CVE-2025-23085

Denial of Service
Affects
Node.js
4.0 < 18.20.6, 20 < 20.18.2
in
Node.js
Node.js NES
Exclamation circle icon
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs

Overview

Node.js is a JavaScript runtime built on Chrome's V8 JavaScript engine. It offers an event-driven, non-blocking I/O model that makes it lightweight and efficient, and is widely used in server-side applications.

An Denial of Service vulnerability has been identified in Node.js. The issue stems from a memory leak that could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. This weakness allows attackers to cause increased memory consumption and potential denial of service under certain conditions.

This vulnerability affects specific versions of the package and can result in denial of service. Details on affected versions and reproduction steps are provided below.

Details

Module Info


Affected packages: Node.js

Affected versions: 4.0 < 18.20.6, 20 < 20.18.2

GitHub repository: https://github.com/nodejs/node

Published packages: https://github.com/nodejs/node/releases

Package manager: npm

Fixed in: Node.js NES version 12, 14, 16

Vulnerability Info

The issue stems from a memory leak when a remote peer closes the socket without sending a GOAWAY notification.

For instance, in HTTP/2 Server users on Node.js, if an invalid header is detected, the connection is terminated by the peer, triggering the same leak. This behavior can be exploited by attackers to cause denial of service.

This vulnerability is a result of flawed logic, and may allow attackers to cause increased memory consumption.


- https://nodejs.org/en/blog/vulnerability/january-2025-security-releases

- https://owasp.org/www-community/attacks/Denial_of_Service

Credits


- newtmitch

Mitigation

This vulnerability is not fixed upstream due to the release line being EOL. Herodevs has issued patched builds under the NES (Never Ending Support) line.


- Update to a LTS version of Node.js

- Leverage a commercial support partner like HeroDevs for post-EOL security.

Refer to the NES Documentation for upgrade instructions.

Vulnerability Details
ID
CVE-2025-23085
PROJECT Affected
Node.js
Versions Affected
4.0 < 18.20.6, 20 < 20.18.2
Published date
February 7, 2025
≈ Fix date
April 30, 2025
Fixed in
Severity
Medium
Category
Denial of Service
Sign up for the latest vulnerability alerts fixed in
Node.js NES
Rss feed icon
Subscribe via RSS
or
Thanks for signing up for our Newsletter! We look forward to connecting with you.
Oops! Something went wrong while submitting the form.