INFSA-2025:8468: nodejs:20 security update

Information about definition

Identifier: INFSA-2025:8468

Type: security

Release date: 2025-07-10 21:51:54 UTC

Information about package

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

Vulnerabilities description

  • CVE-2025-23166

    A flaw was found in Node.js, specifically in the C++ method SignTraits::DeriveBits(). This vulnerability can allow a remote attacker to crash the Node.js runtime via untrusted input, triggering an exception in a background thread.

  • CVE-2025-23165

    A flaw was found in the ReadFileUtf8 internal binding of Node.js. This vulnerability can allow an attacker to cause an application denial of service via repeated file read operations that trigger an unrecoverable memory leak due to a corrupted pointer in the underlying file system binding.

Severity level

CVE    Score CVSS 2.0    Score CVSS 3.x    Score CVSS 4.0
       no information    3.7               no information
       no information    7.5               no information
       no information    6.5               no information
Critical, important, moderate, low

Updated packages