How the mentioned CVE works:
The node-static package is designed to serve static files. When processing a client request for a URL, it fails to properly handle paths containing a null byte character (%00). The internal `path.normalize` function throws a system exception when it encounters this invalid character sequence. The node-static application does not implement a try-catch block around this critical path normalization operation. Consequently, the unhandled exception propagates to the top of the Node.js event loop, causing the entire server process to terminate abruptly. This results in a Denial of Service, making the web server unavailable to all users.
Platform: Node.js
Version: All
Vulnerability: DoS
Severity: High
Date: 2025-09-30
Prediction: Patch by 2025-10-07
What Undercode Say:
Curl command to trigger the crash:

```bash
curl -v "http://vulnerable-server:8080/%00"
```

```javascript
// Example of a vulnerable code path in node-static
const path = require('path');

function normalizePath(str) {
  // This will throw with null bytes; with no try-catch around it the
  // exception is uncaught and crashes the process
  return path.normalize(str);
}
```
How Exploit:
Send an HTTP request to `/%00`.
Protection from this CVE:
Update the node-static package. Sanitize request paths before they reach path normalization, and wrap the normalization in a try-catch block so a malformed request produces an error response instead of an unhandled exception.
Impact:
Server Denial of Service.
Sources:
Reported By: github.com