Severity
5.3 MEDIUM
EPSS
0.2%
top 62.59%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published Feb 7
Latest update Jul 15

Description

A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could lead to increased memory consumption and potential denial of service under certain conditions. This vulnerability affects HTTP/2 Server users on Node.js v18.x, v20.x, v22.x and v23.x.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Exploitability: 3.9 | Impact: 1.4

Affected Packages

3 packages
CVEListV5 nodejs/node 4.04.* +19
Alpine nodejs < 22.13.1-r0 +2
Debian nodejs < 12.22.12~dfsg-1~deb11u6 +2

🔴 Vulnerability Details

4
OSV
CVE-2025-23085: A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification (2025-02-07)
GHSA
GHSA-qv9x-c8c9-rpr8: A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification (2025-02-07)
CVEList
CVE-2025-23085: A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification (2025-02-07)
OSV
CVE-2025-23085: A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification (2025-02-07)

📋 Vendor Advisories

3
Oracle
Oracle Oracle Blockchain Platform Risk Matrix: BCS Console (Node.js) — CVE-2025-23085 (2025-07-15)
Red Hat
nodejs: GOAWAY HTTP/2 frames cause memory leak outside heap (2025-01-21)
Debian
CVE-2025-23085: nodejs - A memory leak could occur when a remote peer abruptly closes the socket without ... (2025)