[manjaro-security] [ASA-202505-8] nodejs-lts-iron: multiple issues
Andrea Denisse
denisse at archlinux.org
Tue May 20 21:15:58 CEST 2025
Arch Linux Security Advisory ASA-202505-8
=========================================
Severity: High
Date    : 2025-05-18
CVE-ID  : CVE-2025-23165 CVE-2025-23166 CVE-2025-23167
Package : nodejs-lts-iron
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2873
Summary
=======
The package nodejs-lts-iron before version 20.19.2-1 is vulnerable to
multiple issues including denial of service and access restriction
bypass.
Resolution
==========
Upgrade to 20.19.2-1.
# pacman -Syu "nodejs-lts-iron>=20.19.2-1"
The problems have been fixed upstream in version 20.19.2.
Workaround
==========
None.
Description
===========
- CVE-2025-23165 (denial of service)
Corrupted pointer in node::fs::ReadFileUtf8(const
FunctionCallbackInfo<Value>& args) when args[0] is a string.
In Node.js, the ReadFileUtf8 internal binding leaks memory due to a
corrupted pointer in uv_fs_s.file: a UTF-16 path buffer is allocated
but subsequently overwritten when the file descriptor is set. This
results in an unrecoverable memory leak on every call. Repeated use can
cause unbounded memory growth, leading to a denial of service.
- CVE-2025-23166 (denial of service)
Improper error handling in async cryptographic operations crashes
process.
The C++ method SignTraits::DeriveBits() may incorrectly call
ThrowException() based on user-supplied inputs when executing in a
background thread, crashing the Node.js process. Such cryptographic
operations are commonly applied to untrusted inputs. Thus, this
mechanism potentially allows an adversary to remotely crash a Node.js
runtime.
- CVE-2025-23167 (access restriction bypass)
A flaw in Node.js 20's HTTP parser allows improper termination of
HTTP/1 headers using \r\n\rX instead of the required \r\n\r\n. This
inconsistency enables request smuggling, allowing attackers to bypass
proxy-based access controls and submit unauthorized requests.
The issue was resolved by upgrading llhttp to version 9, which enforces
correct header termination.
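
For CVE-2025-23167, a front end that inspects raw HTTP/1 bytes can refuse any header block containing a CR that is not followed by LF, so it never disagrees with a back end about where the headers end. The JavaScript below is an added example, not code from Node.js, llhttp or this advisory; the function names, result fields and sample requests are constructed for illustration.

```javascript
// Added example: strict header-block terminator check for raw HTTP/1 bytes.
// Names are hypothetical; the sample requests are constructed, not captured.
const CR = 0x0d;
const LF = 0x0a;

/**
 * Scan a raw HTTP/1 message from its first byte and classify how the
 * header block ends:
 *   { status: 'ok', bodyOffset }   closed by CRLF CRLF; body starts at bodyOffset
 *   { status: 'bare-cr', offset }  a CR not followed by LF appears first
 *   { status: 'incomplete' }       no terminator in the bytes seen so far
 */
function checkHeaderTermination(buf) {
  for (let i = 0; i < buf.length; i++) {
    if (buf[i] !== CR) continue;
    // A CR as the last byte cannot be judged until more data arrives.
    if (i + 1 >= buf.length) return { status: 'incomplete' };
    // Any CR not followed by LF is rejected, including the "\r\n\rX" case.
    if (buf[i + 1] !== LF) return { status: 'bare-cr', offset: i };
    // buf[i..i+1] is CRLF; a second CRLF directly after it ends the headers.
    if (i + 3 < buf.length && buf[i + 2] === CR && buf[i + 3] === LF) {
      return { status: 'ok', bodyOffset: i + 4 };
    }
    i++; // skip the LF that was just validated
  }
  return { status: 'incomplete' };
}

// Constructed sample inputs.
const SAMPLES = {
  wellFormed: Buffer.from('GET / HTTP/1.1\r\nHost: example.test\r\n\r\n'),
  bareCr: Buffer.from('GET / HTTP/1.1\r\nHost: example.test\r\n\rX'),
  partial: Buffer.from('GET / HTTP/1.1\r\nHost: example.test\r\n'),
};

// Run the check over every sample and return the results keyed by name.
function classifySamples() {
  const out = {};
  for (const [name, buf] of Object.entries(SAMPLES)) {
    out[name] = checkHeaderTermination(buf);
  }
  return out;
}

console.log(classifySamples());
```

A proxy applying this check would answer a `bare-cr` result with a 400 response and close the connection instead of forwarding the bytes.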
Impact
======
A remote attacker can exploit multiple vulnerabilities in Node.js to
cause a denial of service or bypass access restrictions. Improper error
handling and memory management flaws may crash the process or lead to
unbounded memory usage, while an HTTP parsing inconsistency in Node.js
20.x can enable request smuggling, allowing attackers to evade proxy-
based access controls and submit unauthorized requests.
References
==========
https://nodejs.org/en/blog/vulnerability/may-2025-security-releases
https://nodejs.org/en/blog/vulnerability/may-2025-security-releases#corrupted-pointer-in-nodefsreadfileutf8const-functioncallbackinfovalue-args-when-args0-is-a-string-cve-2025-23165---low
https://nodejs.org/en/blog/vulnerability/may-2025-security-releases#improper-error-handling-in-async-cryptographic-operations-crashes-process-cve-2025-23166---high
https://nodejs.org/en/blog/vulnerability/may-2025-security-releases#improper-http-header-block-termination-in-llhttp-cve-2025-23167---medium
https://security.archlinux.org/CVE-2025-23165
https://security.archlinux.org/CVE-2025-23166
https://security.archlinux.org/CVE-2025-23167