosoftware space. Now the CVE description references [1]. Can you
> clarify the state of the two projects? Our packaged one seems to
> still have the issue?
IMO, the patch does nothing (a try/catch on an async method won't catch
anything).
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2025-11149
> https://www.cve.org/CVERecord?id=CVE-2025-11149
> [1] https://github.com/cloudhead/node-static/commit/78879dc665f0f7137063794b6e0b6203a81c7f67
>
> Please adjust the affected versions in the BTS as needed.
>
> Regards,
> Salvatore
>
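
The behaviour cited in the reply above, shown as an added example (not part of the original message, and not node-static or patch code): a synchronous try/catch around an asynchronous call exits before the failure happens. `failingOp`, `tryWithoutAwait`, `tryWithAwait` and `demo` are hypothetical names, and the operation is modelled as a promise-returning function; a callback that throws on a later tick escapes the enclosing try in the same way.

```javascript
'use strict';

// Hypothetical async operation (constructed): fails on a later tick, the way
// an I/O call reports an error after its caller has already returned.
async function failingOp() {
  await new Promise((resolve) => setImmediate(resolve));
  throw new Error('constructed failure');
}

// Pattern 1: synchronous try/catch around the call, no await. The call only
// hands back a pending promise, so the try block exits before anything fails.
function tryWithoutAwait(op) {
  const outcome = { caughtByTry: false, pending: null };
  try {
    outcome.pending = op();
  } catch (err) {
    outcome.caughtByTry = true; // not reached when op is an async function
  }
  return outcome;
}

// Pattern 2: await inside the try, so the rejection is rethrown into catch.
async function tryWithAwait(op) {
  try {
    await op();
    return { caughtByTry: false, message: null };
  } catch (err) {
    return { caughtByTry: true, message: err.message };
  }
}

// Runs both patterns and reports where the error surfaced.
async function demo() {
  const first = tryWithoutAwait(failingOp);
  // The rejection is observed here only to keep the demo alive: a rejected
  // promise that nobody handles terminates Node.js 15+ by default.
  const escaped = await first.pending.then(() => null, (err) => err.message);
  const second = await tryWithAwait(failingOp);
  return {
    withoutAwait: { caughtByTry: first.caughtByTry, escaped },
    withAwait: second,
  };
}

demo().then((result) => console.log(JSON.stringify(result, null, 2)));
```
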