cbcvebase.

Debian Nodejs vulnerabilities

134 known vulnerabilities affecting debian/nodejs.

Total CVEs: 134
CISA KEV: 0
Public exploits: 3
Exploited in wild: 0
Severity breakdown: CRITICAL 6, HIGH 33, MEDIUM 19, LOW 76

Vulnerabilities

Page 1 of 7
CVE-2026-21637 | HIGH | CVSS 7.5 | fixed in nodejs 22.22.2+dfsg+~cs22.19.15-1 (forky) | 2026
CVE-2026-21637 [HIGH]: nodejs - A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventuall
debian
CVE-2026-21710 | HIGH | CVSS 7.5 | fixed in nodejs 22.22.2+dfsg+~cs22.19.15-1 (forky) | 2026
CVE-2026-21710 [HIGH]: nodejs - A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`. When this occurs, `dest["__proto__"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called on a non-array. This exception is thrown synchronously inside
debian
CVE-2026-21717 | MEDIUM | CVSS 5.9 | fixed in nodejs 22.22.2+dfsg+~cs22.19.15-1 (forky) | 2026
CVE-2026-21717 [MEDIUM]: nodejs - A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade performance of the Node.js process. The most common trigger is any endpoint that calls `JSON
debian
CVE-2026-21713 | MEDIUM | CVSS 5.9 | fixed in nodejs 22.22.2+dfsg+~cs22.19.15-1 (forky) | 2026
CVE-2026-21713 [MEDIUM]: nodejs - A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possible, this behavior could be exploited as a timing oracle to infer HMAC values. Node.js al
debian
CVE-2026-21714 | MEDIUM | CVSS 5.3 | fixed in nodejs 22.22.2+dfsg+~cs22.19.15-1 (forky) | 2026
CVE-2026-21714 [MEDIUM]: nodejs - A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2³¹-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up. This vulnerability affects HTTP2 users on Node.js 20, 22, 24 and 25. Scope: local b
debian
CVE-2026-21636 | LOW | CVSS 10.0 | 2026
CVE-2026-21636 [CRITICAL]: nodejs - A flaw in Node.js's permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when `--permission` is enabled. Even without `--allow-net`, attacker-controlled inputs (such as URLs or socketPath options) can connect to arbitrary local sockets via net, tls, or undici/fetch. This breaks the intended security boundary of the permissio
debian
CVE-2026-21712 | LOW | CVSS 5.7 | 2026
CVE-2026-21712 [MEDIUM]: nodejs - A flaw in Node.js URL processing causes an assertion failure in native code when `url.format()` is called with a malformed internationalized domain name (IDN) containing invalid characters, crashing the Node.js process. Scope: local bookworm: resolved bullseye: resolved forky: resolved sid: resolved trixie: resolved
debian
CVE-2026-21716 | LOW | CVSS 3.3 | fixed in nodejs 22.22.2+dfsg+~cs22.19.15-1 (forky) | 2026
CVE-2026-21716 [LOW]: nodejs - An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and `FileHandle.chown()` in the promises API without the required permission checks, while their callback-based equivalents (`fs.fchmod()`, `fs.fchown()`) were correctly patched. As a result, code running under `--permission` with restricted `--allow-fs-write` can still use promise-based `FileHandle` met
debian
CVE-2026-21711 | LOW | CVSS 5.3 | 2026
CVE-2026-21711 [MEDIUM]: nodejs - A flaw in Node.js Permission Model network enforcement leaves Unix Domain Socket (UDS) server operations without the required permission checks, while all comparable network paths correctly enforce them. As a result, code running under `--permission` without `--allow-net` can create and expose local IPC endpoints, allowing communication with other processes on the
debian
CVE-2026-21715 | LOW | CVSS 3.3 | fixed in nodejs 22.22.2+dfsg+~cs22.19.15-1 (forky) | 2026
CVE-2026-21715 [LOW]: nodejs - A flaw in Node.js Permission Model filesystem enforcement leaves `fs.realpathSync.native()` without the required read permission checks, while all comparable filesystem functions correctly enforce them. As a result, code running under `--permission` with restricted `--allow-fs-read` can still use `fs.realpathSync.native()` to check file existence, resolve symlink targ
debian
CVE-2025-59465 | HIGH | CVSS 7.5 | fixed in nodejs 22.22.0+dfsg+~cs22.19.6-1 (forky) | 2025
CVE-2025-59465 [HIGH]: nodejs - A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets, for example:
debian
CVE-2025-55131 | HIGH | CVSS 7.1 | fixed in nodejs 22.22.0+dfsg+~cs22.19.6-1 (forky) | 2025
CVE-2025-55131 [HIGH]: nodejs - A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like
debian
CVE-2025-59466 | HIGH | CVSS 7.5 | fixed in nodejs 22.22.0+dfsg+~cs22.19.6-1 (forky) | 2025
CVE-2025-59466 [HIGH]: nodejs - We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on('uncaughtException')`, the process terminates, making the crash unrecoverable. Applications that rely on `AsyncLocalStorage` (v22, v20) or `async_hooks.createHook()` (v24, v22
debian
CVE-2025-23166 | HIGH | CVSS 7.5 | fixed in nodejs 20.19.2+dfsg-1 (forky) | 2025
CVE-2025-23166 [HIGH]: nodejs - The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentially allows an adversary to remotely crash a Node.js runtime. Scope: local bookworm: open bu
debian
CVE-2025-23085 | MEDIUM | CVSS 5.3 | fixed in nodejs 12.22.12~dfsg-1~deb11u6 (bullseye) | 2025
CVE-2025-23085 [MEDIUM]: nodejs - A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could lead to increased memory consumption and potential denial of service under certain conditions. Thi
debian
CVE-2025-47153 | MEDIUM | CVSS 6.5 | fixed in nodejs 18.20.4+dfsg-1~deb12u1 (bookworm) | 2025
CVE-2025-47153 [MEDIUM]: nodejs - Certain build processes for libuv and Node.js for 32-bit systems, such as for the nodejs binary package through nodejs_20.19.0+dfsg-2_i386.deb for Debian GNU/Linux, have an inconsistent off_t size (e.g., building on i386 Debian always uses _FILE_OFFSET_BITS=64 for the libuv dynamic library, but uses the _FILE_OFFSET_BITS global system default of 32 for nodejs), lea
debian
CVE-2025-23084 | LOW | CVSS 5.5 | 2025
CVE-2025-23084 [MEDIUM]: nodejs - A vulnerability has been identified in Node.js, specifically affecting the handling of drive names in the Windows environment. Certain Node.js functions do not treat drive names as special on Windows. As a result, although Node.js assumes a relative path, it actually refers to the root directory. On Windows, a path that does not start with the file separator is tre
debian
CVE-2025-23083 | LOW | CVSS 7.7 | fixed in nodejs 20.18.2+dfsg-1 (forky) | 2025
CVE-2025-23083 [HIGH]: nodejs - With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created. This is not limited only to workers but also exposes internal workers, where an instance of them can be fetched, and its constructor can be grabbed and reinstated for malicious usage. This vulnerability affects Permission Model users (--permission) on Nod
debian
CVE-2025-27209 | LOW | CVSS 7.5 | 2025
CVE-2025-27209 [HIGH]: nodejs - The V8 release used in Node.js v24.0.0 has changed how string hashes are computed using rapidhash. This implementation re-introduces the HashDoS vulnerability as an attacker who can control the strings to be hashed can generate many hash collisions - an attacker can generate collisions even without knowing the hash-seed. * This vulnerability affects Node.js v24.x use
debian
CVE-2025-59464 | LOW | CVSS 7.5 | 2025
CVE-2025-59464 [HIGH]: nodejs - A memory leak in Node.js’s OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. When applications call `socket.getPeerCertificate(true)`, each certificate field leaks memory, allowing remote clients to trigger steady memory growth through repeated TLS connections. Over time this can lead to resource exha
debian