CVE-2025-23083: With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created. This is not limited to workers but also exposes internal workers, where an instance of them can be fetched and its constructor grabbed and reinstated for malicious usage.

CVE-2025-23085: A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could lead to increased memory consumption and potential denial of service under certain conditions.

The above is fixed in: 18.20.6, 20.18.2, and 22.13.1.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f25884d385a6cd133541fc01d14cff9ec333eb3a

commit f25884d385a6cd133541fc01d14cff9ec333eb3a
Author: William Hubbs <williamh@gentoo.org>
AuthorDate: 2025-01-23 20:31:08 +0000
Commit: William Hubbs <williamh@gentoo.org>
CommitDate: 2025-01-23 20:43:05 +0000

net-libs/nodejs: add 18.20.6, 20.18.2, 22.13.1

Bug: https://bugs.gentoo.org/948514
Signed-off-by: William Hubbs <williamh@gentoo.org>

 net-libs/nodejs/Manifest              |   3 +
 net-libs/nodejs/nodejs-18.20.6.ebuild | 258 +++++++++++++++++++++++++++++
 net-libs/nodejs/nodejs-20.18.2.ebuild | 273 +++++++++++++++++++++++++++++++
 net-libs/nodejs/nodejs-22.13.1.ebuild | 297 ++++++++++++++++++++++++++++++++++
 4 files changed, 831 insertions(+)
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/data/glsa.git/commit/?id=848089a10306fdc69ec5660f63680cda68843449

commit 848089a10306fdc69ec5660f63680cda68843449
Author: GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2025-06-12 08:55:53 +0000
Commit: Hans de Graaff <graaff@gentoo.org>
CommitDate: 2025-06-12 08:56:26 +0000

[ GLSA 202506-08 ] Node.js: Multiple Vulnerabilities

Bug: https://bugs.gentoo.org/948514
Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202506-08.xml | 43 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)