ASA-202505-7 log generated external raw

[ASA-202505-7] nodejs-lts-jod: denial of service
Arch Linux Security Advisory ASA-202505-7 ========================================= Severity: High Date : 2025-05-18 CVE-ID : CVE-2025-23165 CVE-2025-23166 Package : nodejs-lts-jod Type : denial of service Remote : Yes Link : https://security.archlinux.org/AVG-2872 Summary ======= The package nodejs-lts-jod before version 22.15.1-1 is vulnerable to denial of service. Resolution ========== Upgrade to 22.15.1-1. # pacman -Syu "nodejs-lts-jod>=22.15.1-1" The problems have been fixed upstream in version 22.15.1. Workaround ========== None. Description =========== - CVE-2025-23165 (denial of service) Corrupted pointer in node::fs::ReadFileUtf8(const FunctionCallbackInfo<Value>& args) when args[0] is a string. In Node.js, the ReadFileUtf8 internal binding leaks memory due to a corrupted pointer in uv_fs_s.file: a UTF-16 path buffer is allocated but subsequently overwritten when the file descriptor is set. This results in an unrecoverable memory leak on every call. Repeated use can cause unbounded memory growth, leading to a denial of service. - CVE-2025-23166 (denial of service) Improper error handling in async cryptographic operations crashes process. The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentially allows an adversary to remotely crash a Node.js runtime. Impact ====== A remote attacker can exploit improper error handling and memory management flaws in Node.js to crash the process or exhaust system resources, leading to a denial of service. Specifically, malformed input may trigger a crash in asynchronous cryptographic operations, while repeated use of file system APIs with crafted input may cause unbounded memory growth. References ========== https://nodejs.org/en/blog/vulnerability/may-2025-security-releases https://nodejs.org/en/blog/vulnerability/may-2025-security-releases#corrupted-pointer-in-nodefsreadfileutf8const-functioncallbackinfovalue-args-when-args0-is-a-string-cve-2025-23165---low https://nodejs.org/en/blog/vulnerability/may-2025-security-releases#improper-error-handling-in-async-cryptographic-operations-crashes-process-cve-2025-23166---high https://security.archlinux.org/CVE-2025-23165 https://security.archlinux.org/CVE-2025-23166

[ASA-202505-7] nodejs-lts-jod: denial of service

Arch Linux Security Advisory ASA-202505-7 ========================================= Severity: High Date : 2025-05-18 CVE-ID : CVE-2025-23165 CVE-2025-23166 Package : nodejs-lts-jod Type : denial of service Remote : Yes Link : https://security.archlinux.org/AVG-2872 Summary ======= The package nodejs-lts-jod before version 22.15.1-1 is vulnerable to denial of service. Resolution ========== Upgrade to 22.15.1-1. # pacman -Syu "nodejs-lts-jod>=22.15.1-1" The problems have been fixed upstream in version 22.15.1. Workaround ========== None. Description =========== - CVE-2025-23165 (denial of service) Corrupted pointer in node::fs::ReadFileUtf8(const FunctionCallbackInfo<Value>& args) when args[0] is a string. In Node.js, the ReadFileUtf8 internal binding leaks memory due to a corrupted pointer in uv_fs_s.file: a UTF-16 path buffer is allocated but subsequently overwritten when the file descriptor is set. This results in an unrecoverable memory leak on every call. Repeated use can cause unbounded memory growth, leading to a denial of service. - CVE-2025-23166 (denial of service) Improper error handling in async cryptographic operations crashes process. The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentially allows an adversary to remotely crash a Node.js runtime. Impact ====== A remote attacker can exploit improper error handling and memory management flaws in Node.js to crash the process or exhaust system resources, leading to a denial of service. Specifically, malformed input may trigger a crash in asynchronous cryptographic operations, while repeated use of file system APIs with crafted input may cause unbounded memory growth. References ========== https://nodejs.org/en/blog/vulnerability/may-2025-security-releases https://nodejs.org/en/blog/vulnerability/may-2025-security-releases#corrupted-pointer-in-nodefsreadfileutf8const-functioncallbackinfovalue-args-when-args0-is-a-string-cve-2025-23165---low https://nodejs.org/en/blog/vulnerability/may-2025-security-releases#improper-error-handling-in-async-cryptographic-operations-crashes-process-cve-2025-23166---high https://security.archlinux.org/CVE-2025-23165 https://security.archlinux.org/CVE-2025-23166