-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Mon, 06 Apr 2026 16:18:52 +0200 Source: nodejs Binary: libnode-dev libnode108 libnode108-dbgsym nodejs nodejs-dbgsym Architecture: mips64el Version: 18.20.4+dfsg-1~deb12u2 Distribution: bookworm-security Urgency: medium Maintainer: mipsel Build Daemon (mipsel-osuosl-03) Changed-By: Bastien Roucariès Description: libnode-dev - evented I/O for V8 javascript (development files) libnode108 - evented I/O for V8 javascript - runtime library nodejs - evented I/O for V8 javascript - runtime executable Closes: 1094134 1105832 Changes: nodejs (18.20.4+dfsg-1~deb12u2) bookworm-security; urgency=medium . * Team upload * Fix CVE-2025-23085: A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could lead to increased memory consumption and potential denial of service under certain conditions (Closes: #1094134) * Fix CVE-2025-23166: The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentially allows an adversary to remotely crash a Node.js runtime. (Closes: #1105832) * Fix CVE-2025-55131: A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption. While exploitation typically requires precise timing or in-process code execution, it can become remotely exploitable when untrusted input influences workload and timeouts, leading to potential confidentiality and integrity impact. * Fix CVE-2025-59465: A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets, for example: ``` server.on('secureConnection', socket => { socket.on('error', err => { console.log(err) }) }) ``` * Fix CVE-2025-59466: async_hooks would cause stack overflow exceptions to exit with code 7 (kExceptionInFatalExceptionHandler) instead of being catchable. When a stack overflow exception occurs during async_hooks callbacks (which use TryCatchScope::kFatal), detect the specific "Maximum call stack size exceeded" RangeError and re-throw it instead of immediately calling FatalException. This allows user code to catch the exception with try-catch blocks instead of requiring uncaughtException handlers. * Fix CVE-2025-23166: A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across. * Fix CVE-2026-21710: A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`. When this occurs, `dest["__proto__"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by `error` event listeners, meaning it cannot be handled without wrapping every `req.headersDistinct` access in a `try/catch` * Fix CVE-2026-21713: A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possible, this behavior could be exploited as a timing oracle to infer HMAC values. Node.js already provides timing-safe comparison primitives used elsewhere in the codebase, indicating this is an oversight rather than an intentional design decision. * Fix CVE-2026-21714: A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2³¹-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up. Checksums-Sha1: abc992f05b3435f06635bfa79b75b58b4755936a 513504 libnode-dev_18.20.4+dfsg-1~deb12u2_mips64el.deb aaed30d30378d4b03eec51e9d785548f7700ce4a 147070376 libnode108-dbgsym_18.20.4+dfsg-1~deb12u2_mips64el.deb 18ebc8572d6dd726e0b65793f85053dad720b516 8204488 libnode108_18.20.4+dfsg-1~deb12u2_mips64el.deb f2b642dbbdbd73085054ac7941dfe360038a39e3 16480 nodejs-dbgsym_18.20.4+dfsg-1~deb12u2_mips64el.deb 931669bcb7cb29fb1d512b8b7824b30fec17a652 10928 nodejs_18.20.4+dfsg-1~deb12u2_mips64el-buildd.buildinfo 3c5b938e6ffbfa31763bafd0b70ea2c9d3f1b575 321392 nodejs_18.20.4+dfsg-1~deb12u2_mips64el.deb Checksums-Sha256: 27504873ed1ff126b1631fc54e40fffde834b2e799af3c583840955eb964a5c3 513504 libnode-dev_18.20.4+dfsg-1~deb12u2_mips64el.deb 0f3191996fc158f33990577d22d06a319290798a55a062ee5791ea8e3e423203 147070376 libnode108-dbgsym_18.20.4+dfsg-1~deb12u2_mips64el.deb bdcbff0cfbb688316bf24eb818ab6a8db1212442130b99ef12deb65a24e23ea1 8204488 libnode108_18.20.4+dfsg-1~deb12u2_mips64el.deb 7b13eb882312330ebdab48bd3dfd1950aaca909518d76be489c2e2e10632fccb 16480 nodejs-dbgsym_18.20.4+dfsg-1~deb12u2_mips64el.deb 31b380e28fcba57c7349adab4eee3a6af037c604928a4f199e8107148b50e91a 10928 nodejs_18.20.4+dfsg-1~deb12u2_mips64el-buildd.buildinfo 0df23cf88b1a440f6ca46db452ba8ded0f8f9fdcb932823b4cdb9de3a73d3593 321392 nodejs_18.20.4+dfsg-1~deb12u2_mips64el.deb Files: f526ecc508cc310701d2b1a3c20df826 513504 libdevel optional libnode-dev_18.20.4+dfsg-1~deb12u2_mips64el.deb 9ecbdce38fd4b4d5d8096410ed83bd19 147070376 debug optional libnode108-dbgsym_18.20.4+dfsg-1~deb12u2_mips64el.deb 7887cf908957342fd1813519ba471dce 8204488 libs optional libnode108_18.20.4+dfsg-1~deb12u2_mips64el.deb 846c7bac75dbd6d227dad0ea590e4801 16480 debug optional nodejs-dbgsym_18.20.4+dfsg-1~deb12u2_mips64el.deb 3aec6a142ef683979bfae6528c1c60ea 10928 javascript optional nodejs_18.20.4+dfsg-1~deb12u2_mips64el-buildd.buildinfo afe6ca417e13e96b8b996d006863a6c4 321392 javascript optional nodejs_18.20.4+dfsg-1~deb12u2_mips64el.deb -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE7sd7jtCtE5bBJ1Hx/qmHKZssfSAFAmoA0z8ACgkQ/qmHKZss fSAm2hAA0dfEl9ySiagqwO1YxJxcmcjBcQvFSc0OI9x9BglDM/s64sGx1FP4m7EM R6oa1XzEveBVf1TLARN9lC38n7C5U1iOUM4orDx3EfoleN3Jkj4UcKeSSzA2ienp RdpqaUJljRJGr8IgAsnt9gguBYLLz/ODE9vN2kdbUvJSNU8dElF7ee/Co6kRIcrb w7pQcEVlviXBxbllcRlCAsyDgyOZMH+pCuTwEUsCmOpZD/LMcW/8Q+lyEeZP7m0T O5B5GNpqgD5mV+X/L5hFx/GV5bphZL9ioFGtukXiRqyDG5vipXIO3SIhl3gjoqFs Az5fdKk53v42O04emDXu1ZRLvSyO7iSo9BIKs257fH/DHfScJS6OKRzup7z55uIW ZACk2NEHMJpAenTw3FTa02iQ9k++UFat5vle9/+9rsZztc1JRnt3IDSRqF2DfUUw gx878jH9LKiotW41san3uJ6mB0T3BEK+Eg5toXrvxhDPWmMXGSHfuJtM0y/9Dp6w VFY7Yy6J5jd+0BeSlOoonVrIhxs734bQsL+Q/D0JvmFclKqgVA1CYANqjyZdQq+X pjks1TI2jjzLBcULrEFu5OEnH7/3Ug45bz8HLja2ngWMV7DIJh/SedjNfeEZ1sWC KJBZQPxJ54eUXvchMqKDYxHQfa/d1HdK5F2F87o5SaLguF57ab8= =Pvra -----END PGP SIGNATURE-----