[ASA-202505-6] nodejs: denial of service
Arch Linux Security Advisory ASA-202505-6
=========================================

Severity: High
Date    : 2025-05-18
CVE-ID  : CVE-2025-23166
Package : nodejs
Type    : denial of service
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2871

Summary
=======

The package nodejs before version 23.11.1-1 is vulnerable to denial of
service.

Resolution
==========

Upgrade to 23.11.1-1.

# pacman -Syu "nodejs>=23.11.1-1"

The problem has been fixed upstream in version 23.11.1.

Workaround
==========

None.

Description
===========

Improper error handling in async cryptographic operations crashes
process.

The C++ method SignTraits::DeriveBits() may incorrectly call
ThrowException() based on user-supplied inputs when executing in a
background thread, crashing the Node.js process. Such cryptographic
operations are commonly applied to untrusted inputs. Thus, this
mechanism potentially allows an adversary to remotely crash a Node.js
runtime.

Impact
======

A remote attacker can exploit improper error handling in Node.js’s
asynchronous cryptographic operations to crash the process, leading to a
denial of service.

References
==========

https://nodejs.org/en/blog/vulnerability/may-2025-security-releases
https://nodejs.org/en/blog/vulnerability/may-2025-security-releases#improper-error-handling-in-async-cryptographic-operations-crashes-process-cve-2025-23166---high
https://security.archlinux.org/CVE-2025-23166
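
A check to go with the Resolution section, added here as an example and not part of the advisory: it reports whether a given nodejs package version predates the fixed release 23.11.1-1. The function names are hypothetical, the sample versions in the loop are constructed, and the sort -V fallback is an approximation of pacman's vercmp for hosts where vercmp is not installed.

```shell
#!/bin/sh
# Added example: report whether an Arch nodejs package version predates the
# fix named in ASA-202505-6. FIXED comes from the advisory; the function
# names are hypothetical.
FIXED="23.11.1-1"

# ver_lt A B: succeed when version A sorts strictly before version B.
# Uses pacman's vercmp when present; otherwise falls back to GNU sort -V,
# an approximation that is adequate for plain numeric pkgver-pkgrel strings.
ver_lt() {
    [ "$1" = "$2" ] && return 1
    if command -v vercmp >/dev/null 2>&1; then
        [ "$(vercmp "$1" "$2")" -lt 0 ]
    else
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
    fi
}

# nodejs_status VERSION: print "affected" or "fixed" for a package version.
nodejs_status() {
    if ver_lt "$1" "$FIXED"; then
        echo affected
    else
        echo fixed
    fi
}

# check_installed: query pacman for the installed nodejs package, if any.
# Returns 0 when the package is absent or fixed, 1 when affected, 2 when
# pacman is not available.
check_installed() {
    command -v pacman >/dev/null 2>&1 || { echo "pacman not found"; return 2; }
    ver=$(pacman -Q nodejs 2>/dev/null | awk '{print $2}')
    [ -n "$ver" ] || { echo "nodejs not installed"; return 0; }
    status=$(nodejs_status "$ver")
    echo "nodejs $ver: $status"
    [ "$status" = fixed ]
}

# Constructed sample versions, so the logic can be exercised off an Arch host.
for v in 23.9.0-1 23.11.0-2 23.11.1-1 24.0.1-1; do
    echo "$v -> $(nodejs_status "$v")"
done
```

On an Arch host, call check_installed after sourcing the script; a non-zero exit status of 1 means the installed package still needs the upgrade shown in the Resolution section.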