-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 06 Apr 2026 16:18:52 +0200
Source: nodejs
Architecture: source
Version: 18.20.4+dfsg-1~deb12u2
Distribution: bookworm-security
Urgency: medium
Maintainer: Debian Javascript Maintainers
Changed-By: Bastien Roucariès
Closes: 1094134 1105832
Changes:
 nodejs (18.20.4+dfsg-1~deb12u2) bookworm-security; urgency=medium
 .
   * Team upload
   * Fix CVE-2025-23085: A memory leak could occur when a remote peer abruptly
     closes the socket without sending a GOAWAY notification. Additionally, if
     an invalid header was detected by nghttp2, causing the connection to be
     terminated by the peer, the same leak was triggered. This flaw could lead
     to increased memory consumption and potential denial of service under
     certain conditions (Closes: #1094134)
   * Fix CVE-2025-23166: The C++ method SignTraits::DeriveBits() may
     incorrectly call ThrowException() based on user-supplied inputs when
     executing in a background thread, crashing the Node.js process. Such
     cryptographic operations are commonly applied to untrusted inputs. Thus,
     this mechanism potentially allows an adversary to remotely crash a Node.js
     runtime. (Closes: #1105832)
   * Fix CVE-2025-55131: A flaw in Node.js's buffer allocation logic can expose
     uninitialized memory when allocations are interrupted, when using the `vm`
     module with the timeout option. Under specific timing conditions, buffers
     allocated with `Buffer.alloc` and other `TypedArray` instances like
     `Uint8Array` may contain leftover data from previous operations, allowing
     in-process secrets like tokens or passwords to leak or causing data
     corruption. While exploitation typically requires precise timing or
     in-process code execution, it can become remotely exploitable when
     untrusted input influences workload and timeouts, leading to potential
     confidentiality and integrity impact.
   * Fix CVE-2025-59465: A malformed `HTTP/2 HEADERS` frame with oversized,
     invalid `HPACK` data can cause Node.js to crash by triggering an unhandled
     `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection,
     the process crashes, enabling a remote denial of service. This primarily
     affects applications that do not attach explicit error handlers to secure
     sockets, for example:
     ```
     server.on('secureConnection', socket => {
       socket.on('error', err => {
         console.log(err)
       })
     })
     ```
   * Fix CVE-2025-59466: async_hooks would cause stack overflow exceptions to
     exit with code 7 (kExceptionInFatalExceptionHandler) instead of being
     catchable. When a stack overflow exception occurs during async_hooks
     callbacks (which use TryCatchScope::kFatal), detect the specific "Maximum
     call stack size exceeded" RangeError and re-throw it instead of
     immediately calling FatalException. This allows user code to catch the
     exception with try-catch blocks instead of requiring uncaughtException
     handlers.
   * Fix CVE-2025-23166: A flaw in Node.js TLS error handling allows remote
     attackers to crash or exhaust resources of a TLS server when `pskCallback`
     or `ALPNCallback` are in use. Synchronous exceptions thrown during these
     callbacks bypass standard TLS error handling paths (tlsClientError and
     error), causing either immediate process termination or silent file
     descriptor leaks that eventually lead to denial of service. Because these
     callbacks process attacker-controlled input during the TLS handshake, a
     remote client can repeatedly trigger the issue. This vulnerability affects
     TLS servers using PSK or ALPN callbacks across.
   * Fix CVE-2026-21710: A flaw in Node.js HTTP request handling causes an
     uncaught `TypeError` when a request is received with a header named
     `__proto__` and the application accesses `req.headersDistinct`. When this
     occurs, `dest["__proto__"]` resolves to `Object.prototype` rather than
     `undefined`, causing `.push()` to be called on a non-array.
     This exception is thrown synchronously inside a property getter and cannot
     be intercepted by `error` event listeners, meaning it cannot be handled
     without wrapping every `req.headersDistinct` access in a `try/catch`.
   * Fix CVE-2026-21713: A flaw in Node.js HMAC verification uses a
     non-constant-time comparison when validating user-provided signatures,
     potentially leaking timing information proportional to the number of
     matching bytes. Under certain threat models where high-resolution timing
     measurements are possible, this behavior could be exploited as a timing
     oracle to infer HMAC values. Node.js already provides timing-safe
     comparison primitives used elsewhere in the codebase, indicating this is
     an oversight rather than an intentional design decision.
   * Fix CVE-2026-21714: A memory leak occurs in Node.js HTTP/2 servers when a
     client sends WINDOW_UPDATE frames on stream 0 (connection-level) that
     cause the flow control window to exceed the maximum value of 2³¹-1. The
     server correctly sends a GOAWAY frame, but the Http2Session object is
     never cleaned up.
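Added illustration for the CVE-2026-21710 entry above (not part of the Debian changelog or of Node.js itself): a reduced model of the header grouping behind `req.headersDistinct`, showing why a plain object accumulator breaks on a header named `__proto__` and how a null-prototype accumulator avoids it. The header list and function names are constructed for the demo.

```javascript
// Reduced model of the header grouping behind req.headersDistinct; this is an
// added illustration, not Node.js code. The raw header list is constructed.
const rawHeaders = [
  'Host', 'example.invalid',
  'X-Tag', 'a',
  'X-Tag', 'b',
  '__proto__', 'polluted', // the hostile header name described in the advisory
];

// Vulnerable shape: a plain {} inherits the "__proto__" accessor from
// Object.prototype, so dest['__proto__'] is Object.prototype (not undefined)
// and the .push() call lands on a non-array and throws a TypeError.
function groupHeadersPlain(raw) {
  const dest = {};
  for (let i = 0; i < raw.length; i += 2) {
    const name = raw[i].toLowerCase();
    if (dest[name] === undefined) dest[name] = [];
    dest[name].push(raw[i + 1]);
  }
  return dest;
}

// Hardened shape: a null-prototype accumulator has no inherited properties,
// so every header name, "__proto__" included, becomes an own data property.
function groupHeadersSafe(raw) {
  const dest = Object.create(null);
  for (let i = 0; i < raw.length; i += 2) {
    const name = raw[i].toLowerCase();
    if (!Object.hasOwn(dest, name)) dest[name] = [];
    dest[name].push(raw[i + 1]);
  }
  return dest;
}

// Demo helper: the name of the error the plain version throws, or null.
function plainVersionError(raw) {
  try {
    groupHeadersPlain(raw);
    return null;
  } catch (err) {
    return err.name;
  }
}
```

Without the hostile header both versions agree; with it, only the null-prototype version returns a usable map.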
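Added illustration for the CVE-2026-21713 entry above (not part of the Debian changelog or of Node.js itself): an HMAC check over a caller-supplied signature written with `crypto.timingSafeEqual`, the timing-safe primitive the entry says Node.js already ships, next to the naive `===` form. The secret, messages and function names are constructed for the demo.

```javascript
// Added illustration, not Node.js source: verifying a caller-supplied HMAC tag
// with the timing-safe primitive Node.js already provides. SECRET and the
// messages are constructed demo values.
const { createHmac, timingSafeEqual } = require('crypto');

const SECRET = 'demo-secret-not-for-real-use';

function hmacHex(secret, message) {
  return createHmac('sha256', secret).update(message).digest('hex');
}

// Weak check: === returns at the first mismatching character, so the time it
// takes grows with the length of the matching prefix (the oracle the advisory
// describes). It is functionally correct, which is why it slips past review.
function verifyNaive(secret, message, providedHex) {
  return hmacHex(secret, message) === providedHex;
}

// Hardened check: decode the caller's value, reject on length mismatch first
// (timingSafeEqual throws on unequal lengths), then compare every byte.
function verifyTimingSafe(secret, message, providedHex) {
  if (typeof providedHex !== 'string') return false;
  const expected = Buffer.from(hmacHex(secret, message), 'hex');
  // Buffer.from(..., 'hex') stops at the first non-hex character, so
  // malformed input simply ends up the wrong length and is rejected.
  const provided = Buffer.from(providedHex, 'hex');
  if (provided.length !== expected.length) return false;
  return timingSafeEqual(expected, provided);
}
```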
Checksums-Sha1:
Checksums-Sha256:
Files:
 773aaceaed6a7e8de5716a4f94a0c0ff 4334 javascript optional nodejs_18.20.4+dfsg-1~deb12u2.dsc
 774dbd4a3931a17737b3c27a7a67d587 272924 javascript optional nodejs_18.20.4+dfsg.orig-ada.tar.xz
 8cabd2aa436c05f698a17368826a8645 267236 javascript optional nodejs_18.20.4+dfsg.orig-types-node.tar.xz
 157a1ca8a7c3ca2465402e0326511581 29390728 javascript optional nodejs_18.20.4+dfsg.orig.tar.xz
 5735c474d564398ac94ceb28579e3af6 189708 javascript optional nodejs_18.20.4+dfsg-1~deb12u2.debian.tar.xz
 6564ea3fabb24265dc9ca795dc2f9d0b 9612 javascript optional nodejs_18.20.4+dfsg-1~deb12u2_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----