On 07/10/2025 at 09:34, Jérémy Lal wrote:
On Tue, 7 Oct 2025 at 06:47, Yadd <[email protected]> wrote:
On 06/10/2025 at 21:47, Salvatore Bonaccorso wrote:
> Source: node-static
> Version: 0.7.11+~0.7.7-2
> Severity: important
> Tags: security upstream
> X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
>
> Hi,
>
> The following vulnerability was published for node-static.
>
> CVE-2025-11149[0].
>
> Note this CVE is not very clear, and there is node-static in the
> nubosoftware space. Now the CVE description references [1]. Can you
> clarify on the state of the two projects? Our packaged one seems to
> have still the issue?
IMO, the patch does nothing (a try/catch on an async method won't catch
anything)
The patch *does* something, because fs.stat is *not* async,
so it might throw synchronously and never call cb(err).
fs.stat is async; this code shows it:
import fs from 'fs';

try {
  fs.stat('nonexistent', (err) => {
    // Runs later, from the event loop: the ENOENT error arrives here as `err`.
    // It is never thrown, so the catch block below cannot see it.
    console.error('Should be called before');
  });
} catch (e) {
  // Never reached: with valid arguments fs.stat does not throw synchronously.
  console.info('Never displayed');
  process.exit(0);
}
// Printed before the callback fires: the fs.stat call returned immediately.
console.warn('executed before fs.stat');
In the current patch, the idea is that a bad argument will throw
immediately, so yes, the arg-parsing part of fs.stat is not async ;-)
--
Pkg-javascript-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel