OESA-2025-1534

See a problem?
Please try reporting it to the source first.

Source

https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2025-1534

Import Source

https://repo.openeuler.org/security/data/osv/OESA-2025-1534.json

JSON Data

https://api.test.osv.dev/v1/vulns/OESA-2025-1534

Upstream

CVE-2025-23165

CVE-2025-23166

Published

2025-05-23T13:59:40Z

Modified

2025-08-12T05:49:20.216124Z

Summary

nodejs security update

Details

Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices.

Security Fix(es):

In Node.js, the ReadFileUtf8 internal binding leaks memory due to a corrupted pointer in uv_fs_s.file: a UTF-16 path buffer is allocated but subsequently overwritten when the file descriptor is set. This results in an unrecoverable memory leak on every call. Repeated use can cause unbounded memory growth, leading to a denial of service.

Impact: * This vulnerability affects APIs relying on ReadFileUtf8 on Node.js release lines: v20 and v22.(CVE-2025-23165)

The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentially allows an adversary to remotely crash a Node.js runtime.(CVE-2025-23166)

Database specific

{
    "severity": "High"
}

References

Affected packages

openEuler:24.03-LTS-SP1 / nodejs

Package

Name: nodejs
Purl: pkg:rpm/openEuler/nodejs&distro=openEuler-24.03-LTS-SP1

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

20.18.2-3.oe2403sp1

Ecosystem specific

{
    "aarch64": [
        "nodejs-20.18.2-3.oe2403sp1.aarch64.rpm",
        "nodejs-debuginfo-20.18.2-3.oe2403sp1.aarch64.rpm",
        "nodejs-debugsource-20.18.2-3.oe2403sp1.aarch64.rpm",
        "nodejs-devel-20.18.2-3.oe2403sp1.aarch64.rpm",
        "nodejs-full-i18n-20.18.2-3.oe2403sp1.aarch64.rpm",
        "nodejs-libs-20.18.2-3.oe2403sp1.aarch64.rpm",
        "npm-10.8.2-1.20.18.2.3.oe2403sp1.aarch64.rpm",
        "v8-devel-11.3.244.8-1.20.18.2.3.oe2403sp1.aarch64.rpm"
    ],
    "src": [
        "nodejs-20.18.2-3.oe2403sp1.src.rpm"
    ],
    "noarch": [
        "nodejs-docs-20.18.2-3.oe2403sp1.noarch.rpm"
    ],
    "x86_64": [
        "nodejs-20.18.2-3.oe2403sp1.x86_64.rpm",
        "nodejs-debuginfo-20.18.2-3.oe2403sp1.x86_64.rpm",
        "nodejs-debugsource-20.18.2-3.oe2403sp1.x86_64.rpm",
        "nodejs-devel-20.18.2-3.oe2403sp1.x86_64.rpm",
        "nodejs-full-i18n-20.18.2-3.oe2403sp1.x86_64.rpm",
        "nodejs-libs-20.18.2-3.oe2403sp1.x86_64.rpm",
        "npm-10.8.2-1.20.18.2.3.oe2403sp1.x86_64.rpm",
        "v8-devel-11.3.244.8-1.20.18.2.3.oe2403sp1.x86_64.rpm"
    ]
}