[Pkg-javascript-devel] Bug#1094134: nodejs: CVE-2025-23083 CVE-2025-23085
Salvatore Bonaccorso
carnil at debian.org
Fri Jan 24 21:21:37 GMT 2025
Source: nodejs
Version: 20.18.1+dfsg-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,
The following vulnerabilities were published for nodejs.
CVE-2025-23083[0]:
| With the aid of the diagnostics_channel utility, an event can be
| hooked into whenever a worker thread is created. This is not limited
| only to workers but also exposes internal workers, where an instance
| of them can be fetched, and its constructor can be grabbed and
| reinstated for malicious usage. This vulnerability affects
| Permission Model users (--permission) on Node.js v20, v22, and v23.
CVE-2025-23085[1]:
| GOAWAY HTTP/2 frames cause memory leak outside heap
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-23083
https://www.cve.org/CVERecord?id=CVE-2025-23083
[1] https://security-tracker.debian.org/tracker/CVE-2025-23085
https://www.cve.org/CVERecord?id=CVE-2025-23085
[2] https://nodejs.org/en/blog/vulnerability/january-2025-security-releases
Regards,
Salvatore