Hi Jérémy,

On Thu, May 15, 2025 at 10:50:34PM +0200, Jérémy Lal wrote:
> On Thu, May 15, 2025 at 21:51, Salvatore Bonaccorso <car...@debian.org> wrote:
>
> > Source: nodejs
> > Version: 20.19.0+dfsg1-1
> > Severity: grave
> > Tags: security upstream
> > X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
> >
> > Hi,
> >
> > The following vulnerabilities were published for nodejs.
> >
> > CVE-2025-23165[0]:
> > | Corrupted pointer in node::fs::ReadFileUtf8(const
> > | FunctionCallbackInfo<Value>& args) when args[0] is a string
> >
> >
> > CVE-2025-23166[1]:
> > | Improper error handling in async cryptographic operations
> > | crashes process
> >
> >
> > CVE-2025-23167[2]:
> > | Improper HTTP header block termination in llhttp
> >
>
> As I read it, it seemed that this affects only llhttp - which is
> distributed by node-undici right now?
>
> Also https://nodejs.org/en/blog/release/v20.19.2/ mentions
> CVE-2024-27982 http: do not allow OBS fold in headers by default

Thanks, will have a look at what we need to change for the tracking
information on security-tracker!

Regards,
Salvatore