-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Mon, 06 Apr 2026 16:18:52 +0200 Source: nodejs Binary: libnode-dev libnode108 libnode108-dbgsym nodejs nodejs-dbgsym Architecture: amd64 Version: 18.20.4+dfsg-1~deb12u2 Distribution: bookworm-security Urgency: medium Maintainer: amd64 / i386 Build Daemon (x86-ubc-01) Changed-By: Bastien Roucariès Description: libnode-dev - evented I/O for V8 javascript (development files) libnode108 - evented I/O for V8 javascript - runtime library nodejs - evented I/O for V8 javascript - runtime executable Closes: 1094134 1105832 Changes: nodejs (18.20.4+dfsg-1~deb12u2) bookworm-security; urgency=medium . * Team upload * Fix CVE-2025-23085: A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could lead to increased memory consumption and potential denial of service under certain conditions (Closes: #1094134) * Fix CVE-2025-23166: The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentially allows an adversary to remotely crash a Node.js runtime. (Closes: #1105832) * Fix CVE-2025-55131: A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption. While exploitation typically requires precise timing or in-process code execution, it can become remotely exploitable when untrusted input influences workload and timeouts, leading to potential confidentiality and integrity impact. * Fix CVE-2025-59465: A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets, for example: ``` server.on('secureConnection', socket => { socket.on('error', err => { console.log(err) }) }) ``` * Fix CVE-2025-59466: async_hooks would cause stack overflow exceptions to exit with code 7 (kExceptionInFatalExceptionHandler) instead of being catchable. When a stack overflow exception occurs during async_hooks callbacks (which use TryCatchScope::kFatal), detect the specific "Maximum call stack size exceeded" RangeError and re-throw it instead of immediately calling FatalException. This allows user code to catch the exception with try-catch blocks instead of requiring uncaughtException handlers. * Fix CVE-2025-23166: A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across. * Fix CVE-2026-21710: A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`. When this occurs, `dest["__proto__"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by `error` event listeners, meaning it cannot be handled without wrapping every `req.headersDistinct` access in a `try/catch` * Fix CVE-2026-21713: A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possible, this behavior could be exploited as a timing oracle to infer HMAC values. Node.js already provides timing-safe comparison primitives used elsewhere in the codebase, indicating this is an oversight rather than an intentional design decision. * Fix CVE-2026-21714: A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2³¹-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up. Checksums-Sha1: 01f53c9bc421801a0fdf33b97873121bff04e614 513432 libnode-dev_18.20.4+dfsg-1~deb12u2_amd64.deb d9ab678d2f0a2665ca7dbf458d0a95381270e466 883859188 libnode108-dbgsym_18.20.4+dfsg-1~deb12u2_amd64.deb 128655242efd46b2ba2031c0bc2cf7a65c1d2eb3 10622596 libnode108_18.20.4+dfsg-1~deb12u2_amd64.deb 3d84267eb7eb0d97435a7808dbc0ff98e26fbe15 68744 nodejs-dbgsym_18.20.4+dfsg-1~deb12u2_amd64.deb 401c278729e8768c0c8d95ad8d3b6bfe72433da2 11100 nodejs_18.20.4+dfsg-1~deb12u2_amd64-buildd.buildinfo 389fb3ff856691e07c911f7ab60c36620ade8240 321172 nodejs_18.20.4+dfsg-1~deb12u2_amd64.deb Checksums-Sha256: 8660f5787f78f569705eafde836863e53e9dd9e0e0ad02dd68fe5819ce1dd8a4 513432 libnode-dev_18.20.4+dfsg-1~deb12u2_amd64.deb 08ce6311641e544fd90345961bda55f9fbab154baadb1ad81eaeab2665fc1ed3 883859188 libnode108-dbgsym_18.20.4+dfsg-1~deb12u2_amd64.deb 49c281c5fa259fa453a257e9cb0fcfb4385917ee21008ef1acbb5de2a9bb88a6 10622596 libnode108_18.20.4+dfsg-1~deb12u2_amd64.deb 83f44c9e27b46bbd5eb8a08e22fe35ce68ff26dd3ab49aca46f42ad20683a19a 68744 nodejs-dbgsym_18.20.4+dfsg-1~deb12u2_amd64.deb ed376272fe91bcbfbe57e96e3fc4c520a80e65567902e5e96b82ab9ac4865a90 11100 nodejs_18.20.4+dfsg-1~deb12u2_amd64-buildd.buildinfo ed733bcac17b24e6a1642f0dc2b71ae95513388197395a7736940df6c3c24cfc 321172 nodejs_18.20.4+dfsg-1~deb12u2_amd64.deb Files: 76d3d9fe6c50e3e58f119e288a2d8b25 513432 libdevel optional libnode-dev_18.20.4+dfsg-1~deb12u2_amd64.deb 5d85e698c6b8d56572ada0ac958e343f 883859188 debug optional libnode108-dbgsym_18.20.4+dfsg-1~deb12u2_amd64.deb 8f199f13f44d766ddcce7e5ed3131568 10622596 libs optional libnode108_18.20.4+dfsg-1~deb12u2_amd64.deb f8b02e28c50b6f6a0d490843f6646e03 68744 debug optional nodejs-dbgsym_18.20.4+dfsg-1~deb12u2_amd64.deb b6c74426254e660edd8ef29a683d65b0 11100 javascript optional nodejs_18.20.4+dfsg-1~deb12u2_amd64-buildd.buildinfo 0c096d8967597ddbf1e02dad4765db67 321172 javascript optional nodejs_18.20.4+dfsg-1~deb12u2_amd64.deb -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEmtr4KUMaso2EQ6NrTwt/65ON6zcFAmoAs9AACgkQTwt/65ON 6zc/HA/8CoIo+LLM5/D/GweL9pSGFMphYjj4oxYcXLsrUqFtqd1AVqP7yy0kRh7k BIGNO7trADC4kK1nw7Czcpk83L4o4b1bi9PUexfobH9TotPNdD6QMTnccT5FRGkY H5LyUPwOR2qTfS/S+ppzseI71+UvJqvRaj0puA9lr2UN0LZ+3w40aLBLpkU3q566 smcJC6JrcnmFgvYPjemOZ30bgIPqDhELb3XCZOQAVH27OBavZpeTX/D20ovV6aV7 SxWa8fprXO+5rRZJaFvFNP4aRyP+PzqAk4tGNSOVtVS25HtN6qp+yT8gTx7Wws2q TH9PZYktGVc6Id7ObVaT7yAtuGZClE6sZHOlivzKcxaJFi59JAHRDgfT6JWbdp9C pKrAOH6IRp1SG8kkHDG+w0qMJ4zeOd5+K4Q2C+FtGVJVXAmZ5xj/mmEFIE926O2q Yd8RRqx0bRYW78mXUU4sMfjmMlpeL5zr6R08YTHkRw7pk6Nd56P6BPVEXJOFLg9j nji4Gk15mi+93a4my4ddUsBepJl/walOhLQUcV+VFLVLYNW2MtFd3z4c121UbjXT 3gxuf78RioLWs8jzLbGaFKIwLdTMb8tP2GdJGkfa14GXoRopjl03zwZhChlfOQo3 hHqM1CnpnmIlnZ3nDZiwSeIMYUNTiCidWgY3DIFnwkzmggBspm4= =KzTz -----END PGP SIGNATURE-----