-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Mon, 06 Apr 2026 16:18:52 +0200 Source: nodejs Binary: libnode-dev libnode108 libnode108-dbgsym nodejs nodejs-dbgsym Architecture: mipsel Version: 18.20.4+dfsg-1~deb12u2 Distribution: bookworm-security Urgency: medium Maintainer: mipsel Build Daemon (mipsel-osuosl-05) Changed-By: Bastien Roucariès Description: libnode-dev - evented I/O for V8 javascript (development files) libnode108 - evented I/O for V8 javascript - runtime library nodejs - evented I/O for V8 javascript - runtime executable Closes: 1094134 1105832 Changes: nodejs (18.20.4+dfsg-1~deb12u2) bookworm-security; urgency=medium . * Team upload * Fix CVE-2025-23085: A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could lead to increased memory consumption and potential denial of service under certain conditions (Closes: #1094134) * Fix CVE-2025-23166: The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentially allows an adversary to remotely crash a Node.js runtime. (Closes: #1105832) * Fix CVE-2025-55131: A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption. While exploitation typically requires precise timing or in-process code execution, it can become remotely exploitable when untrusted input influences workload and timeouts, leading to potential confidentiality and integrity impact. * Fix CVE-2025-59465: A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets, for example: ``` server.on('secureConnection', socket => { socket.on('error', err => { console.log(err) }) }) ``` * Fix CVE-2025-59466: async_hooks would cause stack overflow exceptions to exit with code 7 (kExceptionInFatalExceptionHandler) instead of being catchable. When a stack overflow exception occurs during async_hooks callbacks (which use TryCatchScope::kFatal), detect the specific "Maximum call stack size exceeded" RangeError and re-throw it instead of immediately calling FatalException. This allows user code to catch the exception with try-catch blocks instead of requiring uncaughtException handlers. * Fix CVE-2025-23166: A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across. * Fix CVE-2026-21710: A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`. When this occurs, `dest["__proto__"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by `error` event listeners, meaning it cannot be handled without wrapping every `req.headersDistinct` access in a `try/catch` * Fix CVE-2026-21713: A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possible, this behavior could be exploited as a timing oracle to infer HMAC values. Node.js already provides timing-safe comparison primitives used elsewhere in the codebase, indicating this is an oversight rather than an intentional design decision. * Fix CVE-2026-21714: A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2³¹-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up. Checksums-Sha1: 5a7c7c6f2448b175356fb4041aac49464e1019ed 513564 libnode-dev_18.20.4+dfsg-1~deb12u2_mipsel.deb 46d770589519a6268ebda921e7c754f940edb726 13123784 libnode108-dbgsym_18.20.4+dfsg-1~deb12u2_mipsel.deb 8296af19663a7c4a9094a8652f2f120d21936af3 8380220 libnode108_18.20.4+dfsg-1~deb12u2_mipsel.deb 09788d07081bf6439a3e57b37ba197d74dbe0b80 3028 nodejs-dbgsym_18.20.4+dfsg-1~deb12u2_mipsel.deb a1d11507942b75ffae73a81423ef95c60d476b1b 10881 nodejs_18.20.4+dfsg-1~deb12u2_mipsel-buildd.buildinfo 724d5fdeac9be712a1dfaa2ed0929275bec691a2 321292 nodejs_18.20.4+dfsg-1~deb12u2_mipsel.deb Checksums-Sha256: bb425b5f10d3ef822a00c634c73203836db06b0d844be3364226c4161fe51f89 513564 libnode-dev_18.20.4+dfsg-1~deb12u2_mipsel.deb bf4dd9672e29dde556ae074db598203d327805c5f78268799811fdfa445ccb78 13123784 libnode108-dbgsym_18.20.4+dfsg-1~deb12u2_mipsel.deb 97576370b268c978f9d5205f16fcbd2ee47093c356c01e4ad78b4589dd8292ae 8380220 libnode108_18.20.4+dfsg-1~deb12u2_mipsel.deb af3fadfc48900303e0a1ee357f336b8447bdb92393653f0ba3c7998eb94aa498 3028 nodejs-dbgsym_18.20.4+dfsg-1~deb12u2_mipsel.deb 1bf1f9e1177613c6dce0f0f48ef12420ca17ca99460bffd4819f964f0ed6ec68 10881 nodejs_18.20.4+dfsg-1~deb12u2_mipsel-buildd.buildinfo a9a8768b6fae53aea96d3ffabadd6e157952bcddf765ca303a1cd9f327e5b7b3 321292 nodejs_18.20.4+dfsg-1~deb12u2_mipsel.deb Files: 4f44f14c41b65ca0fe92cf2fd4a97d14 513564 libdevel optional libnode-dev_18.20.4+dfsg-1~deb12u2_mipsel.deb 40c3e1b0be70bed576a43b68c7f01db0 13123784 debug optional libnode108-dbgsym_18.20.4+dfsg-1~deb12u2_mipsel.deb 50715856ff93fa8ffe5b0ff2581e8f24 8380220 libs optional libnode108_18.20.4+dfsg-1~deb12u2_mipsel.deb de622c24640686ba0e3787d3f98e33d3 3028 debug optional nodejs-dbgsym_18.20.4+dfsg-1~deb12u2_mipsel.deb 113c8c34434336489bdeb27e264a0b77 10881 javascript optional nodejs_18.20.4+dfsg-1~deb12u2_mipsel-buildd.buildinfo 520b7ebf8637256277e14f83da18c5e3 321292 javascript optional nodejs_18.20.4+dfsg-1~deb12u2_mipsel.deb -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE4ZxaH3zEHAF/GhnCHrk2gTKeWggFAmoBASgACgkQHrk2gTKe WgjhDA//agbFOr1VgQbAou1893SjFvYaEmVHB1UzzHLEIYtTPriKwo+UWM9tIJdt 5kyE2jhWN6U5J8DGyd9Oak26GRxB21A5PI2GcYAKaJFL9rwqpibWHfT8+rELbfEF UiwEFSPdORvJHXC3OOXyjGBfkwY3MoSi14rsDD22ukxP7RvGP+VpHKPvrcToiBqW PNJguQ48GLPtyNLMW0iWIvDmOiLnrGVEWtbbJl+nlUvEIOzFRStOBwM7/bJhu+8x MyUV888YwGPfDFTXVBcCY0wJCogk1PPRgCR312iVy2/I8NOqhC6FEFzJLh65wKR3 s2AMKwVB8nSYEZ8bY5nX0uVJE4ycXolCPQ46FRSNPgabNfPpoxtDN8KZvQMNwVvF j9DzkSxUN/INV5r+V2P6VkCfwOgPVA6oAJUoAvRTmd9t6B4ZRvVp7HUTbovAv6id byw4431SdVHo4GToUfXqGpcinqE3jnKGyYLSqgFGZFKIGpxI7NPlCJJ3MaCNdo06 ogTbb2VeETB8a7RuxOcxQM9rWR0dHceZKU10rL0AOAHM5kefXyJ/1Bh1BvFe5e63 jlnTBVK22hsLn1yCBKnCahPkpkiZ58QSefJwZTZ+UnLCTLbA8TldDWqWE3GyiZsd JLMNykWL/55uJqxHzuibihGZAGLvFJc48ghILD5CQRQ1EIon13c= =dcHs -----END PGP SIGNATURE-----