[Pkg-javascript-devel] Bug#1117504: Bug#1117504: node-static: CVE-2025-11149

[Yadd]

Le 07/10/2025 à 09:34, Jérémy Lal a écrit :
> 
> 
> Le mar. 7 oct. 2025 à 06:47, Yadd <yadd at debian.org 
> <mailto:yadd at debian.org>> a écrit :
> 
>     Le 06/10/2025 à 21:47, Salvatore Bonaccorso a écrit :
>      > Source: node-static
>      > Version: 0.7.11+~0.7.7-2
>      > Severity: important
>      > Tags: security upstream
>      > X-Debbugs-Cc: carnil at debian.org <mailto:carnil at debian.org>,
>     Debian Security Team <team at security.debian.org
>     <mailto:team at security.debian.org>>
>      >
>      > Hi,
>      >
>      > The following vulnerability was published for node-static.
>      >
>      > CVE-2025-11149[0].
>      >
>      > Note this CVE is not very clear, and there is node-static in the
>      > nubosoftware space. Now the CVE description references [1]. Can you
>      > clarify on the state of the two projects? Our packaged one seems to
>      > have still the issue?
> 
>     IMO, the patch does nothing (a try/catch on an async method won't catch
>     anything)
> 
> 
> The patch *does* something, because fs.stat is *not* async,
> so it might throw synchronously and never call cb(err).

fs.stat is async, this code shows it:

   import fs from 'fs';
   try {
     fs.stat('nonexistent', (err) => {
       console.error('Should be called before')
     });
   } catch (e) {
     console.info('Never displayed');
     process.exit(0);
   }
   console.warn('executed before fs.stat');


In the current patch, the idea is that a bad argument will throw 
immediately, so yes the arg-parsing part of fs.stat is not async ;-)