[Pkg-javascript-devel] Bug#1105832: nodejs: CVE-2025-23165 CVE-2025-23166 CVE-2025-23167
Jérémy Lal
kapouer at melix.org
Thu May 15 21:50:34 BST 2025
On Thu, 15 May 2025 at 21:51, Salvatore Bonaccorso <carnil at debian.org> wrote:
> Source: nodejs
> Version: 20.19.0+dfsg1-1
> Severity: grave
> Tags: security upstream
> X-Debbugs-Cc: carnil at debian.org, Debian Security Team <
> team at security.debian.org>
>
> Hi,
>
> The following vulnerabilities were published for nodejs.
>
> CVE-2025-23165[0]:
> | Corrupted pointer in node::fs::ReadFileUtf8(const
> | FunctionCallbackInfo<Value>& args) when args[0] is a string
>
>
> CVE-2025-23166[1]:
> | Improper error handling in async cryptographic operations
> | crashes process
>
>
> CVE-2025-23167[2]:
> | Improper HTTP header block termination in llhttp
>
As I read it, it seemed that this affects only llhttp - which is
distributed by node-undici right now?
Also https://nodejs.org/en/blog/release/v20.19.2/ mentions
CVE-2024-27982 http: do not allow OBS fold in headers by default
Jérémy
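The v20.19.2 changelog line quoted above refers to "obs-fold", the obsolete line folding from RFC 7230 §3.2.4: a header field value continued on the next line by a leading SP or HTAB. The following is an added example, not code from the bug report, from Node.js or from llhttp: a minimal HTTP/1.1 header-block parser that shows what a folded header looks like and contrasts a strict parser, which answers 400 as the RFC permits, with a lenient one that unfolds the continuation into the previous field value. The function `parseHeaderBlock`, its `allowObsFold` option and the sample requests are all this example's own assumptions; it does not reproduce any of the listed CVEs.

```javascript
'use strict';

// Added example, not Node.js or llhttp code. Strict parsing of an HTTP/1.1
// header block per RFC 7230: CRLF line endings, CRLF CRLF termination,
// field-name must be a token, no obs-fold unless the caller opts in.
const CRLF = '\r\n';
// RFC 7230 "tchar": the characters allowed in a field-name.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Parses request-line + headers. Returns { ok: true, requestLine, headers,
// bodyOffset } on success, or { ok: false, status: 400, reason } when the
// block is malformed. `allowObsFold` is this example's own knob (assumption),
// modelled on the lenient behaviour the changelog line says is now off by default.
function parseHeaderBlock(raw, { allowObsFold = false } = {}) {
  const end = raw.indexOf(CRLF + CRLF);
  if (end === -1) {
    return { ok: false, status: 400, reason: 'header block not terminated by CRLF CRLF' };
  }
  const lines = raw.slice(0, end).split(CRLF);
  const requestLine = lines.shift();
  const headers = [];
  for (const line of lines) {
    // A lone CR or LF inside a "line" means the client used a bare line
    // terminator; a lenient parser might treat it as a line break, so reject.
    if (line.includes('\r') || line.includes('\n')) {
      return { ok: false, status: 400, reason: 'bare CR or LF inside header line' };
    }
    if (line.startsWith(' ') || line.startsWith('\t')) {
      // obs-fold: continuation of the previous field's value.
      if (!allowObsFold || headers.length === 0) {
        return { ok: false, status: 400, reason: 'obs-fold in header field' };
      }
      // Lenient behaviour: replace the fold with a single SP (RFC 7230 §3.2.4).
      headers[headers.length - 1][1] += ' ' + line.trim();
      continue;
    }
    const colon = line.indexOf(':');
    if (colon <= 0) {
      return { ok: false, status: 400, reason: 'header line without field-name' };
    }
    const name = line.slice(0, colon);
    if (!TOKEN.test(name)) {
      // Catches whitespace before the colon and other non-token characters.
      return { ok: false, status: 400, reason: 'invalid field-name' };
    }
    headers.push([name.toLowerCase(), line.slice(colon + 1).trim()]);
  }
  return { ok: true, requestLine, headers, bodyOffset: end + 4 };
}

// Constructed sample request: the "X-Note" value is folded onto a second line.
const FOLDED_REQUEST =
  'GET / HTTP/1.1' + CRLF +
  'Host: example.test' + CRLF +
  'X-Note: first' + CRLF +
  ' second' + CRLF +
  'Content-Length: 0' + CRLF + CRLF;

// Constructed sample: header block never terminated (no empty line).
const UNTERMINATED_REQUEST = 'GET / HTTP/1.1' + CRLF + 'Host: example.test' + CRLF;

function demo() {
  const strict = parseHeaderBlock(FOLDED_REQUEST);
  const lenient = parseHeaderBlock(FOLDED_REQUEST, { allowObsFold: true });
  console.log('strict  :', strict.ok ? 'accepted' : `rejected (${strict.reason})`);
  console.log('lenient :', lenient.ok ? JSON.stringify(lenient.headers) : lenient.reason);
  const cut = parseHeaderBlock(UNTERMINATED_REQUEST);
  console.log('unterminated:', cut.ok ? 'accepted' : `rejected (${cut.reason})`);
  return { strict, lenient, cut };
}

demo();
```

Running the block prints that the strict parser rejects the folded request with 400 while the lenient one yields `x-note: "first second"`; the unterminated request is rejected in both modes because the block never ends with an empty line.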