Source: nodejs
Version: 20.19.0+dfsg1-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerabilities were published for nodejs.

CVE-2025-23165[0]:
| Corrupted pointer in node::fs::ReadFileUtf8(const
| FunctionCallbackInfo<Value>& args) when args[0] is a string


CVE-2025-23166[1]:
| Improper error handling in async cryptographic operations
| crashes process


CVE-2025-23167[2]:
| Improper HTTP header block termination in llhttp


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-23165
    https://www.cve.org/CVERecord?id=CVE-2025-23165
    https://nodejs.org/en/blog/vulnerability/may-2025-security-releases#corrupted-pointer-in-nodefsreadfileutf8const-functioncallbackinfovalue-args-when-args0-is-a-string-cve-2025-23165---low
[1] https://security-tracker.debian.org/tracker/CVE-2025-23166
    https://www.cve.org/CVERecord?id=CVE-2025-23166
    https://nodejs.org/en/blog/vulnerability/may-2025-security-releases#improper-error-handling-in-async-cryptographic-operations-crashes-process-cve-2025-23166---high
[2] https://security-tracker.debian.org/tracker/CVE-2025-23167
    https://www.cve.org/CVERecord?id=CVE-2025-23167
    https://nodejs.org/en/blog/vulnerability/may-2025-security-releases#improper-http-header-block-termination-in-llhttp-cve-2025-23167---medium

Regards,
Salvatore
