-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Mon, 06 Apr 2026 16:18:52 +0200 Source: nodejs Binary: libnode-dev libnode108 libnode108-dbgsym nodejs nodejs-dbgsym Architecture: i386 Version: 18.20.4+dfsg-1~deb12u2 Distribution: bookworm-security Urgency: medium Maintainer: i386 Build Daemon (x86-grnet-01) Changed-By: Bastien Roucariès Description: libnode-dev - evented I/O for V8 javascript (development files) libnode108 - evented I/O for V8 javascript - runtime library nodejs - evented I/O for V8 javascript - runtime executable Closes: 1094134 1105832 Changes: nodejs (18.20.4+dfsg-1~deb12u2) bookworm-security; urgency=medium . * Team upload * Fix CVE-2025-23085: A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could lead to increased memory consumption and potential denial of service under certain conditions (Closes: #1094134) * Fix CVE-2025-23166: The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentially allows an adversary to remotely crash a Node.js runtime. (Closes: #1105832) * Fix CVE-2025-55131: A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption. While exploitation typically requires precise timing or in-process code execution, it can become remotely exploitable when untrusted input influences workload and timeouts, leading to potential confidentiality and integrity impact. * Fix CVE-2025-59465: A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets, for example: ``` server.on('secureConnection', socket => { socket.on('error', err => { console.log(err) }) }) ``` * Fix CVE-2025-59466: async_hooks would cause stack overflow exceptions to exit with code 7 (kExceptionInFatalExceptionHandler) instead of being catchable. When a stack overflow exception occurs during async_hooks callbacks (which use TryCatchScope::kFatal), detect the specific "Maximum call stack size exceeded" RangeError and re-throw it instead of immediately calling FatalException. This allows user code to catch the exception with try-catch blocks instead of requiring uncaughtException handlers. * Fix CVE-2025-23166: A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across. * Fix CVE-2026-21710: A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`. When this occurs, `dest["__proto__"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by `error` event listeners, meaning it cannot be handled without wrapping every `req.headersDistinct` access in a `try/catch` * Fix CVE-2026-21713: A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possible, this behavior could be exploited as a timing oracle to infer HMAC values. Node.js already provides timing-safe comparison primitives used elsewhere in the codebase, indicating this is an oversight rather than an intentional design decision. * Fix CVE-2026-21714: A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2³¹-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up. Checksums-Sha1: 1598008766fe48c412bfd866987cb3f04bc1ea62 513460 libnode-dev_18.20.4+dfsg-1~deb12u2_i386.deb a41e311f8409772d0f25b0a5bd36bb3f63db6eeb 34221640 libnode108-dbgsym_18.20.4+dfsg-1~deb12u2_i386.deb 44909d0cbe3a271dd231278f18a64d318621f953 10672916 libnode108_18.20.4+dfsg-1~deb12u2_i386.deb 49feb59bf30557b25dce341258e3eac6d51c860a 2964 nodejs-dbgsym_18.20.4+dfsg-1~deb12u2_i386.deb 1a402c214749db0e6f0438782005bc0dd3a5ddd8 11072 nodejs_18.20.4+dfsg-1~deb12u2_i386-buildd.buildinfo 6912e644c8a14eb32b1ae210d0a749142f30e47c 321228 nodejs_18.20.4+dfsg-1~deb12u2_i386.deb Checksums-Sha256: 3c60cb18bf5d119e3ad274ed7185717b74b814d99ddfbdf012be62e5c2eadcc3 513460 libnode-dev_18.20.4+dfsg-1~deb12u2_i386.deb 09413f1e5d121aeda84681e5fcd057ffc016b194b0cbf8c6890fdad7e7ec34da 34221640 libnode108-dbgsym_18.20.4+dfsg-1~deb12u2_i386.deb 8e9b06171eebf6f01549d59d82addb871340d0492daf4ae96a0e4473a581efd7 10672916 libnode108_18.20.4+dfsg-1~deb12u2_i386.deb d538651ae7df0523fba080bd7929f120e51ba58e49945e686f5db956ccf384da 2964 nodejs-dbgsym_18.20.4+dfsg-1~deb12u2_i386.deb 6090e1f034371f5c57dbde0097c73c61f99b983a85fa4dfbfc016cbede650f51 11072 nodejs_18.20.4+dfsg-1~deb12u2_i386-buildd.buildinfo f7b6dc1fd554ad9c7d447ee311893f1dc1c0abdcf6e7637eedd393783bf452d8 321228 nodejs_18.20.4+dfsg-1~deb12u2_i386.deb Files: 5d0edfad8af3e9b1ce48ac07d08be371 513460 libdevel optional libnode-dev_18.20.4+dfsg-1~deb12u2_i386.deb 47942c84bc171fbc8b676cebf2734c64 34221640 debug optional libnode108-dbgsym_18.20.4+dfsg-1~deb12u2_i386.deb 31aa40939a874cd118b61c6727dccaba 10672916 libs optional libnode108_18.20.4+dfsg-1~deb12u2_i386.deb 62501e8e740894a5dea1b11d2c63e664 2964 debug optional nodejs-dbgsym_18.20.4+dfsg-1~deb12u2_i386.deb 035f8aae1e481efecd9cf8865c162aa1 11072 javascript optional nodejs_18.20.4+dfsg-1~deb12u2_i386-buildd.buildinfo a369fed4386c377136cb8ea3abe3f7b4 321228 javascript optional nodejs_18.20.4+dfsg-1~deb12u2_i386.deb -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEPAUaMA0H0rOy6qBWf2INRiCdaWIFAmoA2E4ACgkQf2INRiCd aWJwtw/+KNOXadxzvyHf/yVV6hQ/Kp7DnRTRzfbgRzQNAna2RecLSHDuK70fdjep ZWSUCBYvDN78WL4XgktIRCQS9lJT3qcJjwwofqLYYL1SeLOPAsMdUGTZFs+hVbgA XKECawEJzURzihhMIAHxM0VOWjHxkRPz4cZsmUoYfSn/cMfGHOjk0vOuRi3lngx3 w1AxhvntOxrN+RxnC20VOmt6h6sNEiZU5uS2niz7BAfTWbHAymJxBfDsPXWkf4h6 K7hEXdOo5flHBVmlWE6Z4FQyGf3H4DBLp9i5ZTBxj6BHkl+6GOaiN5N2ZcTOfJjI JYvyQAXH3kZqp+Bt14p1JVZ0FRC0svcN/H1viAdSoLFogmtzKC57LApSuPjgY7zX 6h7Qckjg33eyaJ3Kv3PHuOJ4dWa/QQZEUrZUIDdlIEc3+enJzB4AQLr+9KkoopKi l4ycvFMi7BWBC5D+EF9zxkE1wHPYlKrpU9bcr7kIxxNQPaqA6EKFOVz8nwRxl+0u tNB6eS6Epjwhk5R+WqMMI5vWCVIq6gy2jKqxYdm7nOKUbrGHA1HYjcrpppmNQhNM x/SQP5C7KBJPBMr7Ucx+R8KlAN6Fpe73S/eluhVhxlUzRuFO5iedQauoTUBtnOAH Pi2JhfO+ZBtwaOZCAmvoEfLB1jx7uJ6vH+8L7tRehw6RsVAHnc0= =+pQ+ -----END PGP SIGNATURE-----