-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Mon, 06 Apr 2026 16:18:52 +0200 Source: nodejs Binary: libnode-dev libnode108 libnode108-dbgsym nodejs nodejs-dbgsym Architecture: armhf Version: 18.20.4+dfsg-1~deb12u2 Distribution: bookworm-security Urgency: medium Maintainer: armhf Build Daemon (arm-ubc-06) Changed-By: Bastien Roucariès Description: libnode-dev - evented I/O for V8 javascript (development files) libnode108 - evented I/O for V8 javascript - runtime library nodejs - evented I/O for V8 javascript - runtime executable Closes: 1094134 1105832 Changes: nodejs (18.20.4+dfsg-1~deb12u2) bookworm-security; urgency=medium . * Team upload * Fix CVE-2025-23085: A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could lead to increased memory consumption and potential denial of service under certain conditions (Closes: #1094134) * Fix CVE-2025-23166: The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentially allows an adversary to remotely crash a Node.js runtime. (Closes: #1105832) * Fix CVE-2025-55131: A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption. While exploitation typically requires precise timing or in-process code execution, it can become remotely exploitable when untrusted input influences workload and timeouts, leading to potential confidentiality and integrity impact. * Fix CVE-2025-59465: A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets, for example: ``` server.on('secureConnection', socket => { socket.on('error', err => { console.log(err) }) }) ``` * Fix CVE-2025-59466: async_hooks would cause stack overflow exceptions to exit with code 7 (kExceptionInFatalExceptionHandler) instead of being catchable. When a stack overflow exception occurs during async_hooks callbacks (which use TryCatchScope::kFatal), detect the specific "Maximum call stack size exceeded" RangeError and re-throw it instead of immediately calling FatalException. This allows user code to catch the exception with try-catch blocks instead of requiring uncaughtException handlers. * Fix CVE-2025-23166: A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across. * Fix CVE-2026-21710: A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`. When this occurs, `dest["__proto__"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by `error` event listeners, meaning it cannot be handled without wrapping every `req.headersDistinct` access in a `try/catch` * Fix CVE-2026-21713: A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possible, this behavior could be exploited as a timing oracle to infer HMAC values. Node.js already provides timing-safe comparison primitives used elsewhere in the codebase, indicating this is an oversight rather than an intentional design decision. * Fix CVE-2026-21714: A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2³¹-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up. Checksums-Sha1: 26b26d74b8b0d35ddf0a319da0037d85ba570a4e 513476 libnode-dev_18.20.4+dfsg-1~deb12u2_armhf.deb 25b2a6528cbe4411ff07ad58a23e217f959aeda8 33503696 libnode108-dbgsym_18.20.4+dfsg-1~deb12u2_armhf.deb 610568c6474c760155b5d9586772e28e9cccc931 9002716 libnode108_18.20.4+dfsg-1~deb12u2_armhf.deb 8f1d52141acb0355966ffa8eb5971466e406c6b5 3256 nodejs-dbgsym_18.20.4+dfsg-1~deb12u2_armhf.deb c726f7277d109bcf3fbe53a4eac694382bf82cfc 10950 nodejs_18.20.4+dfsg-1~deb12u2_armhf-buildd.buildinfo 08585142237b357c5d9b81f5c079b956db11dc84 321148 nodejs_18.20.4+dfsg-1~deb12u2_armhf.deb Checksums-Sha256: fd45a2c3cac6163d630c9518f892d9ecd5bb87d3450327183aba7131925c8722 513476 libnode-dev_18.20.4+dfsg-1~deb12u2_armhf.deb 65c90f60640fb9f7a64c77cfb4635d63c15b4fd3a63b50045fe48c5bfe689a4d 33503696 libnode108-dbgsym_18.20.4+dfsg-1~deb12u2_armhf.deb 9581ab7d948090ea408ffcfdc01092e3ba23d96dc7672751ad471f71b27dca41 9002716 libnode108_18.20.4+dfsg-1~deb12u2_armhf.deb 631d4eab49ae8bf21a93a3d987b0b3e725479cd5848362488fcfd6f9553901dc 3256 nodejs-dbgsym_18.20.4+dfsg-1~deb12u2_armhf.deb ec9dcb0b8f5a37a2e8f22f0ce076fcb635bedd35289dcf15f5d5b1e5b6056698 10950 nodejs_18.20.4+dfsg-1~deb12u2_armhf-buildd.buildinfo 1bcd622d13ce542fafbbf1b3b1a48fca4dbba1937ef4ef094ba83f6e0900d469 321148 nodejs_18.20.4+dfsg-1~deb12u2_armhf.deb Files: 299a85f9e66e0955cfaad03f69114473 513476 libdevel optional libnode-dev_18.20.4+dfsg-1~deb12u2_armhf.deb 10162339a3dc234660ae71e439ef849d 33503696 debug optional libnode108-dbgsym_18.20.4+dfsg-1~deb12u2_armhf.deb 779386295113d25aae0b40715571734b 9002716 libs optional libnode108_18.20.4+dfsg-1~deb12u2_armhf.deb cc539bf2e6ff1f5d069f130223944864 3256 debug optional nodejs-dbgsym_18.20.4+dfsg-1~deb12u2_armhf.deb d51de421317d8a7deabfc37f4940d728 10950 javascript optional nodejs_18.20.4+dfsg-1~deb12u2_armhf-buildd.buildinfo 15dd6e845ffba386b0d1ebb4a39ae281 321148 javascript optional nodejs_18.20.4+dfsg-1~deb12u2_armhf.deb -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEBOUsBrtd5lcy6oRfutMAkCxKbL0FAmoA1AQACgkQutMAkCxK bL3Bgw/+JVciQF++oEZS0WU1ymnjZRqnez5UgIbbtyxCsVyT+wUiapB9v+xDmJos Pei/51xFgGoAw3eitG4xG2uW0VgwOPXd9SIScrJk+ICOOJLaBEsuODFZ/J5bWviU TbiWB+SCddSyIyVSI4uMuxZErzvyoVd0L2op7PMaJo0jCkP5jAMgNHCsIU3bKYvC u1fCoFdxWqGJFk+wq7k/AADAiuLaWA/kT/A1jgwQvYNtJZDz0czfQ/3PCrVHGhoq dsC6XKBssujgiQihYG8vT9qbAMEfy6fwsNJBlnUHpgFeqbeb+hzal4Xnwdkj4nI5 uK2ZMC1zGap8GErl/jBIwWYcvAB5etgDbHDHvE7CFOiNTvPrgvBCcIAJMSkHdWHx z2VWg4rvRKmDUjyKLu28eWCSVSyi1g7qGgjHdZRHESAGEWZ7lYez/BQMXpDaJc1H sqRVhhtYr2iO5vt+C4yv1yHiNMZe6MqPjEWXD9c3BF8FUHrzvkOeuy/94TtiazIU WCEIF1UCx6u4jsIoDtya/zYUe7m6SHCIqvBh8+/1953V3f6MYLNqdKxtxnkUnbgf A3Yl6vcq3+d2zwamoWf11+H9ftrQSG925LWl0Y+gXEq5qB0A5Rs03gcRIygKmYsT T4/2bByz/nmGkJohwOo1Oy2JflT2Uv7YDsTXYFg4nbwekf62330= =VCnT -----END PGP SIGNATURE-----