[Pkg-javascript-devel] Bug#1105832: nodejs: CVE-2025-23165 CVE-2025-23166 CVE-2025-23167
Salvatore Bonaccorso
carnil at debian.org
Thu May 15 20:47:53 BST 2025
Source: nodejs
Version: 20.19.0+dfsg1-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,
The following vulnerabilities were published for nodejs.
CVE-2025-23165[0]:
| Corrupted pointer in node::fs::ReadFileUtf8(const
| FunctionCallbackInfo<Value>& args) when args[0] is a string
CVE-2025-23166[1]:
| Improper error handling in async cryptographic operations
| crashes process
CVE-2025-23167[2]:
| Improper HTTP header block termination in llhttp
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-23165
https://www.cve.org/CVERecord?id=CVE-2025-23165
https://nodejs.org/en/blog/vulnerability/may-2025-security-releases#corrupted-pointer-in-nodefsreadfileutf8const-functioncallbackinfovalue-args-when-args0-is-a-string-cve-2025-23165---low
[1] https://security-tracker.debian.org/tracker/CVE-2025-23166
https://www.cve.org/CVERecord?id=CVE-2025-23166
https://nodejs.org/en/blog/vulnerability/may-2025-security-releases#improper-error-handling-in-async-cryptographic-operations-crashes-process-cve-2025-23166---high
[2] https://security-tracker.debian.org/tracker/CVE-2025-23167
https://www.cve.org/CVERecord?id=CVE-2025-23167
https://nodejs.org/en/blog/vulnerability/may-2025-security-releases#improper-http-header-block-termination-in-llhttp-cve-2025-23167---medium
Regards,
Salvatore