cloudhead node-static
cpe:2.3:a:node-static_project:node-static:*:*:*:*:node.js:*:*
- < 0.1.1
A denial-of-service vulnerability has been identified in all versions of the Node-Static package and the @Nubosoftware/Node-Static package. The packages do not properly handle user input that includes null bytes, so a request for a URL containing a null byte crashes the server.
Exploitation of this vulnerability leads to a server crash, causing a denial-of-service condition where the server becomes unavailable to legitimate users.
The vulnerability can be reproduced by sending a request to the server with a null byte in the URL. This can be done using a tool like curl or Postman, or by writing a simple script that sends the request. The server will crash as a result.
A fix for this vulnerability has been implemented in the master branch of the Node-Static repository, but it has not yet been published. Users can monitor the repository for the release of the patched version.
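Until a patched release is published, requests can be filtered before they reach the file server. The following is an added example, not code from the Node-Static project: a request-handler wrapper that returns 400 for any URL containing a null byte. It goes slightly beyond the case described above by also catching percent-encoded and nested-encoded forms. The names `containsNullByte`, `guardNullBytes` and `fileServer` are hypothetical.

```javascript
// Added example: reject URLs containing a null byte before the static
// file handler sees them. Function names are hypothetical.

// True if the URL holds a NUL in raw form, percent-encoded (%00),
// or nested-encoded (%2500 -> %00 -> NUL), up to maxDecodes rounds.
function containsNullByte(rawUrl, maxDecodes = 3) {
  let current = String(rawUrl);
  for (let i = 0; i <= maxDecodes; i++) {
    if (current.includes('\0')) return true;
    let decoded;
    try {
      decoded = decodeURIComponent(current);
    } catch (e) {
      // Malformed percent-encoding cannot be decoded as a whole;
      // fall back to looking for a literal %00 sequence.
      return /%00/.test(current);
    }
    if (decoded === current) return false; // nothing left to decode
    current = decoded;
  }
  return current.includes('\0');
}

// Wraps a (req, res) handler and answers 400 instead of forwarding
// any request whose URL contains a null byte.
function guardNullBytes(next) {
  return function (req, res) {
    if (containsNullByte(req.url)) {
      res.writeHead(400, { 'Content-Type': 'text/plain' });
      res.end('Bad Request');
      return;
    }
    next(req, res);
  };
}

// Usage sketch (assumes `fileServer` is an existing node-static Server):
//   http.createServer(guardNullBytes((req, res) => fileServer.serve(req, res)));
```

Log the rejected requests as well: repeated 400 responses from this filter are a useful signal that someone is probing for the crash.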