AVG-2873 log

Package	nodejs-lts-iron
Status	Fixed
Severity	High
Type	multiple issues
Affected	20.19.1-1
Fixed	20.19.2-1
Current	20.19.6-1 [extra]
Ticket	None
Created	Sun May 18 23:46:15 2025

Issue	Severity	Remote	Type	Description
CVE-2025-23167	Medium	Yes	Access restriction bypass	A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using \r\n\rX instead of the required \r\n\r\n. This inconsistency enables...
CVE-2025-23166	High	Yes	Denial of service	Improper error handling in async cryptographic operations crashes process. The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException()...
CVE-2025-23165	Low	Yes	Denial of service	Corrupted pointer in node::fs::ReadFileUtf8(const FunctionCallbackInfo<Value>& args) when args[0] is a string. In Node.js, the ReadFileUtf8 internal...

Issue

Severity

Remote

Type

Description

CVE-2025-23167

Medium

Yes

Access restriction bypass

A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using \r\n\rX instead of the required \r\n\r\n. This inconsistency enables...

CVE-2025-23166

High

Yes

Denial of service

Improper error handling in async cryptographic operations crashes process.  The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException()...

CVE-2025-23165

Low

Yes

Denial of service

Corrupted pointer in node::fs::ReadFileUtf8(const FunctionCallbackInfo<Value>& args) when args[0] is a string.  In Node.js, the ReadFileUtf8 internal...

Date	Advisory	Package	Type
18 May 2025	ASA-202505-8	nodejs-lts-iron	multiple issues

References
https://nodejs.org/en/blog/vulnerability/may-2025-security-releases