Message-ID: <Z4__rJ3_SmmtEIsG@netmeister.org>
Date: Tue, 21 Jan 2025 15:12:28 -0500
From: Jan Schaumann <jschauma@...meister.org>
To: oss-security@...ts.openwall.com
Subject: Node.js security updates: CVE-2025-23083, CVE-2025-23084, CVE-2025-23085

[Forwarding here because I seem to recall that the NodeJS team doesn't
usually post their announcements to this list; I have no other
affiliation with NodeJS.]

https://nodejs.org/en/blog/vulnerability/january-2025-security-releases

Tuesday, January 21, 2025 Security Releases

Security releases available

Updates are now available for the 23.x, 22.x, 20.x, 18.x Node.js release
lines for the following issues.

This security release includes the following dependency updates to
address public vulnerabilities:

* undici (v7.2.3, v6.21.1, v5.28.5) on v23.x, v22.x, .x, v18.x.

Worker permission bypass via InternalWorker leak in diagnostics
(CVE-2025-23083) - (high)

With the aid of the diagnostics_channel utility, an event can be hooked
into whenever a worker thread is created. This is not limited only to
workers but also exposes internal workers, where an instance of them can
be fetched, and its constructor can be grabbed and reinstated for
malicious usage.

This vulnerability affects Permission Model users (--permission) on
Node.js v20, v22, and v23.

Impact:

This vulnerability affects all users in active release lines: 20.x,
22.x, 23.x

Thank you, to leodog896 for reporting this vulnerability and thank you
RafaelGSS for fixing it.

Path traversal by drive name in Windows environment (CVE-2025-23084) -
(medium)

A vulnerability has been identified in Node.js, specifically affecting
the handling of drive names in the Windows environment. Certain Node.js
functions do not treat drive names as special on Windows. As a result,
although Node.js assumes a relative path, it actually refers to the root
directory.

On Windows, a path that does not start with the file separator is
treated as relative to the current directory.

This vulnerability affects Windows users of path.join API.

Impact:

This vulnerability affects all users in active release lines: 18.x,
20.x, 22.x, 23.x

Thank you, to taise for reporting this vulnerability and thank you
tniessen for fixing it.

GOAWAY HTTP/2 frames cause memory leak outside heap (CVE-2025-23085) -
(medium)

A memory leak could occur when a remote peer abruptly closes the socket
without sending a GOAWAY notification. Additionally, if an invalid
header was detected by nghttp2, causing the connection to be terminated
by the peer, the same leak was triggered. This flaw could lead to
increased memory consumption and potential denial of service under
certain conditions.

This vulnerability affects HTTP/2 Server users on Node.js v18.x, v20.x,
v22.x and v23.x.

Impact:

This vulnerability affects all users in active release lines: 18.x,
20.x, 22.x, 23.x

Thank you, to newtmitch for reporting this vulnerability and thank you
RafaelGSS for fixing it.

Downloads and release details

Node.js v18.20.6 - https://nodejs.org/en/blog/release/v18.20.6/
Node.js v20.18.2 - https://nodejs.org/en/blog/release/v20.18.2/
Node.js v22.13.1 - https://nodejs.org/en/blog/release/v22.13.1/
Node.js v23.6.1 - https://nodejs.org/en/blog/release/v23.6.1/