On 06/10/2025 at 21:47, Salvatore Bonaccorso wrote:
> Source: node-static
> Version: 0.7.11+~0.7.7-2
> Severity: important
> Tags: security upstream
> X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
>
> Hi,
>
> The following vulnerability was published for node-static.
>
> CVE-2025-11149[0].
>
> Note this CVE is not very clear, and there is node-static in the
> nubosoftware space. Now the CVE description references [1]. Can you
> clarify on the state of the two projects? Our packaged one still
> seems to have the issue?

IMO, the patch does nothing (a try/catch on an async method won't catch
anything)

> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2025-11149
>     https://www.cve.org/CVERecord?id=CVE-2025-11149
> [1] https://github.com/cloudhead/node-static/commit/78879dc665f0f7137063794b6e0b6203a81c7f67
>
> Please adjust the affected versions in the BTS as needed.
>
> Regards,
> Salvatore

--
Pkg-javascript-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel