-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 06 Apr 2026 16:18:52 +0200
Source: nodejs
Binary: nodejs-doc
Architecture: all
Version: 18.20.4+dfsg-1~deb12u2
Distribution: bookworm-security
Urgency: medium
Maintainer: all / amd64 / i386 Build Daemon (x86-grnet-03) <buildd_amd64-x86-grnet-03@buildd.debian.org>
Changed-By: Bastien Roucariès <rouca@debian.org>
Description:
 nodejs-doc - API documentation for Node.js, the javascript platform
Closes: 1094134 1105832
Changes:
 nodejs (18.20.4+dfsg-1~deb12u2) bookworm-security; urgency=medium
 .
   * Team upload
   * Fix CVE-2025-23085:
     A memory leak could occur when a remote peer abruptly closes
     the socket without sending a GOAWAY notification. Additionally,
     if an invalid header was detected by nghttp2, causing the
     connection to be terminated by the peer, the same leak was
     triggered. This flaw could lead to increased memory consumption
     and potential denial of service under certain conditions.
     (Closes: #1094134)
   * Fix CVE-2025-23166:
     The C++ method SignTraits::DeriveBits() may incorrectly call
     ThrowException() based on user-supplied inputs when executing
     in a background thread, crashing the Node.js process.
     Such cryptographic operations are commonly applied to
     untrusted inputs. Thus, this mechanism potentially allows
     an adversary to remotely crash a Node.js runtime.
     (Closes: #1105832)
   * Fix CVE-2025-55131:
     A flaw in Node.js's buffer allocation logic can expose uninitialized
     memory when allocations are interrupted, when using the `vm` module
     with the timeout option. Under specific timing conditions, buffers
     allocated with `Buffer.alloc` and other `TypedArray` instances like
     `Uint8Array` may contain leftover data from previous operations,
     allowing in-process secrets like tokens or passwords to leak or
     causing data corruption. While exploitation typically requires precise
     timing or in-process code execution, it can become remotely
     exploitable when untrusted input influences workload and timeouts,
     leading to potential confidentiality and integrity impact.
   * Fix CVE-2025-59465:
     A malformed `HTTP/2 HEADERS` frame with oversized, invalid
     `HPACK` data can cause Node.js to crash by triggering an
     unhandled `TLSSocket` error `ECONNRESET`. Instead of safely
     closing the connection, the process crashes, enabling a remote
     denial of service. This primarily affects applications that
     do not attach explicit error handlers to secure sockets,
     for example:
       server.on('secureConnection', socket => {
         socket.on('error', err => { console.log(err) })
       })
   * Fix CVE-2025-59466:
     async_hooks would cause stack overflow
     exceptions to exit with code 7 (kExceptionInFatalExceptionHandler)
     instead of being catchable.
     When a stack overflow exception occurs during async_hooks callbacks
     (which use TryCatchScope::kFatal), detect the specific "Maximum call
     stack size exceeded" RangeError and re-throw it instead of immediately
     calling FatalException. This allows user code to catch the exception
     with try-catch blocks instead of requiring uncaughtException handlers.
   * Fix CVE-2025-23166:
     A flaw in Node.js TLS error handling allows remote attackers to crash
     or exhaust resources of a TLS server when `pskCallback` or
     `ALPNCallback` are in use. Synchronous exceptions thrown during these
     callbacks bypass standard TLS error handling paths (tlsClientError and
     error), causing either immediate process termination or silent file
     descriptor leaks that eventually lead to denial of service. Because
     these callbacks process attacker-controlled input during the TLS
     handshake, a remote client can repeatedly trigger the issue. This
     vulnerability affects TLS servers using PSK or ALPN callbacks across.
   * Fix CVE-2026-21710:
     A flaw in Node.js HTTP request handling causes an uncaught `TypeError`
     when a request is received with a header named `__proto__` and the
     application accesses `req.headersDistinct`. When this occurs,
     `dest["__proto__"]` resolves to `Object.prototype` rather than
     `undefined`, causing `.push()` to be called on a non-array. This
     exception is thrown synchronously inside a property getter and cannot
     be intercepted by `error` event listeners, meaning it cannot be
     handled without wrapping every `req.headersDistinct` access in a
     `try/catch`.
   * Fix CVE-2026-21713:
     A flaw in Node.js HMAC verification uses a non-constant-time
     comparison when validating user-provided signatures, potentially
     leaking timing information proportional to the number of matching
     bytes. Under certain threat models where high-resolution timing
     measurements are possible, this behavior could be exploited as a
     timing oracle to infer HMAC values. Node.js already provides
     timing-safe comparison primitives used elsewhere in the codebase,
     indicating this is an oversight rather than an intentional design
     decision.
   * Fix CVE-2026-21714:
     A memory leak occurs in Node.js HTTP/2 servers when a client sends
     WINDOW_UPDATE frames on stream 0 (connection-level) that cause the
     flow control window to exceed the maximum value of 2³¹-1. The server
     correctly sends a GOAWAY frame, but the Http2Session object is never
     cleaned up.
Checksums-Sha1:
 9e9fac5d816690c4791301b0740438b2a536400d 3580900 nodejs-doc_18.20.4+dfsg-1~deb12u2_all.deb
 97dca150e5f63ef9bb1e7b9fc715be405ca91870 10093 nodejs_18.20.4+dfsg-1~deb12u2_all-buildd.buildinfo
Checksums-Sha256:
 9f674d3536be94923bb8720c48ec17bc92b8de62f2954c3172b59a3ada1de65f 3580900 nodejs-doc_18.20.4+dfsg-1~deb12u2_all.deb
 cfcdb78e2384420743afc2bb9f572185c40b336ab67ad81c3006ca1ea9e793b9 10093 nodejs_18.20.4+dfsg-1~deb12u2_all-buildd.buildinfo
Files:
 58e5f04bb7c9c317b02818a504f3acf1 3580900 doc optional nodejs-doc_18.20.4+dfsg-1~deb12u2_all.deb
 73643a32b4134cab42e011ad05dee167 10093 javascript optional nodejs_18.20.4+dfsg-1~deb12u2_all-buildd.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
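
The `__proto__` lookup described in the CVE-2026-21710 entry, as an added example that is not part of this changelog and not Node.js source code: a simplified model of grouping header values into arrays, run once with a plain object as the destination and once with a null-prototype object. The function `collectDistinct`, its `dest` parameter and the sample headers are hypothetical, and the null-prototype destination is shown as one common hardening, not as a statement of how the upstream fix is written.

```javascript
// Simplified model of grouping repeated header values into arrays.
// Hypothetical helper, not taken from Node.js.
function collectDistinct(rawHeaders, dest) {
  for (let i = 0; i + 1 < rawHeaders.length; i += 2) {
    const name = rawHeaders[i].toLowerCase();
    const value = rawHeaders[i + 1];
    // On a plain object this lookup also consults Object.prototype.
    const existing = dest[name];
    if (existing === undefined) {
      dest[name] = [value];
    } else {
      // For name === '__proto__' on a plain object, `existing` is
      // Object.prototype, which has no push(): TypeError.
      existing.push(value);
    }
  }
  return dest;
}

// Constructed sample in the flat [name, value, ...] layout of req.rawHeaders.
const SAMPLE_RAW_HEADERS = [
  'Host', 'example.test',
  'Accept', 'text/html',
  'Accept', 'application/json',
  '__proto__', 'x',
];

// Plain-object destination: reproduces the synchronous TypeError.
function tryPlainObject() {
  try {
    collectDistinct(SAMPLE_RAW_HEADERS, {});
    return 'ok';
  } catch (err) {
    return err.constructor.name;
  }
}

// Null-prototype destination: '__proto__' is an ordinary own key,
// so the lookup yields undefined and the value is stored like any other.
function tryNullPrototype() {
  return collectDistinct(SAMPLE_RAW_HEADERS, Object.create(null));
}

console.log('plain object      ->', tryPlainObject());
console.log('null-proto object ->', Object.keys(tryNullPrototype()));
```
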
