CVE-2025-23085

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-23085
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-23085.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-23085
Aliases
Downstream
Related
Published
2025-02-07T07:15:15Z
Modified
2025-09-19T15:23:28.678985Z
Summary
[none]
Details

A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could lead to increased memory consumption and potential denial of service under certain conditions.

This vulnerability affects HTTP/2 Server users on Node.js v18.x, v20.x, v22.x and v23.x.

References

Affected packages

Alpine:v3.21 / nodejs

Package

Name
nodejs
Purl
pkg:apk/alpine/nodejs?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
22.13.1-r0

Affected versions

22.*

22.11.0-r0
22.11.0-r1

Alpine:v3.21 / nodejs

Package

Name
nodejs
Purl
pkg:apk/alpine/nodejs?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
22.13.1-r0

Affected versions

22.*

22.11.0-r0
22.11.0-r1

Alpine:v3.22 / nodejs

Package

Name
nodejs
Purl
pkg:apk/alpine/nodejs?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
22.13.1-r0

Affected versions

22.*

22.11.0-r0
22.11.0-r1
22.11.0-r2