43 matches found
40au-isteven-angular-multiselect (=4.0.0), @abcd19/st-grid (=3.1.0) +724 more potentially affected by CVE-2023-26111 via node-static (>=0.5.6 <=0.7.11)
node-static NPM version =0.5.6, =1.0.5, =0.0.5, =0.0.1, =0.0.1, =17.0.6 - @beadswap/lib =0.0.1 and more Source cves: CVE-2023-26111 Source advisory: OSV:GHSA-5G97-WHC9-8G7J...
CVE-2023-26111
All versions of the package @nubosoftware/node-static; all versions of the package node-static are vulnerable to Directory Traversal due to improper file path sanitization in the startsWith method in the servePath function...
Directory traversal
All versions of the package @nubosoftware/node-static; all versions of the package node-static are vulnerable to Directory Traversal due to improper file path sanitization in the startsWith method in the servePath function...
CVE-2023-26111
All versions of the package @nubosoftware/node-static; all versions of the package node-static are vulnerable to Directory Traversal due to improper file path sanitization in the startsWith method in the servePath function...
CVE-2023-26111
CVE-2023-26111 affects node-static and its fork @nubosoftware/node-static, with a Directory Traversal flaw caused by improper file path sanitization in the servePath function’s startsWith() method. All versions of both packages are reported vulnerable. Impact: potential access to files outside th...
PT-2023-20498 · Unknown · Node-Static
Name of the Vulnerable Software and Affected Versions: @node-static (all versions), node-static (all versions). Description: The issue arises from improper file path sanitization in the startsWith method within the servePath function, leading to Directory Traversal. This allows attackers to access file...
node-static path traversal vulnerability
node-static is an RFC 2616 compliant HTTP static file server module with built-in caching. A security vulnerability exists in node-static due to improper file path cleanup in the startsWith method of the servePath function...
277snippet-cli (>=1.0.0 <=1.0.2), 40au-isteven-angular-multiselect (=4.0.0) +740 more potentially affected by CVE-2023-26111 via node-static (>=0.5.6 <=0.7.9)
node-static NPM version =0.5.6, =1.0.0, =1.0.5, =0.0.5, =0.0.1, =0.0.1, =17.0.6 and more Source cves: CVE-2023-26111 Source advisory: SNYK:JS-NODESTATIC-3149928...
Directory Traversal
Overview node-static is an RFC 2616 compliant HTTP static-file server module, with built-in caching. Affected versions of this package are vulnerable to Directory Traversal due to improper file path sanitization in the startsWith method in the servePath function. PoC js curl --path-as-is...
Directory Traversal
Overview @nubosoftware/node-static is a simple, compliant file streaming module for node Affected versions of this package are vulnerable to Directory Traversal due to improper file path sanitization in the startsWith method in the servePath function. PoC js curl --path-as-is...
Denial of Service in node-static
All versions of node-static are vulnerable to a Denial of Service. The package fails to catch an exception when user input includes null bytes. This allows attackers to access http://host/%00 and crash the server...
40au-isteven-angular-multiselect (=4.0.0), @abcd19/st-grid (=3.1.0) +724 more potentially affected by CVE-2025-11149 via node-static (>=0.5.6 <=0.7.11)
node-static NPM version =0.5.6, =1.0.5, =0.0.5, =0.0.1, =0.0.1, =17.0.6 - @beadswap/lib =0.0.1 and more Source cves: CVE-2025-11149 Source advisory: OSV:GHSA-8R4G-CG4M-X23C...
GHSA-8R4G-CG4M-X23C Denial of Service in node-static
All versions of node-static are vulnerable to a Denial of Service. The package fails to catch an exception when user input includes null bytes. This allows attackers to access http://host/%00 and crash the server...
PT-2025-39959
Name of the Vulnerable Software and Affected Versions: node-static (affected versions not specified), @nubosoftware/node-static (affected versions not specified). Description: The software does not properly handle user input containing null bytes. This can allow attackers to access http://host/%00 and...
Denial of Service (DoS)
Overview node-static is an RFC 2616 compliant HTTP static-file server module, with built-in caching. Affected versions of this package are vulnerable to Denial of Service (DoS). The package fails to catch an exception when user input includes null bytes. This allows attackers to access http://host/%...
Denial of Service (DoS)
Overview @nubosoftware/node-static is a simple, compliant file streaming module for node Affected versions of this package are vulnerable to Denial of Service (DoS). The package fails to catch an exception when user input includes null bytes. This allows attackers to access http://host/%00 and cras...
277snippet-cli (>=1.0.0 <=1.0.2), 40au-isteven-angular-multiselect (=4.0.0) +740 more potentially affected by CVE-2025-11149 via node-static (>=0.5.6 <=0.7.9)
node-static NPM version =0.5.6, =1.0.0, =1.0.5, =0.0.5, =0.0.1, =0.0.1, =17.0.6 and more Source cves: CVE-2025-11149 Source advisory: SNYK:JS-NODESTATIC-1297183...
Directory Traversal
node-static is vulnerable to directory traversal. When the static HTTP server is run with indexFile option and can somehow be controlled by a malicious local user, the directory traversal ../ characters can be injected to access confidential files outside of the web directory. This can also...
Denial of Service
Overview All versions of node-static are vulnerable to a Denial of Service. The package fails to catch an exception when user input includes null bytes. This allows attackers to access http://host/%00 and crash the server. Recommendation No fix is currently available. Consider using an alternativ...
Open Redirect
Overview All versions of node-static are vulnerable to Open Redirect. The package fails to sanitize URLs and may redirect users to domains passed through the URL. The possible redirect domains are restricted to hosts whose name matches a served folder from the application. For example if the...