[Pkg-javascript-devel] Bug#1117504: Bug#1117504: node-static: CVE-2025-11149
Yadd
yadd at debian.org
Tue Oct 7 13:05:50 BST 2025
On 07/10/2025 at 09:34, Jérémy Lal wrote:
>
>
> On Tue, 7 Oct 2025 at 06:47, Yadd <yadd at debian.org> wrote:
>
> On 06/10/2025 at 21:47, Salvatore Bonaccorso wrote:
> > Source: node-static
> > Version: 0.7.11+~0.7.7-2
> > Severity: important
> > Tags: security upstream
> > X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
> >
> > Hi,
> >
> > The following vulnerability was published for node-static.
> >
> > CVE-2025-11149[0].
> >
> > Note this CVE is not very clear, and there is node-static in the
> > nubosoftware space. Now the CVE description references [1]. Can you
> > clarify the state of the two projects? Our packaged one seems to
> > still have the issue?
>
> IMO, the patch does nothing (a try/catch on an async method won't catch
> anything)
>
>
> The patch *does* something, because fs.stat is *not* async,
> so it might throw synchronously and never call cb(err).
fs.stat is async; this code shows it:
import fs from 'fs';
try {
  // The callback runs on a later tick, after this try/catch has already finished.
  fs.stat('nonexistent', (err) => {
    console.error('Should be called before');
  });
} catch (e) {
  // Never reached: the ENOENT error is passed to the callback, not thrown here.
  console.info('Never displayed');
  process.exit(0);
}
console.warn('executed before fs.stat');
In the current patch, the idea is that a bad argument will throw
immediately, so yes, the arg-parsing part of fs.stat is not async ;-)