1. Forum
  2. Usenet
  3. LINUX.DEBIAN.BUGS.RC

  • Bug#1105832: nodejs: CVE-2025-23165 CVE-2025-23166 CVE-2025-23167

    From =?UTF-8?B?SsOpcsOpbXkgTGFs?=@21:1/5 to All on Thu May 15 23:00:02 2025
    Le jeu. 15 mai 2025 à 21:51, Salvatore Bonaccorso <carnil@debian.org> a
    écrit :

    Source: nodejs
    Version: 20.19.0+dfsg1-1
    Severity: grave
    Tags: security upstream
    X-Debbugs-Cc: carnil@debian.org, Debian Security Team < team@security.debian.org>

    Hi,

    The following vulnerabilities were published for nodejs.

    CVE-2025-23165[0]:
    | Corrupted pointer in node::fs::ReadFileUtf8(const
    | FunctionCallbackInfo<Value>& args) when args[0] is a string


    CVE-2025-23166[1]:
    | Improper error handling in async cryptographic operations
    | crashes process


    CVE-2025-23167[2]:
    | Improper HTTP header block termination in llhttp


    As I read it, it seemed that this affects only llhttp - which is
    distributed by node-undici right now ?

    Also https://nodejs.org/en/blog/release/v20.19.2/
    mentions
    CVE-2024-27982 http: do not allow OBS fold in headers by default

    Jérémy

    <div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote gmail_quote_container"><div dir="ltr" class="gmail_attr">Le jeu. 15 mai 2025 à 21:51, Salvatore Bonaccorso &lt;<a href="mailto:carnil@debian.org">carnil@debian.org</a>&gt; a écrit :<
    </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Source: nodejs<br>
    Version: 20.19.0+dfsg1-1<br>
    Severity: grave<br>
    Tags: security upstream<br>
    X-Debbugs-Cc: <a href="mailto:carnil@debian.org" target="_blank">carnil@debian.org</a>, Debian Security Team &lt;<a href="mailto:team@security.debian.org" target="_blank">team@security.debian.org</a>&gt;<br>

    Hi,<br>

    The following vulnerabilities were published for nodejs.<br>

    CVE-2025-23165[0]:<br>
    | Corrupted pointer in node::fs::ReadFileUtf8(const<br>
    | FunctionCallbackInfo&lt;Value&gt;&amp; args) when args[0] is a string<br>


    CVE-2025-23166[1]:<br>
    | Improper error handling in async cryptographic operations<br>
    | crashes process<br>


    CVE-2025-23167[2]:<br>
    | Improper HTTP header block termination in llhttp<br></blockquote><div><br></div><div>As I read it, it seemed that this affects only llhttp - which is distributed by node-undici right now ?</div><div><br></div><div>Also <a href="https://nodejs.org/en/
    blog/release/v20.19.2/">https://nodejs.org/en/blog/release/v20.19.2/</a></div><div>mentions </div><div>CVE-2024-27982 http: do not allow OBS fold in headers by default</div><div><br></div><div>Jérémy</div></div></div>

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Salvatore Bonaccorso@21:1/5 to All on Fri May 16 08:30:02 2025
    Control: retitle -1 CVE-2025-23165 CVE-2025-23166

    On Thu, May 15, 2025 at 10:50:34PM +0200, Jérémy Lal wrote:
    Le jeu. 15 mai 2025 à 21:51, Salvatore Bonaccorso <carnil@debian.org> a
    écrit :

    Source: nodejs
    Version: 20.19.0+dfsg1-1
    Severity: grave
    Tags: security upstream
    X-Debbugs-Cc: carnil@debian.org, Debian Security Team < team@security.debian.org>

    Hi,

    The following vulnerabilities were published for nodejs.

    CVE-2025-23165[0]:
    | Corrupted pointer in node::fs::ReadFileUtf8(const
    | FunctionCallbackInfo<Value>& args) when args[0] is a string


    CVE-2025-23166[1]:
    | Improper error handling in async cryptographic operations
    | crashes process


    CVE-2025-23167[2]:
    | Improper HTTP header block termination in llhttp


    As I read it, it seemed that this affects only llhttp - which is
    distributed by node-undici right now ?

    Let's track this bug only for CVE-2025-23165 CVE-2025-23166, adjusting
    the metadata. I have not checked node-undiici.

    Regards,
    Salvatore

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)