INFSA-2025:8493: nodejs22 security update
Information about definition
Identifier: INFSA-2025:8493
Type: security
Release date: 2025-07-17 21:41:54 UTC
Information about package
Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices.
Vulnerabilities description
- CVE-2025-23166
A flaw was found in Node.js, specifically in the C++ method SignTraits::DeriveBits(). This vulnerability can allow a remote attacker to crash the Node.js runtime via untrusted input, triggering an exception in a background thread.
- CVE-2025-23165
A flaw was found in the ReadFileUtf8 internal binding of Node.js. This vulnerability can allow an attacker to cause an application denial of service via repeated file read operations that trigger an unrecoverable memory leak due to a corrupted pointer in the underlying file system binding.
Severity level
CVE | Score CVSS 2.0 | Score CVSS 3.x | Score CVSS 4.0 |
---|---|---|---|
NIST — CVE-2025-23165 | no information | 3.7 | no information |
NIST — CVE-2025-23166 | no information | 7.5 | no information |
Updated packages