Bug#1105832: nodejs: CVE-2025-23165 CVE-2025-23166 CVE-2025-23167

    From Salvatore Bonaccorso@21:1/5 to All on Thu May 15 22:00:01 2025
    Source: nodejs
    Version: 20.19.0+dfsg1-1
    Severity: grave
    Tags: security upstream
    X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

    Hi,

    The following vulnerabilities were published for nodejs.

    CVE-2025-23165[0]:
    | Corrupted pointer in node::fs::ReadFileUtf8(const
    | FunctionCallbackInfo<Value>& args) when args[0] is a string


    CVE-2025-23166[1]:
    | Improper error handling in async cryptographic operations
    | crashes process


    CVE-2025-23167[2]:
    | Improper HTTP header block termination in llhttp


    If you fix the vulnerabilities please also make sure to include the
    CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

    For further information see:

    [0] https://security-tracker.debian.org/tracker/CVE-2025-23165
    https://www.cve.org/CVERecord?id=CVE-2025-23165
    https://nodejs.org/en/blog/vulnerability/may-2025-security-releases#corrupted-pointer-in-nodefsreadfileutf8const-functioncallbackinfovalue-args-when-args0-is-a-string-cve-2025-23165---low
    [1] https://security-tracker.debian.org/tracker/CVE-2025-23166
    https://www.cve.org/CVERecord?id=CVE-2025-23166
    https://nodejs.org/en/blog/vulnerability/may-2025-security-releases#improper-error-handling-in-async-cryptographic-operations-crashes-process-cve-2025-23166---high
    [2] https://security-tracker.debian.org/tracker/CVE-2025-23167
    https://www.cve.org/CVERecord?id=CVE-2025-23167
    https://nodejs.org/en/blog/vulnerability/may-2025-security-releases#improper-http-header-block-termination-in-llhttp-cve-2025-23167---medium

    Regards,
    Salvatore

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
    From Salvatore Bonaccorso@21:1/5 to All on Fri May 16 07:20:01 2025
    Hi Jérémy,

    On Thu, May 15, 2025 at 10:50:34PM +0200, Jérémy Lal wrote:
    > On Thu, 15 May 2025 at 21:51, Salvatore Bonaccorso <carnil@debian.org>
    > wrote:
    >
    > > Source: nodejs
    > > Version: 20.19.0+dfsg1-1
    > > Severity: grave
    > > Tags: security upstream
    > > X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
    > >
    > > Hi,
    > >
    > > The following vulnerabilities were published for nodejs.
    > >
    > > CVE-2025-23165[0]:
    > > | Corrupted pointer in node::fs::ReadFileUtf8(const
    > > | FunctionCallbackInfo<Value>& args) when args[0] is a string
    > >
    > >
    > > CVE-2025-23166[1]:
    > > | Improper error handling in async cryptographic operations
    > > | crashes process
    > >
    > >
    > > CVE-2025-23167[2]:
    > > | Improper HTTP header block termination in llhttp
    > >
    > >
    > As I read it, it seemed that this affects only llhttp - which is
    > distributed by node-undici right now?
    >
    > Also https://nodejs.org/en/blog/release/v20.19.2/
    > mentions
    > CVE-2024-27982 http: do not allow OBS fold in headers by default

    Thanks, will have look on what we need to change for the tracking
    information on security-tracker!

    Regards,
    Salvatore

