
node-static @0.6.0

Status: rejected
This version was rejected. It did not pass GreenFlagged's security review and is not served by the registry. The findings and risk dispositions below explain why.
Risk Score: 83
License: MIT
Install Scripts: No
Dependencies: 0
Dev Dependencies: 0
Package Size: 7.0 KB
Published:

simple, compliant file streaming module for node

Maintainers

cloudhead, indexzero, phstc

Keywords

http, static, file, server

Risk Dispositions (2 applicable to this version, 0 other)

Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.

Rule | Source | Disposition | Author | Reason
osv:GHSA-5g97-whc9-8g7j | osv | reject | AI | AI (osv): Directory traversal CVE affects all versions <= 0.7.11 with no fix published; verdict generalizes to all current and future versions until a patched release appears.
osv:GHSA-8r4g-cg4m-x23c | osv | reject | AI | AI (osv): DoS via null bytes affects all versions <= 0.7.11 with no fix published; verdict generalizes across versions.

SAST Findings (3)

CRITICAL GHSA-5g97-whc9-8g7j: node-static and @nubosoftware/node-static vulnerable to Directory Traversal osv

[Always reject] CVSS 7.5 (HIGH) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. node-static and its fork, @nubosoftware/node-static, are vulnerable to Directory Traversal due to improper file path sanitization in the startsWith() check in the servePath function.

CRITICAL GHSA-8r4g-cg4m-x23c: Denial of Service in node-static osv

[Always reject] All versions of node-static are vulnerable to a Denial of Service. The package fails to catch an exception when user input includes null bytes. This allows attackers to access `http://host/%00` and crash the server.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

Review Summary

Risk score: 83. Findings: 2 critical (+80), 1 low (+3), 1 info (+0).

Published to npm: