On Thu, 15 May 2025 at 21:51, Salvatore Bonaccorso <car...@debian.org> wrote:
> Source: nodejs
> Version: 20.19.0+dfsg1-1
> Severity: grave
> Tags: security upstream
> X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
>
> Hi,
>
> The following vulnerabilities were published for nodejs.
>
> CVE-2025-23165[0]:
> | Corrupted pointer in node::fs::ReadFileUtf8(const
> | FunctionCallbackInfo<Value>& args) when args[0] is a string
>
>
> CVE-2025-23166[1]:
> | Improper error handling in async cryptographic operations
> | crashes process
>
>
> CVE-2025-23167[2]:
> | Improper HTTP header block termination in llhttp
>

As I read it, it seemed that this affects only llhttp - which is distributed by node-undici right now?

Also https://nodejs.org/en/blog/release/v20.19.2/ mentions
CVE-2024-27982 http: do not allow OBS fold in headers by default

Jérémy