{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-23085", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "state": "PUBLISHED", "assignerShortName": "hackerone", "dateReserved": "2025-01-10T19:05:52.771Z", "datePublished": "2025-02-07T07:09:25.804Z", "dateUpdated": "2025-02-25T13:07:47.090Z"}, "containers": {"cna": {"descriptions": [{"lang": "en", "value": "A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could lead to increased memory consumption and potential denial of service under certain conditions.\r\n\r\nThis vulnerability affects HTTP/2 Server users on Node.js v18.x, v20.x, v22.x and v23.x."}], "affected": [{"defaultStatus": "unaffected", "vendor": "nodejs", "product": "node", "versions": [{"version": "18.20.5", "status": "affected", "lessThanOrEqual": "18.20.5", "versionType": "semver"}, {"version": "20.18.1", "status": "affected", "lessThanOrEqual": "20.18.1", "versionType": "semver"}, {"version": "22.13.0", "status": "affected", "lessThanOrEqual": "22.13.0", "versionType": "semver"}, {"version": "23.6.0", "status": "affected", "lessThanOrEqual": "23.6.0", "versionType": "semver"}]}], "references": [{"url": "https://nodejs.org/en/blog/vulnerability/january-2025-security-releases"}], "metrics": [{"cvssV3_0": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2025-02-07T07:09:25.804Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-401", "lang": "en", "description": "CWE-401 Missing Release of Memory after Effective Lifetime"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-02-07T15:50:24.935972Z", "id": "CVE-2025-23085", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-07T15:57:11.221Z"}}, {"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2025/02/msg00031.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-02-25T13:07:47.090Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2025/02/msg00031.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-02-25T13:07:47.090Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-23085", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-02-07T15:50:24.935972Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-401", "description": "CWE-401 Missing Release of Memory after Effective Lifetime"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-07T15:50:27.384Z"}}], "cna": {"metrics": [{"cvssV3_0": {"version": "3.0", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}}], "affected": [{"vendor": "nodejs", "product": "node", "versions": [{"status": "affected", "version": "18.20.5", "versionType": "semver", "lessThanOrEqual": "18.20.5"}, {"status": "affected", "version": "20.18.1", "versionType": "semver", "lessThanOrEqual": "20.18.1"}, {"status": "affected", "version": "22.13.0", "versionType": "semver", "lessThanOrEqual": "22.13.0"}, {"status": "affected", "version": "23.6.0", "versionType": "semver", "lessThanOrEqual": "23.6.0"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://nodejs.org/en/blog/vulnerability/january-2025-security-releases"}], "descriptions": [{"lang": "en", "value": "A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could lead to increased memory consumption and potential denial of service under certain conditions.\r\n\r\nThis vulnerability affects HTTP/2 Server users on Node.js v18.x, v20.x, v22.x and v23.x."}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2025-02-07T07:09:25.804Z"}}}, "cveMetadata": {"cveId": "CVE-2025-23085", "state": "PUBLISHED", "dateUpdated": "2025-02-25T13:07:47.090Z", "dateReserved": "2025-01-10T19:05:52.771Z", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "datePublished": "2025-02-07T07:09:25.804Z", "assignerShortName": "hackerone"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could lead to increased memory consumption and potential denial of service under certain conditions.\r\n\r\nThis vulnerability affects HTTP/2 Server users on Node.js v18.x, v20.x, v22.x and v23.x."}, {"lang": "es", "value": "Se podr\u00eda producir una p\u00e9rdida de memoria cuando un par remoto cierra abruptamente el socket sin enviar una notificaci\u00f3n GOAWAY. Adem\u00e1s, si nghttp2 detectaba un encabezado no v\u00e1lido, lo que hac\u00eda que el par terminara la conexi\u00f3n, se activaba la misma p\u00e9rdida. Esta falla podr\u00eda provocar un mayor consumo de memoria y una posible denegaci\u00f3n de servicio en determinadas condiciones. Esta vulnerabilidad afecta a los usuarios del servidor HTTP/2 en Node.js v18.x, v20.x, v22.x y v23.x."}], "id": "CVE-2025-23085", "lastModified": "2025-02-25T13:15:11.103", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "support@hackerone.com", "type": "Secondary"}]}, "published": "2025-02-07T07:15:15.810", "references": [{"source": "support@hackerone.com", "url": "https://nodejs.org/en/blog/vulnerability/january-2025-security-releases"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2025/02/msg00031.html"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-401"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2025:1351", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "nodejs:20-8100020250203134842.489197e6", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2025-02-12T00:00:00Z"}, {"advisory": "RHSA-2025:1582", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "nodejs:18-8100020250207121904.489197e6", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2025-02-17T00:00:00Z"}, {"advisory": "RHSA-2025:1611", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "nodejs:22-8100020250130144944.6d880403", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2025-02-17T00:00:00Z"}, {"advisory": "RHSA-2025:1443", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "nodejs:20-9050020250130114516.rhel9", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2025-02-13T00:00:00Z"}, {"advisory": "RHSA-2025:1446", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "nodejs:18-9050020250206154514.rhel9", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2025-02-13T00:00:00Z"}, {"advisory": "RHSA-2025:1613", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "nodejs:22-9050020250131131518.rhel9", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2025-02-17T00:00:00Z"}], "bugzilla": {"description": "nodejs: GOAWAY HTTP/2 frames cause memory leak outside heap", "id": "2342618", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2342618"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "verified"}, "cwe": "CWE-400", "details": ["A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could lead to increased memory consumption and potential denial of service under certain conditions.\nThis vulnerability affects HTTP/2 Server users on Node.js v18.x, v20.x, v22.x and v23.x.", "A vulnerability was found in NodeJS when handling HTTP/2 connections, where the remote peer abruptly closes the socket without sending the proper HTTP/2 notification to the server, leading to a memory leak. This flaw allows an attacker to force the targeted process in the targeted host to an uncontrollable resource consumption state, starving the process and possibly other processes running at the same host to memory starvation, leading to a denial of service."], "mitigation": {"lang": "en:us", "value": "There's no available mitigation for this issue other than updating to the package version which contains the fix."}, "name": "CVE-2025-23085", "public_date": "2025-01-21T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-23085\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-23085"], "threat_severity": "Moderate"}