[Pkg-javascript-devel] Bug#1117504: Bug#1117504: node-static: CVE-2025-11149

Salvatore Bonaccorso carnil at debian.org
Tue Oct 7 09:01:25 BST 2025


Hi Jeremy, Yadd,

On Tue, Oct 07, 2025 at 09:34:52AM +0200, Jérémy Lal wrote:
> On Tue, 7 Oct 2025 at 06:47, Yadd <yadd at debian.org> wrote:
> 
> > On 06/10/2025 at 21:47, Salvatore Bonaccorso wrote:
> > > Source: node-static
> > > Version: 0.7.11+~0.7.7-2
> > > Severity: important
> > > Tags: security upstream
> > > X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
> > >
> > > Hi,
> > >
> > > The following vulnerability was published for node-static.
> > >
> > > CVE-2025-11149[0].
> > >
> > > Note this CVE is not very clear, and there is node-static in the
> > > nubosoftware space. Now the CVE description references [1]. Can you
> > > clarify on the state of the two projects? Our packaged one seems to
> > > have still the issue?
> >
> > IMO, the patch does nothing (a try/catch on an async method won't catch
> > anything)
> >
> 
> The patch *does* something, because fs.stat is *not* async,
> so it might throw synchronously and never call cb(err).

Can you additionally clarify: we seem to use the cloudhead/node-static
fork, but the commit tagged in an earlier version does not seem to be
actually applied. Looking through the git history, I do not see it
reverted either.

At the risk of looking confused, I would appreciate it if someone can
enlighten me on what is happening here.

Regards,
Salvatore
