[Pkg-javascript-devel] Bug#1117504: Bug#1117504: node-static: CVE-2025-11149
Jérémy Lal
kapouer at melix.org
Tue Oct 7 08:34:52 BST 2025
On Tue 7 Oct 2025 at 06:47, Yadd <yadd at debian.org> wrote:
> On 06/10/2025 at 21:47, Salvatore Bonaccorso wrote:
> > Source: node-static
> > Version: 0.7.11+~0.7.7-2
> > Severity: important
> > Tags: security upstream
> > X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
> >
> > Hi,
> >
> > The following vulnerability was published for node-static.
> >
> > CVE-2025-11149[0].
> >
> > Note this CVE is not very clear, and there is node-static in the
> > nubosoftware space. Now the CVE description references [1]. Can you
> > clarify on the state of the two projects? Our packaged one seems to
> > have still the issue?
>
> IMO, the patch does nothing (a try/catch on an async method won't catch
> anything)
>
The patch *does* something, because fs.stat is *not* async,
so it might throw synchronously and never call cb(err).
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2025-11149
> > https://www.cve.org/CVERecord?id=CVE-2025-11149
> > [1] https://github.com/cloudhead/node-static/commit/78879dc665f0f7137063794b6e0b6203a81c7f67
> >
> > Please adjust the affected versions in the BTS as needed.
> >
> > Regards,
> > Salvatore
> >
>