[manjaro-security] [ASA-202505-7] nodejs-lts-jod: denial of service
Andrea Denisse
denisse at archlinux.org
Tue May 20 21:15:17 CEST 2025

Arch Linux Security Advisory ASA-202505-7
=========================================

Severity: High
Date    : 2025-05-18
CVE-ID  : CVE-2025-23165 CVE-2025-23166
Package : nodejs-lts-jod
Type    : denial of service
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2872

Summary
=======

The package nodejs-lts-jod before version 22.15.1-1 is vulnerable to
denial of service.

Resolution
==========

Upgrade to 22.15.1-1.

# pacman -Syu "nodejs-lts-jod>=22.15.1-1"

The problems have been fixed upstream in version 22.15.1.
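
The shell sketch below is an added example, not part of the Arch advisory: it flags hosts in an inventory whose nodejs-lts-jod is older than the fixed 22.15.1-1. The inventory lines, host names and function names are constructed for illustration; the comparison assumes GNU sort -V, and on an Arch or Manjaro host pacman's own vercmp is the authoritative comparison.

```shell
#!/bin/sh
# Added example: audit a package inventory against ASA-202505-7.
FIXED="22.15.1-1"        # fixed package version stated in the advisory
PKG="nodejs-lts-jod"     # affected package stated in the advisory

# version_lt A B: succeeds when version A sorts strictly before version B.
# Assumption: GNU coreutils `sort -V` is available; epochs are not handled.
version_lt() {
    [ "$1" = "$2" ] && return 1
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$1" ]
}

# vulnerable_hosts: reads "host package version" lines on stdin and prints
# "host version" for every host still running a pre-fix build of $PKG.
vulnerable_hosts() {
    while read -r host pkg ver; do
        [ "$pkg" = "$PKG" ] || continue
        if version_lt "$ver" "$FIXED"; then
            printf '%s %s\n' "$host" "$ver"
        fi
    done
}

# Constructed inventory, e.g. gathered per host with `pacman -Q`.
INVENTORY='web01 nodejs-lts-jod 22.15.0-1
web02 nodejs-lts-jod 22.15.1-1
build01 nodejs-lts-jod 22.9.0-2
db01 postgresql 17.4-1
api01 nodejs-lts-jod 22.16.0-1'

printf '%s\n' "$INVENTORY" | vulnerable_hosts
```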

Workaround
==========

None.

Description
===========

- CVE-2025-23165 (denial of service)

Corrupted pointer in node::fs::ReadFileUtf8(const
FunctionCallbackInfo<Value>& args) when args[0] is a string.

In Node.js, the ReadFileUtf8 internal binding leaks memory due to a
corrupted pointer in uv_fs_s.file: a UTF-16 path buffer is allocated
but subsequently overwritten when the file descriptor is set. This
results in an unrecoverable memory leak on every call. Repeated use can
cause unbounded memory growth, leading to a denial of service.

- CVE-2025-23166 (denial of service)

Improper error handling in async cryptographic operations crashes
process.

The C++ method SignTraits::DeriveBits() may incorrectly call
ThrowException() based on user-supplied inputs when executing in a
background thread, crashing the Node.js process. Such cryptographic
operations are commonly applied to untrusted inputs. Thus, this
mechanism potentially allows an adversary to remotely crash a Node.js
runtime.

Impact
======

A remote attacker can exploit improper error handling and memory
management flaws in Node.js to crash the process or exhaust system
resources, leading to a denial of service. Specifically, malformed
input may trigger a crash in asynchronous cryptographic operations,
while repeated use of file system APIs with crafted input may cause
unbounded memory growth.

References
==========

https://nodejs.org/en/blog/vulnerability/may-2025-security-releases
https://nodejs.org/en/blog/vulnerability/may-2025-security-releases#corrupted-pointer-in-nodefsreadfileutf8const-functioncallbackinfovalue-args-when-args0-is-a-string-cve-2025-23165---low
https://nodejs.org/en/blog/vulnerability/may-2025-security-releases#improper-error-handling-in-async-cryptographic-operations-crashes-process-cve-2025-23166---high
https://security.archlinux.org/CVE-2025-23165
https://security.archlinux.org/CVE-2025-23166