nodejs-lts-iron

Description: Evented I/O for V8 javascript (LTS release: Iron)
Version: 20.19.2-1 [extra]

Resolved

Group | Affected | Fixed | Severity | Status | Ticket
AVG-2873 | 20.19.1-1 | 20.19.2-1 | High | Fixed |
AVG-2853 | 20.11.1-1 | 20.12.1-1 | High | Fixed |

Issue | Group | Severity | Remote | Type | Description
CVE-2025-23167 | AVG-2873 | Medium | Yes | Access restriction bypass | A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using \r\n\rX instead of the required \r\n\r\n. This inconsistency enables...
CVE-2025-23166 | AVG-2873 | High | Yes | Denial of service | Improper error handling in async cryptographic operations crashes process. The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException()...
CVE-2025-23165 | AVG-2873 | Low | Yes | Denial of service | Corrupted pointer in node::fs::ReadFileUtf8(const FunctionCallbackInfo<Value>& args) when args[0] is a string. In Node.js, the ReadFileUtf8 internal...
CVE-2024-27983 | AVG-2853 | High | Yes | Denial of service | An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It...
CVE-2024-27982 | AVG-2853 | Medium | Yes | Insufficient validation | The team has identified a vulnerability in the http server of the most recent version of Node, where malformed headers can lead to HTTP request smuggling....

Advisories

Date | Advisory | Group | Severity | Type
18 May 2025 | ASA-202505-8 | AVG-2873 | High | multiple issues