CVE-2025-23083: With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created. This is not limited only to workers but also exposes internal workers, where an instance of them can be fetched, and its constructor can be grabbed and reinstated for malicious usage. CVE-2025-23085: A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could lead to increased memory consumption and potential denial of service under certain conditions. The above is fixed in: 18.20.6, 20.18.2, and 22.13.1.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f25884d385a6cd133541fc01d14cff9ec333eb3a commit f25884d385a6cd133541fc01d14cff9ec333eb3a Author: William Hubbs <williamh@gentoo.org> AuthorDate: 2025-01-23 20:31:08 +0000 Commit: William Hubbs <williamh@gentoo.org> CommitDate: 2025-01-23 20:43:05 +0000 net-libs/nodejs: add 18.20.6, 20.18.2, 22.13.1 Bug: https://bugs.gentoo.org/948514 Signed-off-by: William Hubbs <williamh@gentoo.org> net-libs/nodejs/Manifest | 3 + net-libs/nodejs/nodejs-18.20.6.ebuild | 258 +++++++++++++++++++++++++++++ net-libs/nodejs/nodejs-20.18.2.ebuild | 273 +++++++++++++++++++++++++++++++ net-libs/nodejs/nodejs-22.13.1.ebuild | 297 ++++++++++++++++++++++++++++++++++ 4 files changed, 831 insertions(+)