-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Mon, 06 Apr 2026 16:18:52 +0200 Source: nodejs Binary: libnode-dev libnode108 libnode108-dbgsym nodejs nodejs-dbgsym Architecture: ppc64el Version: 18.20.4+dfsg-1~deb12u2 Distribution: bookworm-security Urgency: medium Maintainer: ppc64el Build Daemon (ppc64el-conova-01) Changed-By: Bastien Roucariès Description: libnode-dev - evented I/O for V8 javascript (development files) libnode108 - evented I/O for V8 javascript - runtime library nodejs - evented I/O for V8 javascript - runtime executable Closes: 1094134 1105832 Changes: nodejs (18.20.4+dfsg-1~deb12u2) bookworm-security; urgency=medium . * Team upload * Fix CVE-2025-23085: A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could lead to increased memory consumption and potential denial of service under certain conditions (Closes: #1094134) * Fix CVE-2025-23166: The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentially allows an adversary to remotely crash a Node.js runtime. (Closes: #1105832) * Fix CVE-2025-55131: A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption. While exploitation typically requires precise timing or in-process code execution, it can become remotely exploitable when untrusted input influences workload and timeouts, leading to potential confidentiality and integrity impact. * Fix CVE-2025-59465: A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets, for example: ``` server.on('secureConnection', socket => { socket.on('error', err => { console.log(err) }) }) ``` * Fix CVE-2025-59466: async_hooks would cause stack overflow exceptions to exit with code 7 (kExceptionInFatalExceptionHandler) instead of being catchable. When a stack overflow exception occurs during async_hooks callbacks (which use TryCatchScope::kFatal), detect the specific "Maximum call stack size exceeded" RangeError and re-throw it instead of immediately calling FatalException. This allows user code to catch the exception with try-catch blocks instead of requiring uncaughtException handlers. * Fix CVE-2025-23166: A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across. * Fix CVE-2026-21710: A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`. When this occurs, `dest["__proto__"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by `error` event listeners, meaning it cannot be handled without wrapping every `req.headersDistinct` access in a `try/catch` * Fix CVE-2026-21713: A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possible, this behavior could be exploited as a timing oracle to infer HMAC values. Node.js already provides timing-safe comparison primitives used elsewhere in the codebase, indicating this is an oversight rather than an intentional design decision. * Fix CVE-2026-21714: A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2³¹-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up. Checksums-Sha1: 4968a0a84c5a1e18d12e2a218b69542254e30c2f 513516 libnode-dev_18.20.4+dfsg-1~deb12u2_ppc64el.deb 70b33557c28d0d693386bba9a4c3d2861a76a89b 885514896 libnode108-dbgsym_18.20.4+dfsg-1~deb12u2_ppc64el.deb 8da5f922b154b8392bacd88cf8a3ca51c2716f0d 10872408 libnode108_18.20.4+dfsg-1~deb12u2_ppc64el.deb 57129629a486918f817dd08f0618948bb496985d 68932 nodejs-dbgsym_18.20.4+dfsg-1~deb12u2_ppc64el.deb 952a46d1697890ab686bb90d159e1c8b9cb8d4a2 11130 nodejs_18.20.4+dfsg-1~deb12u2_ppc64el-buildd.buildinfo d267459e3f695d24e32b0329544ba79271e1413a 321388 nodejs_18.20.4+dfsg-1~deb12u2_ppc64el.deb Checksums-Sha256: 6b1d5fb402b0e1324de882f104b433fad82206ba891b6afe5180a233186e5d14 513516 libnode-dev_18.20.4+dfsg-1~deb12u2_ppc64el.deb a18b4dd18b8784ca1260c4d63bb145c82adf55b8f194cda7d21c6ff222328034 885514896 libnode108-dbgsym_18.20.4+dfsg-1~deb12u2_ppc64el.deb 0aa7733b5b4c147a937a11861ad476e7d88be6f68e055f1cd4022c4f962ac8d5 10872408 libnode108_18.20.4+dfsg-1~deb12u2_ppc64el.deb 9ded4d430c1e1719fa57cc0650cc9bdfea41656e85dde7ebefa5820ce92258da 68932 nodejs-dbgsym_18.20.4+dfsg-1~deb12u2_ppc64el.deb a971b354d31cf2ed5263a868027dc4df1dc2dcd42491249b4ce3f3e992d98799 11130 nodejs_18.20.4+dfsg-1~deb12u2_ppc64el-buildd.buildinfo 4d91b6c70b70efd49c76defbc8b533d7e0999cbc5abc9874d9d1f85e2198d1b5 321388 nodejs_18.20.4+dfsg-1~deb12u2_ppc64el.deb Files: d11e81b6ee8cd093208bb6100b63756a 513516 libdevel optional libnode-dev_18.20.4+dfsg-1~deb12u2_ppc64el.deb b4e662ec01b6272f3c4cae2261a7c0af 885514896 debug optional libnode108-dbgsym_18.20.4+dfsg-1~deb12u2_ppc64el.deb 76050cf6557158b564522ad240468673 10872408 libs optional libnode108_18.20.4+dfsg-1~deb12u2_ppc64el.deb e79e271d3ad0be207a0a9c4563b75eb0 68932 debug optional nodejs-dbgsym_18.20.4+dfsg-1~deb12u2_ppc64el.deb dc38460cd66977497c73f2f96aae089d 11130 javascript optional nodejs_18.20.4+dfsg-1~deb12u2_ppc64el-buildd.buildinfo 63c006ab3fefddbd8b9b7ab0254e0847 321388 javascript optional nodejs_18.20.4+dfsg-1~deb12u2_ppc64el.deb -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEDoRc43uRWMOoIqIgDNLUPhbmg7MFAmoAsyUACgkQDNLUPhbm g7MWahAAqWnXVp8KZuiWDwE5TlLg6E6uLOnZ9t4TlZDOq2Vu8Wbh0pvaEYFp1Yvn QwePyTl37NNFkBvfHXQ1nY2WBgBdXK86DHcT44s8Uuq5k0rw0IciYwAq3qlY5TH7 qMW7igQZVYkMOXRJnLWYSdiKeiX+/UKN69+9qo2u0nbb/Xv7Gol1Us+fw6CI4v3E R5gL5yebG6vyrUE2XKUXeZ/qLRsBi0D1ArcUQKX7TzmgMZHxv8XaOEs8n/EcKG0a /IYqDk/dfxHB3vOI5Dr53rTd+upNmR0A3KQU8cg9upvXwEmIpD1tvj0KJBCf3Iba fjg8JtvDaS/JNLzGOcl/xdDv+uMVrBvzWrglgfy+Ync8hboyfQbi60DomRUnlQoC 9TW/Fgb7a99E08AM+BE26PDf7eB2CSZWsJqNaUatI33DDHD+ir1neYlbVHhDfd0I pZi1Sc2g4jySBuBaeCEfsnrNI6bGJobstTqPHLqN8sg280/w5xRUc/nOp5HtLXT4 SByNKv40FHYxEqhOqQXdr3eCD964T5y0/DmUUccX6j3QFt6f9ZkttLgqnO1/VHRF K9HnKVcJwazR8j8RKO51sms5zPgCH2ptk5PmMBuLtQBhgEgeZ6nSOtpNuiYHWyDX yAC/ZodgVK/Pn4QNaiO+ythM8Adsb5aLk0lnYzUvKd49TvQ7xwo= =jcwG -----END PGP SIGNATURE-----