Format: 1.8
Date: Mon, 06 Apr 2026 16:18:52 +0200
Source: nodejs
Binary: libnode-dev libnode108 libnode108-dbgsym nodejs nodejs-dbgsym
Architecture: s390x
Version: 18.20.4+dfsg-1~deb12u2
Distribution: bookworm-security
Urgency: medium
Maintainer: s390x Build Daemon (zani) <buildd_s390x-zani@buildd.debian.org>
Changed-By: Bastien Roucariès <rouca@debian.org>
Description:
 libnode-dev - evented I/O for V8 javascript (development files)
 libnode108 - evented I/O for V8 javascript - runtime library
 nodejs     - evented I/O for V8 javascript - runtime executable
Closes: 1094134 1105832
Changes:
 nodejs (18.20.4+dfsg-1~deb12u2) bookworm-security; urgency=medium
 .
   * Team upload
   * Fix CVE-2025-23085:
     A memory leak could occur when a remote peer abruptly closes
     the socket without sending a GOAWAY notification. Additionally,
     if an invalid header was detected by nghttp2, causing the
     connection to be terminated by the peer, the same leak was
     triggered. This flaw could lead to increased memory consumption
     and potential denial of service under certain conditions
     (Closes: #1094134)
   * Fix CVE-2025-23166:
     The C++ method SignTraits::DeriveBits() may incorrectly call
     ThrowException() based on user-supplied inputs when executing
     in a background thread, crashing the Node.js process.
     Such cryptographic operations are commonly applied to
     untrusted inputs. Thus, this mechanism potentially allows
     an adversary to remotely crash a Node.js runtime.
     (Closes: #1105832)
   * Fix CVE-2025-55131:
     A flaw in Node.js's buffer allocation logic can expose uninitialized
     memory when allocations are interrupted, when using the `vm` module
     with the timeout option. Under specific timing conditions, buffers
     allocated with `Buffer.alloc` and other `TypedArray` instances like
     `Uint8Array` may contain leftover data from previous operations,
     allowing in-process secrets like tokens or passwords to leak or
     causing data corruption. While exploitation typically requires precise
     timing or in-process code execution, it can become remotely
     exploitable when untrusted input influences workload and timeouts,
     leading to potential confidentiality and integrity impact.
   * Fix CVE-2025-59465:
     A malformed `HTTP/2 HEADERS` frame with oversized, invalid
     `HPACK` data can cause Node.js to crash by triggering an
     unhandled `TLSSocket` error `ECONNRESET`. Instead of safely
     closing the connection, the process crashes, enabling a remote
     denial of service. This primarily affects applications that
     do not attach explicit error handlers to secure sockets,
     for example:
     ```
     server.on('secureConnection', socket => {
       socket.on('error', err => { console.log(err) })
     })
     ```
   * Fix CVE-2025-59466:
     async_hooks would cause stack overflow
     exceptions to exit with code 7 (kExceptionInFatalExceptionHandler)
     instead of being catchable.
     When a stack overflow exception occurs during async_hooks callbacks
     (which use TryCatchScope::kFatal), detect the specific "Maximum call
     stack size exceeded" RangeError and re-throw it instead of immediately
     calling FatalException. This allows user code to catch the exception
     with try-catch blocks instead of requiring uncaughtException handlers.
   * Fix CVE-2025-23166:
     A flaw in Node.js TLS error handling allows remote attackers to crash
     or exhaust resources of a TLS server when `pskCallback` or
     `ALPNCallback` are in use. Synchronous exceptions thrown during these
     callbacks bypass standard TLS error handling paths (tlsClientError and
     error), causing either immediate process termination or silent file
     descriptor leaks that eventually lead to denial of service. Because
     these callbacks process attacker-controlled input during the TLS
     handshake, a remote client can repeatedly trigger the issue. This
     vulnerability affects TLS servers using PSK or ALPN callbacks across.
   * Fix CVE-2026-21710:
     A flaw in Node.js HTTP request handling causes an uncaught `TypeError`
     when a request is received with a header named `__proto__` and the
     application accesses `req.headersDistinct`. When this occurs,
     `dest["__proto__"]` resolves to `Object.prototype` rather than
     `undefined`, causing `.push()` to be called on a non-array. This
     exception is thrown synchronously inside a property getter and cannot
     be intercepted by `error` event listeners, meaning it cannot be
     handled without wrapping every `req.headersDistinct` access in a
     `try/catch`.
   * Fix CVE-2026-21713:
     A flaw in Node.js HMAC verification uses a non-constant-time
     comparison when validating user-provided signatures, potentially
     leaking timing information proportional to the number of matching
     bytes. Under certain threat models where high-resolution timing
     measurements are possible, this behavior could be exploited as a
     timing oracle to infer HMAC values. Node.js already provides
     timing-safe comparison primitives used elsewhere in the codebase,
     indicating this is an oversight rather than an intentional design
     decision.
   * Fix CVE-2026-21714:
     A memory leak occurs in Node.js HTTP/2 servers when a client sends
     WINDOW_UPDATE frames on stream 0 (connection-level) that cause the
     flow control window to exceed the maximum value of 2³¹-1. The server
     correctly sends a GOAWAY frame, but the Http2Session object is never
     cleaned up.
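The `__proto__` header failure described for CVE-2026-21710 above, as an added example that is not from the Debian changelog or the Node.js code base: a naive plain-object grouping of a constructed raw header list beside a null-prototype version, with the same collision shown for a header named `constructor`, which a plain object inherits in the same way. `groupHeadersNaive`, `groupHeadersSafe`, `tryGroup` and the sample header list are assumptions made for this demonstration.

```javascript
// Added example (not from the Debian changelog or Node.js source): a naive
// "distinct headers" grouping versus a prototype-safe one, illustrating the
// __proto__ failure mode described for CVE-2026-21710. Function names and
// the header list are constructed for this demonstration.

// Raw header list in Node's rawHeaders layout: [name, value, name, value, ...].
// The "__proto__" entry is the hostile header name (constructed input).
const SAMPLE_RAW_HEADERS = [
  'Host', 'example.invalid',
  'X-Forwarded-For', '10.0.0.1',
  'X-Forwarded-For', '10.0.0.2',
  '__proto__', 'polluted',
];

// Naive grouping into a plain object. dest["__proto__"] (and dest["constructor"])
// resolve to inherited members of Object.prototype, so the "seen before"
// branch runs and .push() is called on a non-array, throwing a TypeError.
function groupHeadersNaive(raw) {
  const dest = {};
  for (let i = 0; i < raw.length; i += 2) {
    const name = raw[i].toLowerCase();
    if (dest[name] === undefined) {
      dest[name] = [raw[i + 1]];
    } else {
      dest[name].push(raw[i + 1]); // TypeError for "__proto__" / "constructor"
    }
  }
  return dest;
}

// Hardened grouping: a null-prototype object has no inherited "__proto__"
// accessor or "constructor", so any header name is an ordinary own property.
// The own-property check never consults a prototype chain.
function groupHeadersSafe(raw) {
  const dest = Object.create(null);
  for (let i = 0; i < raw.length; i += 2) {
    const name = raw[i].toLowerCase();
    if (!Object.prototype.hasOwnProperty.call(dest, name)) {
      dest[name] = [raw[i + 1]];
    } else {
      dest[name].push(raw[i + 1]);
    }
  }
  return dest;
}

// Defensive wrapper for callers that cannot patch the grouping itself: the
// TypeError is synchronous, so only a try/catch around the access contains it.
function tryGroup(fn, raw) {
  try { return fn(raw); } catch (e) { return e instanceof TypeError ? null : e; }
}
```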
