Arch Linux Security Advisory ASA-202505-8 ========================================= Severity: High Date : 2025-05-18 CVE-ID : CVE-2025-23165 CVE-2025-23166 CVE-2025-23167 Package : nodejs-lts-iron Type : multiple issues Remote : Yes Link : https://security.archlinux.org/AVG-2873 Summary ======= The package nodejs-lts-iron before version 20.19.2-1 is vulnerable to multiple issues including denial of service and access restriction bypass. Resolution ========== Upgrade to 20.19.2-1. # pacman -Syu "nodejs-lts-iron>=20.19.2-1" The problems have been fixed upstream in version 20.19.2. Workaround ========== None. Description =========== - CVE-2025-23165 (denial of service) Corrupted pointer in node::fs::ReadFileUtf8(const FunctionCallbackInfo<Value>& args) when args[0] is a string. In Node.js, the ReadFileUtf8 internal binding leaks memory due to a corrupted pointer in uv_fs_s.file: a UTF-16 path buffer is allocated but subsequently overwritten when the file descriptor is set. This results in an unrecoverable memory leak on every call. Repeated use can cause unbounded memory growth, leading to a denial of service. - CVE-2025-23166 (denial of service) Improper error handling in async cryptographic operations crashes process. The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentially allows an adversary to remotely crash a Node.js runtime. - CVE-2025-23167 (access restriction bypass) A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using \r\n\rX instead of the required \r\n\r\n. This inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests. The issue was resolved by upgrading llhttp to version 9, which enforces correct header termination. Impact ====== A remote attacker can exploit multiple vulnerabilities in Node.js to cause a denial of service or bypass access restrictions. Improper error handling and memory management flaws may crash the process or lead to unbounded memory usage, while an HTTP parsing inconsistency in Node.js 20.x can enable request smuggling, allowing attackers to evade proxy- based access controls and submit unauthorized requests. References ========== https://nodejs.org/en/blog/vulnerability/may-2025-security-releases https://nodejs.org/en/blog/vulnerability/may-2025-security-releases#corrupted-pointer-in-nodefsreadfileutf8const-functioncallbackinfovalue-args-when-args0-is-a-string-cve-2025-23165---low https://nodejs.org/en/blog/vulnerability/may-2025-security-releases#improper-error-handling-in-async-cryptographic-operations-crashes-process-cve-2025-23166---high https://nodejs.org/en/blog/vulnerability/may-2025-security-releases#improper-http-header-block-termination-in-llhttp-cve-2025-23167---medium https://security.archlinux.org/CVE-2025-23165 https://security.archlinux.org/CVE-2025-23166 https://security.archlinux.org/CVE-2025-23167