node-static @0.7.11
simple, compliant file streaming module for node
Dependencies (3)
| Package | Constraint | Registry Status |
|---|---|---|
| mime | ^1.2.9 | auto_approved |
| colors | >=0.6.0 | auto_approved |
| optimist | >=0.3.4 | auto_approved |
Dev Dependencies (2)
| Package | Constraint | Registry Status |
|---|---|---|
| vows | latest | auto_approved |
| request | latest | No greenflagged match |
Risk Dispositions (2 applicable to this version, 0 other)
Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.
| Rule | Source | Disposition | Author | Reason |
|---|---|---|---|---|
| osv:GHSA-5g97-whc9-8g7j | osv | reject | AI | AI (osv): Directory traversal CVE affects all versions <= 0.7.11 with no fix published; verdict generalizes to all current and future versions until a patched release appears. |
| osv:GHSA-8r4g-cg4m-x23c | osv | reject | AI | AI (osv): DoS via null bytes affects all versions <= 0.7.11 with no fix published; verdict generalizes across versions. |
SAST Findings (3)
CVSS 7.5 (HIGH) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N node-static and its fork, @nubosoftware/node-static, are vulnerable to Directory Traversal due to improper file path sanitization in the startsWith() method in the servePath function.
All versions of node-static are vulnerable to a Denial of Service. The package fails to catch an exception when user input includes null bytes. This allows attackers to access `http://host/%00` and crash the server.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
Review Summary
Risk score: 93. Findings: 2 critical (+80), 1 medium (+10), 1 low (+3), 1 info (+0).
Commit: e59fe21dffbe
Published to npm: