-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 06 Apr 2026 16:18:52 +0200
Source: nodejs
Binary: libnode-dev libnode108 libnode108-dbgsym nodejs nodejs-dbgsym
Architecture: armel
Version: 18.20.4+dfsg-1~deb12u2
Distribution: bookworm-security
Urgency: medium
Maintainer: armel Build Daemon (arm-conova-02) <buildd_arm64-arm-conova-02@buildd.debian.org>
Changed-By: Bastien Roucariès <rouca@debian.org>
Description:
 libnode-dev - evented I/O for V8 javascript (development files)
 libnode108 - evented I/O for V8 javascript - runtime library
 nodejs     - evented I/O for V8 javascript - runtime executable
Closes: 1094134 1105832
Changes:
 nodejs (18.20.4+dfsg-1~deb12u2) bookworm-security; urgency=medium
 .
   * Team upload
   * Fix CVE-2025-23085:
     A memory leak could occur when a remote peer abruptly closes
     the socket without sending a GOAWAY notification. Additionally,
     if an invalid header was detected by nghttp2, causing the
     connection to be terminated by the peer, the same leak was
     triggered. This flaw could lead to increased memory consumption
     and potential denial of service under certain conditions
     (Closes: #1094134)
   * Fix CVE-2025-23166:
     The C++ method SignTraits::DeriveBits() may incorrectly call
     ThrowException() based on user-supplied inputs when executing
     in a background thread, crashing the Node.js process.
     Such cryptographic operations are commonly applied to
     untrusted inputs. Thus, this mechanism potentially allows
     an adversary to remotely crash a Node.js runtime.
     (Closes: #1105832)
   * Fix CVE-2025-55131:
     A flaw in Node.js's buffer allocation logic can expose uninitialized
     memory when allocations are interrupted, when using the `vm` module
     with the timeout option. Under specific timing conditions, buffers
     allocated with `Buffer.alloc` and other `TypedArray` instances like
     `Uint8Array` may contain leftover data from previous operations,
     allowing in-process secrets like tokens or passwords to leak or
     causing data corruption. While exploitation typically requires precise
     timing or in-process code execution, it can become remotely
     exploitable when untrusted input influences workload and timeouts,
     leading to potential confidentiality and integrity impact.
   * Fix CVE-2025-59465:
     A malformed `HTTP/2 HEADERS` frame with oversized, invalid
     `HPACK` data can cause Node.js to crash by triggering an
     unhandled `TLSSocket` error `ECONNRESET`. Instead of safely
     closing the connection, the process crashes, enabling a remote
     denial of service. This primarily affects applications that
     do not attach explicit error handlers to secure sockets,
     for example:
       server.on('secureConnection', socket => {
         socket.on('error', err => { console.log(err) })
       })
   * Fix CVE-2025-59466:
     async_hooks would cause stack overflow
     exceptions to exit with code 7 (kExceptionInFatalExceptionHandler)
     instead of being catchable.
     When a stack overflow exception occurs during async_hooks callbacks
     (which use TryCatchScope::kFatal), detect the specific "Maximum call
     stack size exceeded" RangeError and re-throw it instead of immediately
     calling FatalException. This allows user code to catch the exception
     with try-catch blocks instead of requiring uncaughtException handlers.
   * Fix CVE-2025-23166:
     A flaw in Node.js TLS error handling allows remote attackers to crash
     or exhaust resources of a TLS server when `pskCallback` or
     `ALPNCallback` are in use. Synchronous exceptions thrown during these
     callbacks bypass standard TLS error handling paths (tlsClientError and
     error), causing either immediate process termination or silent file
     descriptor leaks that eventually lead to denial of service. Because
     these callbacks process attacker-controlled input during the TLS
     handshake, a remote client can repeatedly trigger the issue. This
     vulnerability affects TLS servers using PSK or ALPN callbacks across.
   * Fix CVE-2026-21710:
     A flaw in Node.js HTTP request handling causes an uncaught `TypeError`
     when a request is received with a header named `__proto__` and the
     application accesses `req.headersDistinct`. When this occurs,
     `dest["__proto__"]` resolves to `Object.prototype` rather than
     `undefined`, causing `.push()` to be called on a non-array. This
     exception is thrown synchronously inside a property getter and cannot
     be intercepted by `error` event listeners, meaning it cannot be
     handled without wrapping every `req.headersDistinct` access in a
     `try/catch`.
   * Fix CVE-2026-21713:
     A flaw in Node.js HMAC verification uses a non-constant-time
     comparison when validating user-provided signatures, potentially
     leaking timing information proportional to the number of matching
     bytes. Under certain threat models where high-resolution timing
     measurements are possible, this behavior could be exploited as a
     timing oracle to infer HMAC values. Node.js already provides
     timing-safe comparison primitives used elsewhere in the codebase,
     indicating this is an oversight rather than an intentional design
     decision.
   * Fix CVE-2026-21714:
     A memory leak occurs in Node.js HTTP/2 servers when a client sends
     WINDOW_UPDATE frames on stream 0 (connection-level) that cause the
     flow control window to exceed the maximum value of 2³¹-1. The server
     correctly sends a GOAWAY frame, but the Http2Session object is never
     cleaned up.
Checksums-Sha1:
 0bf3b09bdf95a4052fe015639ea909a6b828cc2d 513476 libnode-dev_18.20.4+dfsg-1~deb12u2_armel.deb
 98ce837a0e398af06185a2369f89155e6d19ad16 33501988 libnode108-dbgsym_18.20.4+dfsg-1~deb12u2_armel.deb
 3cf3aaae4dfd021966db45b0f83fc71bc53c9546 8977532 libnode108_18.20.4+dfsg-1~deb12u2_armel.deb
 e3212fcca1739914fc1bc78072bde5160fcfa063 3268 nodejs-dbgsym_18.20.4+dfsg-1~deb12u2_armel.deb
 b9690b9ac23501b8fbad2e32b34089d3d225d83c 11022 nodejs_18.20.4+dfsg-1~deb12u2_armel-buildd.buildinfo
 8d6f9e16f5c98f82e8248d987d515276b96c5119 321180 nodejs_18.20.4+dfsg-1~deb12u2_armel.deb
Checksums-Sha256:
 5623c2bc158708d9e1776532cd0324980f102cb168cb202ee232a869096ade1e 513476 libnode-dev_18.20.4+dfsg-1~deb12u2_armel.deb
 936462dab838c4bf61e4a8445688b1c48612d14e8bffc0dbcec6bb7fe279eb3b 33501988 libnode108-dbgsym_18.20.4+dfsg-1~deb12u2_armel.deb
 714fb07f0391477846295434f80eb370abd51f27f2aeea42ffea33c030ee30ce 8977532 libnode108_18.20.4+dfsg-1~deb12u2_armel.deb
 613ca3a94951b79d99f05eea449aede2aedcf4494e9fb0ddcdd9f608e3be3418 3268 nodejs-dbgsym_18.20.4+dfsg-1~deb12u2_armel.deb
 96b4ef641d319dc175554e675edda75214e2c282ca6ec3cc26380a089cd6ee5a 11022 nodejs_18.20.4+dfsg-1~deb12u2_armel-buildd.buildinfo
 a32317c91fb70378073f38c737755f784a5dcc931c17772e20cc1ac0ce5b5ba9 321180 nodejs_18.20.4+dfsg-1~deb12u2_armel.deb
Files:
 f5f138c58cb91038d860e1b6e284360a 513476 libdevel optional libnode-dev_18.20.4+dfsg-1~deb12u2_armel.deb
 53800f7043ad87d01a10c56fe80e1202 33501988 debug optional libnode108-dbgsym_18.20.4+dfsg-1~deb12u2_armel.deb
 3b122ec3fe1e5f2927d1666c48429010 8977532 libs optional libnode108_18.20.4+dfsg-1~deb12u2_armel.deb
 2f387d95f78059cb3a3381b73ae0a3ac 3268 debug optional nodejs-dbgsym_18.20.4+dfsg-1~deb12u2_armel.deb
 9d02fcc3d064a3bd6f01f09cd5f836a8 11022 javascript optional nodejs_18.20.4+dfsg-1~deb12u2_armel-buildd.buildinfo
 739d08ce30770f5cf01ac69f5a33d2d5 321180 javascript optional nodejs_18.20.4+dfsg-1~deb12u2_armel.deb

-----BEGIN PGP SIGNATURE-----
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=sBpM
-----END PGP SIGNATURE-----
