[manjaro-security] [ASA-202505-6] nodejs: denial of service
Andrea Denisse
denisse at archlinux.org
Tue May 20 21:14:45 CEST 2025
Arch Linux Security Advisory ASA-202505-6
=========================================
Severity: High
Date    : 2025-05-18
CVE-ID  : CVE-2025-23166
Package : nodejs
Type    : denial of service
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2871
Summary
=======
The package nodejs before version 23.11.1-1 is vulnerable to denial of
service.
Resolution
==========
Upgrade to 23.11.1-1.
# pacman -Syu "nodejs>=23.11.1-1"
The problem has been fixed upstream in version 23.11.1.
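The following shell snippet is an added example, not part of this advisory or of any Arch or Manjaro tooling: it takes the output line of `pacman -Q nodejs`, compares the installed version against the fixed version 23.11.1-1 and prints whether the host still needs the upgrade. It assumes a version string of the form pkgver-pkgrel with purely numeric dot- and dash-separated components and no epoch prefix; pacman's real comparison is vercmp(8), which this function only approximates. The sample line is constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not part of the advisory or of Arch/Manjaro tooling:
# decide whether an installed nodejs package is still below the fixed
# version named in the advisory.
#
# Assumptions: version strings are "pkgver-pkgrel" with purely numeric
# dot/dash separated components and no epoch prefix ("1:"); pacman's real
# comparison is vercmp(8), which vercmp_simple only approximates.

FIXED_VERSION="23.11.1-1"

# vercmp_simple A B: prints "older", "equal" or "newer" as A compares to B.
# Components are compared numerically from left to right; a missing
# trailing component counts as 0, so "23.11.1" sorts below "23.11.1-1".
vercmp_simple() {
    a=$(printf '%s\n' "$1" | sed 's/[.-]/ /g')
    b=$(printf '%s\n' "$2" | sed 's/[.-]/ /g')
    i=1
    while :; do
        fa=$(printf '%s\n' "$a" | cut -d' ' -f"$i")
        fb=$(printf '%s\n' "$b" | cut -d' ' -f"$i")
        if [ -z "$fa" ] && [ -z "$fb" ]; then
            echo equal
            return 0
        fi
        fa=${fa:-0}
        fb=${fb:-0}
        case "$fa$fb" in
            *[!0-9]*) echo "non-numeric version component" >&2; return 2 ;;
        esac
        if [ "$fa" -lt "$fb" ]; then echo older; return 0; fi
        if [ "$fa" -gt "$fb" ]; then echo newer; return 0; fi
        i=$((i + 1))
    done
}

# nodejs_is_fixed VERSION: succeeds (exit 0) when VERSION >= 23.11.1-1.
nodejs_is_fixed() {
    case "$(vercmp_simple "$1" "$FIXED_VERSION")" in
        equal|newer) return 0 ;;
        *) return 1 ;;
    esac
}

# installed_nodejs_version LINE: extracts the version from one line of
# `pacman -Q nodejs` output, e.g. "nodejs 23.11.0-2" -> "23.11.0-2".
installed_nodejs_version() {
    printf '%s\n' "$1" | awk '$1 == "nodejs" { print $2; exit }'
}

# Constructed sample line standing in for `pacman -Q nodejs` on an
# unpatched host; on a real system use the live command output instead.
sample_line="nodejs 23.11.0-2"

ver=$(installed_nodejs_version "$sample_line")
if nodejs_is_fixed "$ver"; then
    echo "nodejs $ver: not affected by CVE-2025-23166"
else
    echo "nodejs $ver: vulnerable, upgrade with: pacman -Syu \"nodejs>=$FIXED_VERSION\""
fi
```

On a real host replace the constructed line with `ver=$(installed_nodejs_version "$(pacman -Q nodejs)")`; for anything beyond plain numeric versions (epochs, pre-release tags) defer to `vercmp` from the pacman package rather than extending this approximation.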
Workaround
==========
None.
Description
===========
Improper error handling in async cryptographic operations crashes the
process.
The C++ method SignTraits::DeriveBits() may incorrectly call
ThrowException() based on user-supplied inputs when executing in a
background thread, crashing the Node.js process. Because such
cryptographic operations are commonly applied to untrusted inputs, an
adversary can potentially use this to remotely crash a Node.js runtime,
taking down every request that process was serving.
Impact
======
A remote attacker can exploit improper error handling in Node.js’s
asynchronous cryptographic operations to crash the process, leading to
a denial of service.
References
==========
https://nodejs.org/en/blog/vulnerability/may-2025-security-releases
https://nodejs.org/en/blog/vulnerability/may-2025-security-releases#improper-error-handling-in-async-cryptographic-operations-crashes-process-cve-2025-23166---high
https://security.archlinux.org/CVE-2025-23166