
Bug 948514 (CVE-2025-23083, CVE-2025-23085)

Summary: <net-libs/nodejs-{18.20.6,20.18.2,22.13.1}: multiple vulnerabilities
Product: Gentoo Security Reporter: Christopher Fore <csfore>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: CONFIRMED ---    
Severity: normal CC: williamh
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://nodejs.org/en/blog/vulnerability/january-2025-security-releases
Whiteboard: A2 [stable]
Package list:
Runtime testing required: ---
Bug Depends on: 948630, 948622, 948629, 948631    
Bug Blocks:    

Description Christopher Fore 2025-01-21 21:15:14 UTC
CVE-2025-23083:

With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created. This is not limited only to workers but also exposes internal workers, where an instance of them can be fetched, and its constructor can be grabbed and reinstated for malicious usage.
CVE-2025-23085:

A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could lead to increased memory consumption and potential denial of service under certain conditions.
The above is fixed in: 18.20.6, 20.18.2, and 22.13.1.
Comment 1 Larry the Git Cow gentoo-dev 2025-01-23 20:43:56 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f25884d385a6cd133541fc01d14cff9ec333eb3a

commit f25884d385a6cd133541fc01d14cff9ec333eb3a
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2025-01-23 20:31:08 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2025-01-23 20:43:05 +0000

    net-libs/nodejs: add 18.20.6, 20.18.2, 22.13.1
    
    Bug: https://bugs.gentoo.org/948514
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 net-libs/nodejs/Manifest              |   3 +
 net-libs/nodejs/nodejs-18.20.6.ebuild | 258 +++++++++++++++++++++++++++++
 net-libs/nodejs/nodejs-20.18.2.ebuild | 273 +++++++++++++++++++++++++++++++
 net-libs/nodejs/nodejs-22.13.1.ebuild | 297 ++++++++++++++++++++++++++++++++++
 4 files changed, 831 insertions(+)