nodejs (18.20.4+dfsg-1~deb12u2) bookworm-security; urgency=medium
* Team upload
* Fix CVE-2025-23085:
A memory leak could occur when a remote peer abruptly closes
the socket without sending a GOAWAY notification. Additionally,
if an invalid header was detected by nghttp2, causing the
connection to be terminated by the peer, the same leak was
triggered. This flaw could lead to increased memory consumption
and potential denial of service under certain conditions
(Closes: #1094134)
* Fix CVE-2025-23166:
The C++ method SignTraits::DeriveBits() may incorrectly call
ThrowException() based on user-supplied inputs when executing
in a background thread, crashing the Node.js process.
Such cryptographic operations are commonly applied to
untrusted inputs. Thus, this mechanism potentially allows
an adversary to remotely crash a Node.js runtime.
(Closes: #1105832)
* Fix CVE-2025-55131:
A flaw in Node.js's buffer allocation logic can expose uninitialized
memory when allocations are interrupted, when using the `vm` module
with the timeout option. Under specific timing conditions, buffers
allocated with `Buffer.alloc` and other `TypedArray` instances like
`Uint8Array` may contain leftover data from previous operations,
allowing in-process secrets like tokens or passwords to leak or
causing data corruption. While exploitation typically requires precise
timing or in-process code execution, it can become remotely
exploitable when untrusted input influences workload and timeouts,
leading to potential confidentiality and integrity impact.
* Fix CVE-2025-59465:
A malformed `HTTP/2 HEADERS` frame with oversized, invalid
`HPACK` data can cause Node.js to crash by triggering an
unhandled `TLSSocket` error `ECONNRESET`. Instead of safely
closing the connection, the process crashes, enabling a remote
denial of service. This primarily affects applications that
do not attach explicit error handlers to secure sockets,
for example:
```
server.on('secureConnection', socket => {
  socket.on('error', err => { console.log(err) })
})
```
* Fix CVE-2025-59466:
async_hooks would cause stack overflow
exceptions to exit with code 7 (kExceptionInFatalExceptionHandler)
instead of being catchable.
When a stack overflow exception occurs during async_hooks callbacks
(which use TryCatchScope::kFatal), detect the specific "Maximum call
stack size exceeded" RangeError and re-throw it instead of immediately
calling FatalException. This allows user code to catch the exception
with try-catch blocks instead of requiring uncaughtException handlers.
* Fix CVE-2025-23166:
A flaw in Node.js TLS error handling allows remote attackers to crash
or exhaust resources of a TLS server when `pskCallback` or
`ALPNCallback` are in use. Synchronous exceptions thrown during these
callbacks bypass standard TLS error handling paths (tlsClientError and
error), causing either immediate process termination or silent file
descriptor leaks that eventually lead to denial of service. Because
these callbacks process attacker-controlled input during the TLS
handshake, a remote client can repeatedly trigger the issue. This
vulnerability affects TLS servers using PSK or ALPN callbacks across.
* Fix CVE-2026-21710:
A flaw in Node.js HTTP request handling causes an uncaught `TypeError`
when a request is received with a header named `__proto__` and the
application accesses `req.headersDistinct`. When this occurs,
`dest["__proto__"]` resolves to `Object.prototype` rather than
`undefined`, causing `.push()` to be called on a non-array. This
exception is thrown synchronously inside a property getter and cannot
be intercepted by `error` event listeners, meaning it cannot be
handled without wrapping every `req.headersDistinct` access in a
`try/catch`.
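To make the `__proto__` failure mode concrete, here is an added example (written for this entry, not the Node.js source) that reproduces the bug class in a small header-grouping function and shows two defences: grouping into a null-prototype object, and a fallback accessor for code that must run on an unpatched runtime. The `groupHeadersUnsafe`, `groupHeadersSafe` and `headersDistinctOrFallback` names and the sample header list are constructed for the example.

```javascript
// Pattern at the root of the bug: a plain object used as a dictionary keyed by
// untrusted header names. For the name "__proto__", dest[name] resolves to
// Object.prototype instead of undefined, so no array is created and .push() is
// called on a non-array, throwing a TypeError.
function groupHeadersUnsafe(rawHeaders) {
  const dest = {};
  for (let i = 0; i < rawHeaders.length; i += 2) {
    const name = rawHeaders[i].toLowerCase();
    const value = rawHeaders[i + 1];
    if (dest[name] === undefined) dest[name] = [];
    dest[name].push(value);
  }
  return dest;
}

// Hardened grouping: a null-prototype object has no inherited "__proto__"
// accessor, so every header name, "__proto__" included, is an ordinary own
// key. Object.hasOwn is available from Node 16.9.
function groupHeadersSafe(rawHeaders) {
  const dest = Object.create(null);
  for (let i = 0; i < rawHeaders.length; i += 2) {
    const name = rawHeaders[i].toLowerCase();
    const value = rawHeaders[i + 1];
    if (!Object.hasOwn(dest, name)) dest[name] = [];
    dest[name].push(value);
  }
  return dest;
}

// Defensive access for an unpatched runtime: the getter throws synchronously,
// so the only place it can be caught is around the property access itself.
// On TypeError, rebuild the grouping from req.rawHeaders with the safe version.
function headersDistinctOrFallback(req) {
  try {
    return req.headersDistinct;
  } catch (err) {
    if (err instanceof TypeError) return groupHeadersSafe(req.rawHeaders);
    throw err;
  }
}

// Constructed request headers, in the name/value alternation of req.rawHeaders.
const SAMPLE_RAW_HEADERS = [
  'Accept', 'text/html',
  'accept', 'application/json',
  '__proto__', 'polluted',
  'X-Trace', 'abc123',
];

// Minimal stand-in for an IncomingMessage whose headersDistinct getter uses the
// unsafe grouping, i.e. the behaviour of an unpatched runtime.
function makeFakeRequest(rawHeaders) {
  return {
    rawHeaders,
    get headersDistinct() { return groupHeadersUnsafe(this.rawHeaders); },
  };
}

module.exports = { groupHeadersUnsafe, groupHeadersSafe, headersDistinctOrFallback, makeFakeRequest, SAMPLE_RAW_HEADERS };
```

The important detail is that the `try/catch` has to surround the property read itself: an `error` listener on the request or socket never sees an exception thrown from a getter.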
* Fix CVE-2026-21713:
A flaw in Node.js HMAC verification uses a non-constant-time
comparison when validating user-provided signatures, potentially
leaking timing information proportional to the number of matching
bytes. Under certain threat models where high-resolution timing
measurements are possible, this behavior could be exploited as a
timing oracle to infer HMAC values. Node.js already provides
timing-safe comparison primitives used elsewhere in the codebase,
indicating this is an oversight rather than an intentional design
decision.
* Fix CVE-2026-21714:
A memory leak occurs in Node.js HTTP/2 servers when a client sends
WINDOW_UPDATE frames on stream 0 (connection-level) that cause the
flow control window to exceed the maximum value of 2³¹-1. The server
correctly sends a GOAWAY frame, but the Http2Session object is never
cleaned up.
[dgit import unpatched nodejs 18.20.4+dfsg-1~deb12u2]