{ "document":{ "aggregate_severity":{ "namespace":"https://nvd.nist.gov/vuln-metrics/cvss", "text":"Medium" }, "category":"csaf_vex", "csaf_version":"2.0", "distribution":{ "tlp":{ "label":"WHITE", "url":"https:/www.first.org/tlp/" } }, "lang":"en", "notes":[ { "text":"nodejs security update", "category":"general", "title":"Synopsis" }, { "text":"An update for nodejs is now available for openEuler-24.03-LTS-SP1", "category":"general", "title":"Summary" }, { "text":"Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices.\n\nSecurity Fix(es):\n\nA vulnerability has been identified in Node.js, specifically affecting the handling of drive names in the Windows environment. Certain Node.js functions do not treat drive names as special on Windows. As a result, although Node.js assumes a relative path, it actually refers to the root directory.\n\nOn Windows, a path that does not start with the file separator is treated as relative to the current directory. \n\nThis vulnerability affects Windows users of `path.join` API.(CVE-2025-23084)\n\nA memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could lead to increased memory consumption and potential denial of service under certain conditions.\n\nThis vulnerability affects HTTP/2 Server users on Node.js v18.x, v20.x, v22.x and v23.x.(CVE-2025-23085)", "category":"general", "title":"Description" }, { "text":"An update for nodejs is now available for master/openEuler-20.03-LTS-SP4/openEuler-22.03-LTS-SP3/openEuler-22.03-LTS-SP4/openEuler-24.03-LTS/openEuler-24.03-LTS-Next/openEuler-24.03-LTS-SP1.\n\nopenEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.", "category":"general", "title":"Topic" }, { "text":"Medium", "category":"general", "title":"Severity" }, { "text":"nodejs", "category":"general", "title":"Affected Component" } ], "publisher":{ "issuing_authority":"openEuler security committee", "name":"openEuler", "namespace":"https://www.openeuler.org", "contact_details":"openeuler-security@openeuler.org", "category":"vendor" }, "references":[ { "summary":"openEuler-SA-2025-1091", "category":"self", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1091" }, { "summary":"CVE-2025-23084", "category":"self", "url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-23084&packageName=nodejs" }, { "summary":"CVE-2025-23085", "category":"self", "url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-23085&packageName=nodejs" }, { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2025-23084" }, { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2025-23085" }, { "summary":"openEuler-SA-2025-1091 vex file", "category":"self", "url":"https://repo.openeuler.org/security/data/csaf/advisories/2025/csaf-openeuler-sa-2025-1091.json" } ], "title":"An update for nodejs is now available for openEuler-24.03-LTS-SP1", "tracking":{ "initial_release_date":"2025-02-08T20:33:45+08:00", "revision_history":[ { "date":"2025-02-08T20:33:45+08:00", "summary":"Initial", "number":"1.0.0" } ], "generator":{ "date":"2025-02-08T20:33:45+08:00", "engine":{ "name":"openEuler CSAF Tool V1.0" } }, "current_release_date":"2025-02-08T20:33:45+08:00", "id":"openEuler-SA-2025-1091", "version":"1.0.0", "status":"final" } }, "product_tree":{ "branches":[ { "name":"openEuler", "category":"vendor", "branches":[ { "name":"openEuler", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"openEuler-24.03-LTS-SP1", "name":"openEuler-24.03-LTS-SP1" }, "name":"openEuler-24.03-LTS-SP1", "category":"product_version" } ], "category":"product_name" }, { "name":"aarch64", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"nodejs-20.18.2-1.oe2403sp1.aarch64.rpm", "name":"nodejs-20.18.2-1.oe2403sp1.aarch64.rpm" }, "name":"nodejs-20.18.2-1.oe2403sp1.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"nodejs-debuginfo-20.18.2-1.oe2403sp1.aarch64.rpm", "name":"nodejs-debuginfo-20.18.2-1.oe2403sp1.aarch64.rpm" }, "name":"nodejs-debuginfo-20.18.2-1.oe2403sp1.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"nodejs-debugsource-20.18.2-1.oe2403sp1.aarch64.rpm", "name":"nodejs-debugsource-20.18.2-1.oe2403sp1.aarch64.rpm" }, "name":"nodejs-debugsource-20.18.2-1.oe2403sp1.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"nodejs-devel-20.18.2-1.oe2403sp1.aarch64.rpm", "name":"nodejs-devel-20.18.2-1.oe2403sp1.aarch64.rpm" }, "name":"nodejs-devel-20.18.2-1.oe2403sp1.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"nodejs-full-i18n-20.18.2-1.oe2403sp1.aarch64.rpm", "name":"nodejs-full-i18n-20.18.2-1.oe2403sp1.aarch64.rpm" }, "name":"nodejs-full-i18n-20.18.2-1.oe2403sp1.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"nodejs-libs-20.18.2-1.oe2403sp1.aarch64.rpm", "name":"nodejs-libs-20.18.2-1.oe2403sp1.aarch64.rpm" }, "name":"nodejs-libs-20.18.2-1.oe2403sp1.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"npm-10.8.2-1.20.18.2.1.oe2403sp1.aarch64.rpm", "name":"npm-10.8.2-1.20.18.2.1.oe2403sp1.aarch64.rpm" }, "name":"npm-10.8.2-1.20.18.2.1.oe2403sp1.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"v8-devel-11.3.244.8-1.20.18.2.1.oe2403sp1.aarch64.rpm", "name":"v8-devel-11.3.244.8-1.20.18.2.1.oe2403sp1.aarch64.rpm" }, "name":"v8-devel-11.3.244.8-1.20.18.2.1.oe2403sp1.aarch64.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"src", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"nodejs-20.18.2-1.oe2403sp1.src.rpm", "name":"nodejs-20.18.2-1.oe2403sp1.src.rpm" }, "name":"nodejs-20.18.2-1.oe2403sp1.src.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"x86_64", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"nodejs-20.18.2-1.oe2403sp1.x86_64.rpm", "name":"nodejs-20.18.2-1.oe2403sp1.x86_64.rpm" }, "name":"nodejs-20.18.2-1.oe2403sp1.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"nodejs-debuginfo-20.18.2-1.oe2403sp1.x86_64.rpm", "name":"nodejs-debuginfo-20.18.2-1.oe2403sp1.x86_64.rpm" }, "name":"nodejs-debuginfo-20.18.2-1.oe2403sp1.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"nodejs-debugsource-20.18.2-1.oe2403sp1.x86_64.rpm", "name":"nodejs-debugsource-20.18.2-1.oe2403sp1.x86_64.rpm" }, "name":"nodejs-debugsource-20.18.2-1.oe2403sp1.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"nodejs-devel-20.18.2-1.oe2403sp1.x86_64.rpm", "name":"nodejs-devel-20.18.2-1.oe2403sp1.x86_64.rpm" }, "name":"nodejs-devel-20.18.2-1.oe2403sp1.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"nodejs-full-i18n-20.18.2-1.oe2403sp1.x86_64.rpm", "name":"nodejs-full-i18n-20.18.2-1.oe2403sp1.x86_64.rpm" }, "name":"nodejs-full-i18n-20.18.2-1.oe2403sp1.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"nodejs-libs-20.18.2-1.oe2403sp1.x86_64.rpm", "name":"nodejs-libs-20.18.2-1.oe2403sp1.x86_64.rpm" }, "name":"nodejs-libs-20.18.2-1.oe2403sp1.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"npm-10.8.2-1.20.18.2.1.oe2403sp1.x86_64.rpm", "name":"npm-10.8.2-1.20.18.2.1.oe2403sp1.x86_64.rpm" }, "name":"npm-10.8.2-1.20.18.2.1.oe2403sp1.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"v8-devel-11.3.244.8-1.20.18.2.1.oe2403sp1.x86_64.rpm", "name":"v8-devel-11.3.244.8-1.20.18.2.1.oe2403sp1.x86_64.rpm" }, "name":"v8-devel-11.3.244.8-1.20.18.2.1.oe2403sp1.x86_64.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"noarch", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"nodejs-docs-20.18.2-1.oe2403sp1.noarch.rpm", "name":"nodejs-docs-20.18.2-1.oe2403sp1.noarch.rpm" }, "name":"nodejs-docs-20.18.2-1.oe2403sp1.noarch.rpm", "category":"product_version" } ], "category":"architecture" } ] } ], "relationships":[ { "relates_to_product_reference":"openEuler-24.03-LTS-SP1", "product_reference":"nodejs-20.18.2-1.oe2403sp1.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP1:nodejs-20.18.2-1.oe2403sp1.aarch64", "name":"nodejs-20.18.2-1.oe2403sp1.aarch64 as a component of openEuler-24.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP1", "product_reference":"nodejs-debuginfo-20.18.2-1.oe2403sp1.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP1:nodejs-debuginfo-20.18.2-1.oe2403sp1.aarch64", "name":"nodejs-debuginfo-20.18.2-1.oe2403sp1.aarch64 as a component of openEuler-24.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP1", "product_reference":"nodejs-debugsource-20.18.2-1.oe2403sp1.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP1:nodejs-debugsource-20.18.2-1.oe2403sp1.aarch64", "name":"nodejs-debugsource-20.18.2-1.oe2403sp1.aarch64 as a component of openEuler-24.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP1", "product_reference":"nodejs-devel-20.18.2-1.oe2403sp1.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP1:nodejs-devel-20.18.2-1.oe2403sp1.aarch64", "name":"nodejs-devel-20.18.2-1.oe2403sp1.aarch64 as a component of openEuler-24.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP1", "product_reference":"nodejs-full-i18n-20.18.2-1.oe2403sp1.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP1:nodejs-full-i18n-20.18.2-1.oe2403sp1.aarch64", "name":"nodejs-full-i18n-20.18.2-1.oe2403sp1.aarch64 as a component of openEuler-24.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP1", "product_reference":"nodejs-libs-20.18.2-1.oe2403sp1.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP1:nodejs-libs-20.18.2-1.oe2403sp1.aarch64", "name":"nodejs-libs-20.18.2-1.oe2403sp1.aarch64 as a component of openEuler-24.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP1", "product_reference":"npm-10.8.2-1.20.18.2.1.oe2403sp1.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP1:npm-10.8.2-1.20.18.2.1.oe2403sp1.aarch64", "name":"npm-10.8.2-1.20.18.2.1.oe2403sp1.aarch64 as a component of openEuler-24.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP1", "product_reference":"v8-devel-11.3.244.8-1.20.18.2.1.oe2403sp1.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP1:v8-devel-11.3.244.8-1.20.18.2.1.oe2403sp1.aarch64", "name":"v8-devel-11.3.244.8-1.20.18.2.1.oe2403sp1.aarch64 as a component of openEuler-24.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP1", "product_reference":"nodejs-20.18.2-1.oe2403sp1.src.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP1:nodejs-20.18.2-1.oe2403sp1.src", "name":"nodejs-20.18.2-1.oe2403sp1.src as a component of openEuler-24.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP1", "product_reference":"nodejs-20.18.2-1.oe2403sp1.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP1:nodejs-20.18.2-1.oe2403sp1.x86_64", "name":"nodejs-20.18.2-1.oe2403sp1.x86_64 as a component of openEuler-24.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP1", "product_reference":"nodejs-debuginfo-20.18.2-1.oe2403sp1.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP1:nodejs-debuginfo-20.18.2-1.oe2403sp1.x86_64", "name":"nodejs-debuginfo-20.18.2-1.oe2403sp1.x86_64 as a component of openEuler-24.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP1", "product_reference":"nodejs-debugsource-20.18.2-1.oe2403sp1.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP1:nodejs-debugsource-20.18.2-1.oe2403sp1.x86_64", "name":"nodejs-debugsource-20.18.2-1.oe2403sp1.x86_64 as a component of openEuler-24.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP1", "product_reference":"nodejs-devel-20.18.2-1.oe2403sp1.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP1:nodejs-devel-20.18.2-1.oe2403sp1.x86_64", "name":"nodejs-devel-20.18.2-1.oe2403sp1.x86_64 as a component of openEuler-24.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP1", "product_reference":"nodejs-full-i18n-20.18.2-1.oe2403sp1.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP1:nodejs-full-i18n-20.18.2-1.oe2403sp1.x86_64", "name":"nodejs-full-i18n-20.18.2-1.oe2403sp1.x86_64 as a component of openEuler-24.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP1", "product_reference":"nodejs-libs-20.18.2-1.oe2403sp1.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP1:nodejs-libs-20.18.2-1.oe2403sp1.x86_64", "name":"nodejs-libs-20.18.2-1.oe2403sp1.x86_64 as a component of openEuler-24.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP1", "product_reference":"npm-10.8.2-1.20.18.2.1.oe2403sp1.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP1:npm-10.8.2-1.20.18.2.1.oe2403sp1.x86_64", "name":"npm-10.8.2-1.20.18.2.1.oe2403sp1.x86_64 as a component of openEuler-24.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP1", "product_reference":"v8-devel-11.3.244.8-1.20.18.2.1.oe2403sp1.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP1:v8-devel-11.3.244.8-1.20.18.2.1.oe2403sp1.x86_64", "name":"v8-devel-11.3.244.8-1.20.18.2.1.oe2403sp1.x86_64 as a component of openEuler-24.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP1", "product_reference":"nodejs-docs-20.18.2-1.oe2403sp1.noarch.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP1:nodejs-docs-20.18.2-1.oe2403sp1.noarch", "name":"nodejs-docs-20.18.2-1.oe2403sp1.noarch as a component of openEuler-24.03-LTS-SP1" }, "category":"default_component_of" } ] }, "vulnerabilities":[ { "cve":"CVE-2025-23084", "notes":[ { "text":"A vulnerability has been identified in Node.js, specifically affecting the handling of drive names in the Windows environment. Certain Node.js functions do not treat drive names as special on Windows. As a result, although Node.js assumes a relative path, it actually refers to the root directory.\n\nOn Windows, a path that does not start with the file separator is treated as relative to the current directory. \n\nThis vulnerability affects Windows users of `path.join` API.", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":[ "openEuler-24.03-LTS-SP1:nodejs-20.18.2-1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-debuginfo-20.18.2-1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-debugsource-20.18.2-1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-devel-20.18.2-1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-full-i18n-20.18.2-1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-libs-20.18.2-1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:npm-10.8.2-1.20.18.2.1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:v8-devel-11.3.244.8-1.20.18.2.1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-20.18.2-1.oe2403sp1.src", "openEuler-24.03-LTS-SP1:nodejs-20.18.2-1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-debuginfo-20.18.2-1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-debugsource-20.18.2-1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-devel-20.18.2-1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-full-i18n-20.18.2-1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-libs-20.18.2-1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:npm-10.8.2-1.20.18.2.1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:v8-devel-11.3.244.8-1.20.18.2.1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-docs-20.18.2-1.oe2403sp1.noarch" ] }, "remediations":[ { "product_ids":[ "openEuler-24.03-LTS-SP1:nodejs-20.18.2-1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-debuginfo-20.18.2-1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-debugsource-20.18.2-1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-devel-20.18.2-1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-full-i18n-20.18.2-1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-libs-20.18.2-1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:npm-10.8.2-1.20.18.2.1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:v8-devel-11.3.244.8-1.20.18.2.1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-20.18.2-1.oe2403sp1.src", "openEuler-24.03-LTS-SP1:nodejs-20.18.2-1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-debuginfo-20.18.2-1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-debugsource-20.18.2-1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-devel-20.18.2-1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-full-i18n-20.18.2-1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-libs-20.18.2-1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:npm-10.8.2-1.20.18.2.1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:v8-devel-11.3.244.8-1.20.18.2.1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-docs-20.18.2-1.oe2403sp1.noarch" ], "details":"nodejs security update", "category":"vendor_fix", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1091" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"MEDIUM", "baseScore":5.6, "vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N", "version":"3.1" }, "products":[ "openEuler-24.03-LTS-SP1:nodejs-20.18.2-1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-debuginfo-20.18.2-1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-debugsource-20.18.2-1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-devel-20.18.2-1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-full-i18n-20.18.2-1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-libs-20.18.2-1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:npm-10.8.2-1.20.18.2.1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:v8-devel-11.3.244.8-1.20.18.2.1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-20.18.2-1.oe2403sp1.src", "openEuler-24.03-LTS-SP1:nodejs-20.18.2-1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-debuginfo-20.18.2-1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-debugsource-20.18.2-1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-devel-20.18.2-1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-full-i18n-20.18.2-1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-libs-20.18.2-1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:npm-10.8.2-1.20.18.2.1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:v8-devel-11.3.244.8-1.20.18.2.1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-docs-20.18.2-1.oe2403sp1.noarch" ] } ], "threats":[ { "details":"Medium", "category":"impact" } ], "title":"CVE-2025-23084" }, { "cve":"CVE-2025-23085", "notes":[ { "text":"A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could lead to increased memory consumption and potential denial of service under certain conditions.\n\nThis vulnerability affects HTTP/2 Server users on Node.js v18.x, v20.x, v22.x and v23.x.", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":[ "openEuler-24.03-LTS-SP1:nodejs-20.18.2-1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-debuginfo-20.18.2-1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-debugsource-20.18.2-1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-devel-20.18.2-1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-full-i18n-20.18.2-1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-libs-20.18.2-1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:npm-10.8.2-1.20.18.2.1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:v8-devel-11.3.244.8-1.20.18.2.1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-20.18.2-1.oe2403sp1.src", "openEuler-24.03-LTS-SP1:nodejs-20.18.2-1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-debuginfo-20.18.2-1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-debugsource-20.18.2-1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-devel-20.18.2-1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-full-i18n-20.18.2-1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-libs-20.18.2-1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:npm-10.8.2-1.20.18.2.1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:v8-devel-11.3.244.8-1.20.18.2.1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-docs-20.18.2-1.oe2403sp1.noarch" ] }, "remediations":[ { "product_ids":[ "openEuler-24.03-LTS-SP1:nodejs-20.18.2-1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-debuginfo-20.18.2-1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-debugsource-20.18.2-1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-devel-20.18.2-1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-full-i18n-20.18.2-1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-libs-20.18.2-1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:npm-10.8.2-1.20.18.2.1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:v8-devel-11.3.244.8-1.20.18.2.1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-20.18.2-1.oe2403sp1.src", "openEuler-24.03-LTS-SP1:nodejs-20.18.2-1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-debuginfo-20.18.2-1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-debugsource-20.18.2-1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-devel-20.18.2-1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-full-i18n-20.18.2-1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-libs-20.18.2-1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:npm-10.8.2-1.20.18.2.1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:v8-devel-11.3.244.8-1.20.18.2.1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-docs-20.18.2-1.oe2403sp1.noarch" ], "details":"nodejs security update", "category":"vendor_fix", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1091" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"MEDIUM", "baseScore":5.3, "vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version":"3.1" }, "products":[ "openEuler-24.03-LTS-SP1:nodejs-20.18.2-1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-debuginfo-20.18.2-1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-debugsource-20.18.2-1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-devel-20.18.2-1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-full-i18n-20.18.2-1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-libs-20.18.2-1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:npm-10.8.2-1.20.18.2.1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:v8-devel-11.3.244.8-1.20.18.2.1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-20.18.2-1.oe2403sp1.src", "openEuler-24.03-LTS-SP1:nodejs-20.18.2-1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-debuginfo-20.18.2-1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-debugsource-20.18.2-1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-devel-20.18.2-1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-full-i18n-20.18.2-1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-libs-20.18.2-1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:npm-10.8.2-1.20.18.2.1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:v8-devel-11.3.244.8-1.20.18.2.1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-docs-20.18.2-1.oe2403sp1.noarch" ] } ], "threats":[ { "details":"Medium", "category":"impact" } ], "title":"CVE-2025-23085" } ] }