Cloud Vulnerability DB
A community-led vulnerabilities database
Vulnerability DatabaseCVE-2025-11149
CVE-2025-11149:
JavaScript vulnerability analysis and mitigation
Overview
CVE-2025-11149 affects all versions of the node-static package and @nubosoftware/node-static package. The vulnerability was discovered and disclosed on September 30, 2025, and is related to the package's failure to properly handle null bytes in user input (NVD).
Technical details
The vulnerability is classified as a Denial of Service (DoS) issue with a CVSS v3.1 base score of 7.5 (HIGH). The vulnerability is tracked under CWE-400 (Uncontrolled Resource Consumption). The technical root cause stems from the package's failure to catch exceptions when processing user input containing null bytes (Snyk).
Impact
When exploited, this vulnerability allows attackers to crash the server by accessing http://host/%00. The attack results in a total loss of availability, causing the system to become completely unavailable to legitimate users (Snyk).
Mitigation and workarounds
A fix has been pushed to the master branch of the project but has not yet been published as a new version. The fix involves implementing proper exception handling for null byte inputs (GitHub Commit).
Additional resources
Source: This report was generated using AI
Related JavaScript vulnerabilities:
Free Vulnerability Assessment
Benchmark your Cloud Security Posture
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Additional Wiz resources
Get a personalized demo
Ready to see Wiz in action?
"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management