DEBIAN-CVE-2025-59465

See a problem?
Please try reporting it to the source first.
Source
https://security-tracker.debian.org/tracker/CVE-2025-59465
Import Source
https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2025-59465.json
JSON Data
https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2025-59465
Upstream
Published
2026-01-20T21:16:04.010Z
Modified
2026-01-21T11:19:06.479037Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

A malformed HTTP/2 HEADERS frame with oversized, invalid HPACK data can cause Node.js to crash by triggering an unhandled TLSSocket error ECONNRESET. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets, for example: server.on('secureConnection', socket => { socket.on('error', err => { console.log(err) }) })

References

Affected packages

Debian:11 / nodejs

Package

Name
nodejs
Purl
pkg:deb/debian/nodejs?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

12.*
12.21.0~dfsg-5
12.22.4~dfsg-1
12.22.5~dfsg-1
12.22.5~dfsg-2~11u1
12.22.5~dfsg-2
12.22.5~dfsg-3
12.22.5~dfsg-4
12.22.5~dfsg-5
12.22.5~dfsg-6
12.22.5~dfsg-7
12.22.7~dfsg-1
12.22.7~dfsg-2
12.22.9~dfsg-1
12.22.10~dfsg-1
12.22.10~dfsg-2
12.22.12~dfsg-1~deb11u1
12.22.12~dfsg-1~deb11u2
12.22.12~dfsg-1~deb11u3
12.22.12~dfsg-1~deb11u4
12.22.12~dfsg-1~deb11u5
12.22.12~dfsg-1~deb11u6
12.22.12~dfsg-1~deb11u7
14.*
14.4.0~dfsg-1
14.4.0~dfsg-2
14.7.0~dfsg-1
14.8.0~dfsg-1
14.9.0~dfsg-1
14.11.0~dfsg-1
14.11.0~dfsg-2
14.12.0~dfsg-1
14.13.0~dfsg-1
14.16.0~dfsg-1
14.16.1~dfsg-1
14.17.0~dfsg-1
14.17.0~dfsg-2
16.*
16.11.1~dfsg-1
16.13.0~dfsg-1
16.13.0~dfsg-2
16.13.0~dfsg-3
16.13.0~dfsg-4
16.13.0~dfsg-5
16.13.2~dfsg-1
16.13.2~dfsg-2
16.13.2+really14.19.0~dfsg-1
16.13.2+really14.19.0~dfsg-2
16.13.2+really14.19.1~dfsg-1
16.13.2+really14.19.1~dfsg-2
16.13.2+really14.19.1~dfsg-3
16.13.2+really14.19.1~dfsg-4
16.13.2+really14.19.1~dfsg-5
16.13.2+really14.19.1~dfsg-6
16.14.2+dfsg-1
16.14.2+dfsg-2
16.14.2+dfsg-3
16.14.2+dfsg-4
16.14.2+dfsg-5
16.14.2+dfsg1-1
16.15.0+dfsg-1
16.15.1+dfsg-1
18.*
18.3.0+dfsg-1
18.4.0+dfsg-1
18.4.0+dfsg-2
18.6.0+dfsg-1
18.6.0+dfsg-2
18.6.0+dfsg-3
18.6.0+dfsg-4
18.6.0+dfsg-5
18.7.0+dfsg-1
18.7.0+dfsg-4
18.7.0+dfsg-5
18.8.0+dfsg-1
18.10.0+dfsg-1
18.10.0+dfsg-2
18.10.0+dfsg-3
18.10.0+dfsg-4
18.10.0+dfsg-5
18.10.0+dfsg-6
18.11.0+dfsg-1
18.11.0+dfsg-2
18.11.0+dfsg-3
18.11.0+dfsg-4
18.12.0+dfsg-1
18.12.1+dfsg-1
18.12.1+dfsg-2
18.12.1+dfsg-2+0.riscv64.1
18.13.0+dfsg-1
18.13.0+dfsg1-1
18.13.0+dfsg1-1.1
18.19.0+dfsg-1
18.19.0+dfsg-2
18.19.0+dfsg-3
18.19.0+dfsg-4
18.19.0+dfsg-5
18.19.0+dfsg-6~deb12u1
18.19.0+dfsg-6~deb12u2
18.19.0+dfsg-6
18.19.1+dfsg-1
18.19.1+dfsg-2
18.19.1+dfsg-3
18.19.1+dfsg-3.1
18.19.1+dfsg-4
18.19.1+dfsg-6
18.20.1+dfsg-1
18.20.1+dfsg-2
18.20.1+dfsg-3
18.20.1+dfsg-4
18.20.4+dfsg-1~deb12u1
20.*
20.10.0+dfsg-1
20.12.2+dfsg-1
20.13.0+dfsg-1
20.13.1+dfsg-1
20.13.1+dfsg-2
20.14.0+dfsg-1
20.14.0+dfsg-2
20.14.0+dfsg-3
20.15.0+dfsg-1
20.15.1+dfsg-1
20.16.0+dfsg-1
20.17.0+dfsg-1
20.17.0+dfsg-2
20.18.0+dfsg-1
20.18.0+dfsg-2
20.18.1+dfsg-1
20.18.1+dfsg-2
20.18.2+dfsg-1
20.18.2+dfsg-2
20.18.2+dfsg-3
20.18.2+dfsg-4
20.18.3+dfsg-1
20.19.0+dfsg-1
20.19.0+dfsg-2
20.19.0+dfsg1-1
20.19.2+dfsg-1
20.19.4+dfsg-1
20.19.5+dfsg+~cs20.19.12-1
20.19.5+dfsg+~cs20.19.12-2
20.19.5+dfsg+~cs20.19.12-3
20.19.5+dfsg+~cs20.19.12-4
20.19.5+dfsg+~cs20.19.24-1
22.*
22.12.0+dfsg-1
22.12.0+dfsg-2
22.12.0+dfsg-3
22.14.0+dfsg-1
22.18.0+dfsg-1
22.18.0+dfsg+~cs22.17.2-1
22.18.0+dfsg+~cs22.17.2-2
22.19.0+dfsg+~cs22.18.0-1
22.21.1+dfsg+~cs22.19.0-1
22.21.1+dfsg+~cs22.19.0-2
22.21.1+dfsg+~cs22.19.0-3
22.21.1+dfsg+~cs22.19.0-4
22.21.1+dfsg+~cs22.19.0-5
22.21.1+dfsg+~cs22.19.0-6
22.22.0+dfsg+~cs22.19.6-1
24.*
24.11.1+dfsg+~cs24.10.1-1
24.11.1+dfsg+~cs24.10.1-2
24.12.0+dfsg+~cs24.10.4-1
24.13.0+dfsg+~cs24.10.7-1
24.13.0+dfsg+~cs24.10.7-2

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2025-59465.json"

Debian:12 / nodejs

Package

Name
nodejs
Purl
pkg:deb/debian/nodejs?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

18.*
18.13.0+dfsg1-1
18.13.0+dfsg1-1.1
18.19.0+dfsg-1
18.19.0+dfsg-2
18.19.0+dfsg-3
18.19.0+dfsg-4
18.19.0+dfsg-5
18.19.0+dfsg-6~deb12u1
18.19.0+dfsg-6~deb12u2
18.19.0+dfsg-6
18.19.1+dfsg-1
18.19.1+dfsg-2
18.19.1+dfsg-3
18.19.1+dfsg-3.1
18.19.1+dfsg-4
18.19.1+dfsg-6
18.20.1+dfsg-1
18.20.1+dfsg-2
18.20.1+dfsg-3
18.20.1+dfsg-4
18.20.4+dfsg-1~deb12u1
20.*
20.10.0+dfsg-1
20.12.2+dfsg-1
20.13.0+dfsg-1
20.13.1+dfsg-1
20.13.1+dfsg-2
20.14.0+dfsg-1
20.14.0+dfsg-2
20.14.0+dfsg-3
20.15.0+dfsg-1
20.15.1+dfsg-1
20.16.0+dfsg-1
20.17.0+dfsg-1
20.17.0+dfsg-2
20.18.0+dfsg-1
20.18.0+dfsg-2
20.18.1+dfsg-1
20.18.1+dfsg-2
20.18.2+dfsg-1
20.18.2+dfsg-2
20.18.2+dfsg-3
20.18.2+dfsg-4
20.18.3+dfsg-1
20.19.0+dfsg-1
20.19.0+dfsg-2
20.19.0+dfsg1-1
20.19.2+dfsg-1
20.19.4+dfsg-1
20.19.5+dfsg+~cs20.19.12-1
20.19.5+dfsg+~cs20.19.12-2
20.19.5+dfsg+~cs20.19.12-3
20.19.5+dfsg+~cs20.19.12-4
20.19.5+dfsg+~cs20.19.24-1
22.*
22.12.0+dfsg-1
22.12.0+dfsg-2
22.12.0+dfsg-3
22.14.0+dfsg-1
22.18.0+dfsg-1
22.18.0+dfsg+~cs22.17.2-1
22.18.0+dfsg+~cs22.17.2-2
22.19.0+dfsg+~cs22.18.0-1
22.21.1+dfsg+~cs22.19.0-1
22.21.1+dfsg+~cs22.19.0-2
22.21.1+dfsg+~cs22.19.0-3
22.21.1+dfsg+~cs22.19.0-4
22.21.1+dfsg+~cs22.19.0-5
22.21.1+dfsg+~cs22.19.0-6
22.22.0+dfsg+~cs22.19.6-1
24.*
24.11.1+dfsg+~cs24.10.1-1
24.11.1+dfsg+~cs24.10.1-2
24.12.0+dfsg+~cs24.10.4-1
24.13.0+dfsg+~cs24.10.7-1
24.13.0+dfsg+~cs24.10.7-2

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2025-59465.json"

Debian:13 / nodejs

Package

Name
nodejs
Purl
pkg:deb/debian/nodejs?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

20.*
20.19.2+dfsg-1
20.19.4+dfsg-1
20.19.5+dfsg+~cs20.19.12-1
20.19.5+dfsg+~cs20.19.12-2
20.19.5+dfsg+~cs20.19.12-3
20.19.5+dfsg+~cs20.19.12-4
20.19.5+dfsg+~cs20.19.24-1
22.*
22.12.0+dfsg-1
22.12.0+dfsg-2
22.12.0+dfsg-3
22.14.0+dfsg-1
22.18.0+dfsg-1
22.18.0+dfsg+~cs22.17.2-1
22.18.0+dfsg+~cs22.17.2-2
22.19.0+dfsg+~cs22.18.0-1
22.21.1+dfsg+~cs22.19.0-1
22.21.1+dfsg+~cs22.19.0-2
22.21.1+dfsg+~cs22.19.0-3
22.21.1+dfsg+~cs22.19.0-4
22.21.1+dfsg+~cs22.19.0-5
22.21.1+dfsg+~cs22.19.0-6
22.22.0+dfsg+~cs22.19.6-1
24.*
24.11.1+dfsg+~cs24.10.1-1
24.11.1+dfsg+~cs24.10.1-2
24.12.0+dfsg+~cs24.10.4-1
24.13.0+dfsg+~cs24.10.7-1
24.13.0+dfsg+~cs24.10.7-2

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2025-59465.json"

Debian:14 / nodejs

Package

Name
nodejs
Purl
pkg:deb/debian/nodejs?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
22.22.0+dfsg+~cs22.19.6-1

Affected versions

20.*
20.19.2+dfsg-1
20.19.4+dfsg-1
20.19.5+dfsg+~cs20.19.12-1
20.19.5+dfsg+~cs20.19.12-2
20.19.5+dfsg+~cs20.19.12-3
20.19.5+dfsg+~cs20.19.12-4
20.19.5+dfsg+~cs20.19.24-1
22.*
22.12.0+dfsg-1
22.12.0+dfsg-2
22.12.0+dfsg-3
22.14.0+dfsg-1
22.18.0+dfsg-1
22.18.0+dfsg+~cs22.17.2-1
22.18.0+dfsg+~cs22.17.2-2
22.19.0+dfsg+~cs22.18.0-1
22.21.1+dfsg+~cs22.19.0-1
22.21.1+dfsg+~cs22.19.0-2
22.21.1+dfsg+~cs22.19.0-3
22.21.1+dfsg+~cs22.19.0-4
22.21.1+dfsg+~cs22.19.0-5
22.21.1+dfsg+~cs22.19.0-6

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2025-59465.json"