Bug 948514 (CVE-2025-23083, CVE-2025-23085) - <net-libs/nodejs-{18.20.6,20.18.2,22.13.1}: multiple vulnerabilities
Summary: <net-libs/nodejs-{18.20.6,20.18.2,22.13.1}: multiple vulnerabilities
Status: CONFIRMED
Alias: CVE-2025-23083, CVE-2025-23085
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://nodejs.org/en/blog/vulnerabil...
Whiteboard: A2 [stable]
Keywords:
Depends on: 948630 948631 948622 948629
Blocks:
Reported: 2025-01-21 21:15 UTC by Christopher Fore
Modified: 2025-01-23 22:18 UTC

See Also:
Package list:
Runtime testing required: ---


Description Christopher Fore 2025-01-21 21:15:14 UTC
CVE-2025-23083:

With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created. This is not limited only to workers but also exposes internal workers, where an instance of them can be fetched, and its constructor can be grabbed and reinstated for malicious usage.


CVE-2025-23085:

A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could lead to increased memory consumption and potential denial of service under certain conditions.



The above is fixed in: 18.20.6, 20.18.2, and 22.13.1.
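Added example, not from the bug report, the Gentoo ebuilds or the Node.js project: a small Node.js script that classifies a version string against the fix releases the description names (18.20.6, 20.18.2 and 22.13.1), so an operator can confirm that a running node is on or past the fix for its release line. The function names parseVersion, compareVersions and checkNodeVersion are assumptions of this example; a release line the report does not mention (for instance 23.x) is reported as not covered rather than guessed at.

```javascript
// Added example (not from the bug report or Node.js): classify a Node.js
// version string against the fix releases named in the report above.
// Fix versions per release line, as stated in the bug description.
const FIXED_BY_LINE = {
  18: [18, 20, 6],
  20: [20, 18, 2],
  22: [22, 13, 1],
};

// Parse "v20.18.1" or "20.18.1" into [major, minor, patch]; null if malformed.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Compare two [major, minor, patch] triples: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns { status, fixed }. status is "fixed", "vulnerable",
// "unknown-line" (release line not covered by the report) or "invalid".
// fixed is the fix release for that line ("v20.18.2"), or null.
function checkNodeVersion(v) {
  const parsed = parseVersion(v);
  if (!parsed) return { status: "invalid", fixed: null };
  const fixed = FIXED_BY_LINE[parsed[0]];
  if (!fixed) return { status: "unknown-line", fixed: null };
  const status = compareVersions(parsed, fixed) >= 0 ? "fixed" : "vulnerable";
  return { status, fixed: "v" + fixed.join(".") };
}

// Check the interpreter this script runs under.
console.log(process.version, checkNodeVersion(process.version));
```

Run it with the node binary under test (node check.js); a patch level above the fix release on the same line (for example 18.20.10) is reported as fixed, and a line outside 18/20/22 is reported as not covered by this report rather than as safe.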
Comment 1 Larry the Git Cow gentoo-dev 2025-01-23 20:43:56 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f25884d385a6cd133541fc01d14cff9ec333eb3a

commit f25884d385a6cd133541fc01d14cff9ec333eb3a
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2025-01-23 20:31:08 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2025-01-23 20:43:05 +0000

    net-libs/nodejs: add 18.20.6, 20.18.2, 22.13.1
    
    Bug: https://bugs.gentoo.org/948514
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 net-libs/nodejs/Manifest              |   3 +
 net-libs/nodejs/nodejs-18.20.6.ebuild | 258 +++++++++++++++++++++++++++++
 net-libs/nodejs/nodejs-20.18.2.ebuild | 273 +++++++++++++++++++++++++++++++
 net-libs/nodejs/nodejs-22.13.1.ebuild | 297 ++++++++++++++++++++++++++++++++++
 4 files changed, 831 insertions(+)