Control: retitle -1 CVE-2025-23165 CVE-2025-23166

On Thu, May 15, 2025 at 10:50:34PM +0200, Jérémy Lal wrote:
> On Thu, 15 May 2025 at 21:51, Salvatore Bonaccorso <car...@debian.org>
> wrote:
>
> > Source: nodejs
> > Version: 20.19.0+dfsg1-1
> > Severity: grave
> > Tags: security upstream
> > X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
> >
> > Hi,
> >
> > The following vulnerabilities were published for nodejs.
> >
> > CVE-2025-23165[0]:
> > | Corrupted pointer in node::fs::ReadFileUtf8(const
> > | FunctionCallbackInfo<Value>& args) when args[0] is a string
> >
> >
> > CVE-2025-23166[1]:
> > | Improper error handling in async cryptographic operations
> > | crashes process
> >
> >
> > CVE-2025-23167[2]:
> > | Improper HTTP header block termination in llhttp
> >
>
> As I read it, it seemed that this affects only llhttp - which is
> distributed by node-undici right now?

Let's track this bug only for CVE-2025-23165 CVE-2025-23166, adjusting
the metadata. I have not checked node-undici.

Regards,
Salvatore