Message-ID: <Z4__rJ3_SmmtEIsG@netmeister.org>
Date: Tue, 21 Jan 2025 15:12:28 -0500
From: Jan Schaumann <jschauma@...meister.org>
To: oss-security@...ts.openwall.com
Subject: Node.js security updates: CVE-2025-23083, CVE-2025-23084,
 CVE-2025-23085

[Forwarding here because I seem to recall that the
NodeJS team doesn't usually post their announcements
to this list; I have no other affiliation with
NodeJS.]

https://nodejs.org/en/blog/vulnerability/january-2025-security-releases

Tuesday, January 21, 2025 Security Releases

Security releases available

Updates are now available for the 23.x, 22.x, 20.x,
18.x Node.js release lines for the following issues.

This security release includes the following
dependency updates to address public vulnerabilities:

* undici (v7.2.3, v6.21.1, v5.28.5) on v23.x, v22.x, v20.x, v18.x.


Worker permission bypass via InternalWorker leak in
diagnostics (CVE-2025-23083) - (high)

With the aid of the diagnostics_channel utility, an
event can be hooked into whenever a worker thread is
created. This is not limited only to workers but also
exposes internal workers, where an instance of them
can be fetched, and its constructor can be grabbed and
reinstated for malicious usage.

This vulnerability affects Permission Model users
(--permission) on Node.js v20, v22, and v23.

Impact:

    This vulnerability affects all users in active
release lines: 20.x, 22.x, 23.x

Thank you, to leodog896 for reporting this
vulnerability and thank you RafaelGSS for fixing it.


Path traversal by drive name in Windows environment
(CVE-2025-23084) - (medium)

A vulnerability has been identified in Node.js,
specifically affecting the handling of drive names in
the Windows environment. Certain Node.js functions do
not treat drive names as special on Windows. As a
result, although Node.js assumes a relative path, it
actually refers to the root directory.

On Windows, a path that does not start with the file
separator is treated as relative to the current
directory.

This vulnerability affects Windows users of path.join
API.

Impact:

    This vulnerability affects all users in active
release lines: 18.x, 20.x, 22.x, 23.x

Thank you, to taise for reporting this vulnerability
and thank you tniessen for fixing it.


GOAWAY HTTP/2 frames cause memory leak outside heap
(CVE-2025-23085) - (medium)

A memory leak could occur when a remote peer abruptly
closes the socket without sending a GOAWAY
notification. Additionally, if an invalid header was
detected by nghttp2, causing the connection to be
terminated by the peer, the same leak was triggered.
This flaw could lead to increased memory consumption
and potential denial of service under certain
conditions.

This vulnerability affects HTTP/2 Server users on
Node.js v18.x, v20.x, v22.x and v23.x.

Impact:

    This vulnerability affects all users in active
release lines: 18.x, 20.x, 22.x, 23.x

Thank you, to newtmitch for reporting this
vulnerability and thank you RafaelGSS for fixing it.


Downloads and release details

Node.js v18.20.6 - https://nodejs.org/en/blog/release/v18.20.6/
Node.js v20.18.2 - https://nodejs.org/en/blog/release/v20.18.2/
Node.js v22.13.1 - https://nodejs.org/en/blog/release/v22.13.1/
Node.js v23.6.1 - https://nodejs.org/en/blog/release/v23.6.1/
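
For CVE-2025-23084 above, an application-side containment check that
does not depend on path.join treating drive names as special. This is an
added example, not part of the forwarded advisory or Node.js project
code; safeJoinWin32, verdict, the base directory and the sample inputs
are hypothetical.

```javascript
// Added example, not Node.js project code. safeJoinWin32, BASE and the
// sample inputs are hypothetical/constructed. path.win32 applies Windows
// path rules on any OS, so this also runs on Linux or macOS.
const path = require('node:path');
const win = path.win32;

// A path segment that starts with a drive name, e.g. "C:" or "d:notes.txt".
const DRIVE_NAME = /^[A-Za-z]:/;

// Join untrusted input under baseDir; return the absolute result or throw.
function safeJoinWin32(baseDir, untrusted) {
  if (typeof untrusted !== 'string' || untrusted.includes('\0')) {
    throw new Error('invalid input');
  }
  // Check every segment, not only the first: a later segment becomes the
  // leading one once ".." segments are collapsed during normalization.
  const segments = untrusted.split(/[\\/]+/);
  if (segments.some((s) => DRIVE_NAME.test(s))) {
    throw new Error('drive name in path');
  }
  if (win.isAbsolute(untrusted)) throw new Error('absolute path');

  // Containment check on fully resolved paths rather than on join() output.
  const base = win.resolve(baseDir);
  const target = win.resolve(base, untrusted);
  const rel = win.relative(base, target);
  if (rel === '..' || rel.startsWith('..\\') || win.isAbsolute(rel)) {
    throw new Error('escapes base directory');
  }
  return target;
}

// Constructed sample inputs; BASE is a hypothetical upload directory.
const BASE = 'C:\\srv\\uploads';
function verdict(input) {
  try { return safeJoinWin32(BASE, input); } catch (e) { return `rejected: ${e.message}`; }
}

for (const p of ['reports\\q1.txt', 'C:evil.txt', 'a\\..\\C:\\Windows',
  'a/../D:/data', '..\\..\\Windows\\win.ini', '\\Windows']) {
  console.log(JSON.stringify(p), '->', verdict(p));
}
```

The drive-name test runs before any path API is called, so the verdicts
are the same on patched and unpatched release lines.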
