An update for nodejs is now available for openEuler-24.03-LTS-SP1 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2025-1534 Final 1.0 1.0 2025-05-23 Initial 2025-05-23 2025-05-23 openEuler SA Tool V1.0 2025-05-23 nodejs security update An update for nodejs is now available for openEuler-24.03-LTS-SP1 Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices. Security Fix(es): In Node.js, the `ReadFileUtf8` internal binding leaks memory due to a corrupted pointer in `uv_fs_s.file`: a UTF-16 path buffer is allocated but subsequently overwritten when the file descriptor is set. This results in an unrecoverable memory leak on every call. Repeated use can cause unbounded memory growth, leading to a denial of service. Impact: * This vulnerability affects APIs relying on `ReadFileUtf8` on Node.js release lines: v20 and v22.(CVE-2025-23165) The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentially allows an adversary to remotely crash a Node.js runtime.(CVE-2025-23166) An update for nodejs is now available for openEuler-24.03-LTS-SP1. openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. High nodejs https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1534 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-23165 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-23166 https://nvd.nist.gov/vuln/detail/CVE-2025-23165 https://nvd.nist.gov/vuln/detail/CVE-2025-23166 openEuler-24.03-LTS-SP1 nodejs-20.18.2-3.oe2403sp1.aarch64.rpm nodejs-debuginfo-20.18.2-3.oe2403sp1.aarch64.rpm nodejs-debugsource-20.18.2-3.oe2403sp1.aarch64.rpm nodejs-devel-20.18.2-3.oe2403sp1.aarch64.rpm nodejs-full-i18n-20.18.2-3.oe2403sp1.aarch64.rpm nodejs-libs-20.18.2-3.oe2403sp1.aarch64.rpm npm-10.8.2-1.20.18.2.3.oe2403sp1.aarch64.rpm v8-devel-11.3.244.8-1.20.18.2.3.oe2403sp1.aarch64.rpm nodejs-20.18.2-3.oe2403sp1.src.rpm nodejs-20.18.2-3.oe2403sp1.x86_64.rpm nodejs-debuginfo-20.18.2-3.oe2403sp1.x86_64.rpm nodejs-debugsource-20.18.2-3.oe2403sp1.x86_64.rpm nodejs-devel-20.18.2-3.oe2403sp1.x86_64.rpm nodejs-full-i18n-20.18.2-3.oe2403sp1.x86_64.rpm nodejs-libs-20.18.2-3.oe2403sp1.x86_64.rpm npm-10.8.2-1.20.18.2.3.oe2403sp1.x86_64.rpm v8-devel-11.3.244.8-1.20.18.2.3.oe2403sp1.x86_64.rpm nodejs-docs-20.18.2-3.oe2403sp1.noarch.rpm In Node.js, the `ReadFileUtf8` internal binding leaks memory due to a corrupted pointer in `uv_fs_s.file`: a UTF-16 path buffer is allocated but subsequently overwritten when the file descriptor is set. This results in an unrecoverable memory leak on every call. Repeated use can cause unbounded memory growth, leading to a denial of service. Impact: * This vulnerability affects APIs relying on `ReadFileUtf8` on Node.js release lines: v20 and v22. 2025-05-23 CVE-2025-23165 openEuler-24.03-LTS-SP1 Low 3.7 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L nodejs security update 2025-05-23 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1534 The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentially allows an adversary to remotely crash a Node.js runtime. 2025-05-23 CVE-2025-23166 openEuler-24.03-LTS-SP1 High 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H nodejs security update 2025-05-23 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1534