[Pkg-javascript-devel] Bug#1117504: Bug#1117504: node-static: CVE-2025-11149

Yadd yadd at debian.org
Tue Oct 7 05:44:30 BST 2025


On 06/10/2025 at 21:47, Salvatore Bonaccorso wrote:
> Source: node-static
> Version: 0.7.11+~0.7.7-2
> Severity: important
> Tags: security upstream
> X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
> 
> Hi,
> 
> The following vulnerability was published for node-static.
> 
> CVE-2025-11149[0].
> 
> Note this CVE is not very clear, and there is node-static in the
> nubosoftware space. Now the CVE description references [1]. Can you
> clarify on the state of the two projects? Our packaged one seems to
> have still the issue?

IMO, the patch does nothing (a try/catch on an async method won't catch 
anything)

> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2025-11149
>      https://www.cve.org/CVERecord?id=CVE-2025-11149
> [1] https://github.com/cloudhead/node-static/commit/78879dc665f0f7137063794b6e0b6203a81c7f67
> 
> Please adjust the affected versions in the BTS as needed.
> 
> Regards,
> Salvatore
> 
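
The behaviour the reply above refers to, as an added JavaScript example (not code from node-static, from the referenced commit, or from either correspondent): an exception thrown in a callback that runs on a later event-loop tick does not reach a try/catch wrapped around the call that scheduled it, while a check inside the callback does see the failure. `failingLookup`, the paths and the report fields are constructed stand-ins.

```javascript
// Added illustration; not code from node-static or from the referenced commit.
// failingLookup is a hypothetical stand-in for a callback-style async API
// whose result arrives on a later event-loop tick.
function failingLookup(path, callback) {
  setImmediate(() => callback(new Error(`constructed failure for ${path}`)));
}

// Pattern A: try/catch wrapped around the async call. The try block has
// already exited when the callback runs, so the throw never reaches catch.
function guardAroundCall(path, report) {
  try {
    failingLookup(path, (err) => {
      if (err) throw err; // raised from the event loop, outside the try
    });
  } catch (e) {
    report.caughtByTry = true; // not reached for the deferred failure
  }
}

// Pattern B: handle the failure inside the callback, where it is delivered.
function guardInsideCallback(path, report, done) {
  failingLookup(path, (err) => {
    if (err) report.handledInCallback = true; // e.g. answer with an error status
    done();
  });
}

// Runs both patterns and records where each failure actually surfaced.
function runDemo() {
  const report = { caughtByTry: false, escapedToProcess: false, handledInCallback: false };
  return new Promise((resolve) => {
    // Without this listener the escaped exception would terminate the process.
    process.once('uncaughtException', () => {
      report.escapedToProcess = true;
      guardInsideCallback('/constructed/b', report, () => resolve(report));
    });
    guardAroundCall('/constructed/a', report);
  });
}

const demoResult = runDemo();
demoResult.then((report) => console.log(report));
```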


