-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 06 Apr 2026 16:18:52 +0200
Source: nodejs
Binary: libnode-dev libnode108 libnode108-dbgsym nodejs nodejs-dbgsym
Architecture: arm64
Version: 18.20.4+dfsg-1~deb12u2
Distribution: bookworm-security
Urgency: medium
Maintainer: arm64 Build Daemon (arm-ubc-02) <buildd_arm64-arm-ubc-02@buildd.debian.org>
Changed-By: Bastien Roucariès <rouca@debian.org>
Description:
 libnode-dev - evented I/O for V8 javascript (development files)
 libnode108 - evented I/O for V8 javascript - runtime library
 nodejs     - evented I/O for V8 javascript - runtime executable
Closes: 1094134 1105832
Changes:
 nodejs (18.20.4+dfsg-1~deb12u2) bookworm-security; urgency=medium
 .
   * Team upload
   * Fix CVE-2025-23085:
     A memory leak could occur when a remote peer abruptly closes
     the socket without sending a GOAWAY notification. Additionally,
     if an invalid header was detected by nghttp2, causing the
     connection to be terminated by the peer, the same leak was
     triggered. This flaw could lead to increased memory consumption
     and potential denial of service under certain conditions
     (Closes: #1094134)
   * Fix CVE-2025-23166:
     The C++ method SignTraits::DeriveBits() may incorrectly call
     ThrowException() based on user-supplied inputs when executing
     in a background thread, crashing the Node.js process.
     Such cryptographic operations are commonly applied to
     untrusted inputs. Thus, this mechanism potentially allows
     an adversary to remotely crash a Node.js runtime.
     (Closes: #1105832)
   * Fix CVE-2025-55131:
     A flaw in Node.js's buffer allocation logic can expose uninitialized
     memory when allocations are interrupted, when using the `vm` module
     with the timeout option. Under specific timing conditions, buffers
     allocated with `Buffer.alloc` and other `TypedArray` instances like
     `Uint8Array` may contain leftover data from previous operations,
     allowing in-process secrets like tokens or passwords to leak or
     causing data corruption. While exploitation typically requires precise
     timing or in-process code execution, it can become remotely
     exploitable when untrusted input influences workload and timeouts,
     leading to potential confidentiality and integrity impact.
   * Fix CVE-2025-59465:
     A malformed `HTTP/2 HEADERS` frame with oversized, invalid
     `HPACK` data can cause Node.js to crash by triggering an
     unhandled `TLSSocket` error `ECONNRESET`. Instead of safely
     closing the connection, the process crashes, enabling a remote
     denial of service. This primarily affects applications that
     do not attach explicit error handlers to secure sockets,
     for example:
       server.on('secureConnection', socket => {
         socket.on('error', err => { console.log(err) })
       })
   * Fix CVE-2025-59466:
     async_hooks would cause stack overflow
     exceptions to exit with code 7 (kExceptionInFatalExceptionHandler)
     instead of being catchable.
     When a stack overflow exception occurs during async_hooks callbacks
     (which use TryCatchScope::kFatal), detect the specific "Maximum call
     stack size exceeded" RangeError and re-throw it instead of immediately
     calling FatalException. This allows user code to catch the exception
     with try-catch blocks instead of requiring uncaughtException handlers.
   * Fix CVE-2025-23166:
     A flaw in Node.js TLS error handling allows remote attackers to crash
     or exhaust resources of a TLS server when `pskCallback` or
     `ALPNCallback` are in use. Synchronous exceptions thrown during these
     callbacks bypass standard TLS error handling paths (tlsClientError and
     error), causing either immediate process termination or silent file
     descriptor leaks that eventually lead to denial of service. Because
     these callbacks process attacker-controlled input during the TLS
     handshake, a remote client can repeatedly trigger the issue. This
     vulnerability affects TLS servers using PSK or ALPN callbacks across.
   * Fix CVE-2026-21710:
     A flaw in Node.js HTTP request handling causes an uncaught `TypeError`
     when a request is received with a header named `__proto__` and the
     application accesses `req.headersDistinct`. When this occurs,
     `dest["__proto__"]` resolves to `Object.prototype` rather than
     `undefined`, causing `.push()` to be called on a non-array. This
     exception is thrown synchronously inside a property getter and cannot
     be intercepted by `error` event listeners, meaning it cannot be
     handled without wrapping every `req.headersDistinct` access in a
     `try/catch`.
   * Fix CVE-2026-21713:
     A flaw in Node.js HMAC verification uses a non-constant-time
     comparison when validating user-provided signatures, potentially
     leaking timing information proportional to the number of matching
     bytes. Under certain threat models where high-resolution timing
     measurements are possible, this behavior could be exploited as a
     timing oracle to infer HMAC values. Node.js already provides
     timing-safe comparison primitives used elsewhere in the codebase,
     indicating this is an oversight rather than an intentional design
     decision.
   * Fix CVE-2026-21714:
     A memory leak occurs in Node.js HTTP/2 servers when a client sends
     WINDOW_UPDATE frames on stream 0 (connection-level) that cause the
     flow control window to exceed the maximum value of 2³¹-1. The server
     correctly sends a GOAWAY frame, but the Http2Session object is never
     cleaned up.
Checksums-Sha1:
 8e704a1882d17b651fff23105e45249106fccfcf 513508 libnode-dev_18.20.4+dfsg-1~deb12u2_arm64.deb
 e145856c18011c6338f1e8640551ba7a317c89ee 883056432 libnode108-dbgsym_18.20.4+dfsg-1~deb12u2_arm64.deb
 7bc1243971a6d924d1c9a5a5905e93c1f41b63b2 9598044 libnode108_18.20.4+dfsg-1~deb12u2_arm64.deb
 dc34b758fcd5afad29b6f30aae984e312fda7cc7 68852 nodejs-dbgsym_18.20.4+dfsg-1~deb12u2_arm64.deb
 f1c2007deee0d7034301ff594b468d62ab376338 11112 nodejs_18.20.4+dfsg-1~deb12u2_arm64-buildd.buildinfo
 a609289d11368ee1c28dc8065619b8d1bdccea6f 321276 nodejs_18.20.4+dfsg-1~deb12u2_arm64.deb
Checksums-Sha256:
 0e7a5bc69b7a63d38bf9e93ef80e4117fde9b4d670b72cedfd09802d81d5eff6 513508 libnode-dev_18.20.4+dfsg-1~deb12u2_arm64.deb
 2826a7a30b98435378dc5e215ddd711fd1ff51215388ad770fb8437326cc19b2 883056432 libnode108-dbgsym_18.20.4+dfsg-1~deb12u2_arm64.deb
 9bdbcad4d7638be9b53cdf85c226b8e4dbbc9ceb9b463433cb1d0b8a1c73258d 9598044 libnode108_18.20.4+dfsg-1~deb12u2_arm64.deb
 0887be27143d9fa0784c078edb9f33d64d5626c8bb256b8bba77df9d7ca6fe6a 68852 nodejs-dbgsym_18.20.4+dfsg-1~deb12u2_arm64.deb
 0e2ac51630b79ad5b42fe9e54551cfdacaea181fba587fe45dc329b9c06858e8 11112 nodejs_18.20.4+dfsg-1~deb12u2_arm64-buildd.buildinfo
 5ed6d1460b0781f94320f5cddee7ca3acd8f07b94e2e7bff7878e036d0b33c3f 321276 nodejs_18.20.4+dfsg-1~deb12u2_arm64.deb
Files:
 8d06fd7aabc442029f51f2fe250d1143 513508 libdevel optional libnode-dev_18.20.4+dfsg-1~deb12u2_arm64.deb
 918d72a84da83f501ae2d91dbf1aebce 883056432 debug optional libnode108-dbgsym_18.20.4+dfsg-1~deb12u2_arm64.deb
 42dfab0935aa8cb4100ecd9809305a1a 9598044 libs optional libnode108_18.20.4+dfsg-1~deb12u2_arm64.deb
 36fd9eb78ff4bb2b524984f844d05684 68852 debug optional nodejs-dbgsym_18.20.4+dfsg-1~deb12u2_arm64.deb
 cdf252bbc921168ae5210502c0672afd 11112 javascript optional nodejs_18.20.4+dfsg-1~deb12u2_arm64-buildd.buildinfo
 bf4e293affb8b2fed238cfa86cca35a4 321276 javascript optional nodejs_18.20.4+dfsg-1~deb12u2_arm64.deb

-----BEGIN PGP SIGNATURE-----
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=CQax
-----END PGP SIGNATURE-----
