An update for nodejs is now available for openEuler-22.03-LTS-SP4 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2025-1274 Final 1.0 1.0 2025-03-14 Initial 2025-03-14 2025-03-14 openEuler SA Tool V1.0 2025-03-14 nodejs security update An update for nodejs is now available for openEuler-22.03-LTS-SP4 Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices. Security Fix(es): A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could lead to increased memory consumption and potential denial of service under certain conditions. This vulnerability affects HTTP/2 Server users on Node.js v18.x, v20.x, v22.x and v23.x.(CVE-2025-23085) An update for nodejs is now available for master/openEuler-20.03-LTS-SP4/openEuler-22.03-LTS-SP3/openEuler-22.03-LTS-SP4/openEuler-24.03-LTS/openEuler-24.03-LTS-Next/openEuler-24.03-LTS-SP1. openEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Medium nodejs https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1274 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-23085 https://nvd.nist.gov/vuln/detail/CVE-2025-23085 openEuler-22.03-LTS-SP4 nodejs-12.22.11-11.oe2203sp4.aarch64.rpm nodejs-debuginfo-12.22.11-11.oe2203sp4.aarch64.rpm nodejs-debugsource-12.22.11-11.oe2203sp4.aarch64.rpm nodejs-devel-12.22.11-11.oe2203sp4.aarch64.rpm nodejs-full-i18n-12.22.11-11.oe2203sp4.aarch64.rpm nodejs-libs-12.22.11-11.oe2203sp4.aarch64.rpm npm-6.14.16-1.12.22.11.11.oe2203sp4.aarch64.rpm v8-devel-7.8.279.23-1.12.22.11.11.oe2203sp4.aarch64.rpm nodejs-12.22.11-11.oe2203sp4.src.rpm nodejs-12.22.11-11.oe2203sp4.x86_64.rpm nodejs-debuginfo-12.22.11-11.oe2203sp4.x86_64.rpm nodejs-debugsource-12.22.11-11.oe2203sp4.x86_64.rpm nodejs-devel-12.22.11-11.oe2203sp4.x86_64.rpm nodejs-full-i18n-12.22.11-11.oe2203sp4.x86_64.rpm nodejs-libs-12.22.11-11.oe2203sp4.x86_64.rpm npm-6.14.16-1.12.22.11.11.oe2203sp4.x86_64.rpm v8-devel-7.8.279.23-1.12.22.11.11.oe2203sp4.x86_64.rpm nodejs-docs-12.22.11-11.oe2203sp4.noarch.rpm A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could lead to increased memory consumption and potential denial of service under certain conditions. This vulnerability affects HTTP/2 Server users on Node.js v18.x, v20.x, v22.x and v23.x. 2025-03-14 CVE-2025-23085 openEuler-22.03-LTS-SP4 Medium 5.3 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L nodejs security update 2025-03-14 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1274