SB2026041712 - Debian update for nodejs


Published: April 17, 2026

Security Bulletin ID: SB2026041712
Severity: High
Patch available: YES
Number of vulnerabilities: 7
Exploitation vector: Remote access
Highest impact: Denial of service

Breakdown by Severity

High 14%, Medium 43%, Low 43%

Description

This security bulletin contains information about 7 security vulnerabilities.


1) Memory leak (CVE-ID: CVE-2025-23085)

The vulnerability allows a remote attacker to perform a DoS attack on the target system.

The vulnerability exists due to a memory leak when a remote peer abruptly closes the socket without sending a GOAWAY notification. A remote attacker can force the application to leak memory and perform a denial of service attack.


2) Link following (CVE-ID: CVE-2025-55130)

The vulnerability allows a local user to read or modify arbitrary files outside the intended allowed path.

The vulnerability exists due to improper access control in the permission model path restriction handling when processing crafted relative symlink paths. A local user can chain directories and symlinks to read or modify arbitrary files outside the intended allowed path.

The issue affects use of the permission model with --allow-fs-read or --allow-fs-write restrictions.


3) Race condition (CVE-ID: CVE-2025-55131)

The vulnerability allows a remote user to disclose sensitive information or corrupt data.

The vulnerability exists due to a race condition in buffer allocation logic when using the vm module with the timeout option. A remote user can influence workload and timeout behavior to disclose sensitive information or corrupt data.

Exploitation typically requires precise timing or in-process code execution.


4) Improper access control (CVE-ID: CVE-2025-55132)

The vulnerability allows a local user to modify file timestamps.

The vulnerability exists due to improper access control in fs.futimes() when changing file timestamps without expected write-permission checks. A local user can call futimes() to modify file timestamps.

This can reduce the reliability of logs by obscuring activity in read-only directories.


5) Uncaught Exception (CVE-ID: CVE-2025-59465)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper error handling in the HTTP/2 server when receiving a malformed HEADERS frame with oversized invalid HPACK data. A remote attacker can send a specially crafted HTTP/2 HEADERS frame to cause a denial of service.

This primarily affects applications that do not attach explicit error handlers to secure sockets.


6) Uncaught Exception (CVE-ID: CVE-2025-59466)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper error handling in async_hooks when deep recursion occurs with async_hooks.createHook() enabled. A remote attacker can trigger deep recursion to cause a denial of service.

Applications using AsyncLocalStorage or async_hooks.createHook() are affected under specific conditions.


7) Path manipulation (CVE-ID: CVE-2026-21637)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper error handling in _tls_wrap.js when processing TLS SNI handshake requests. A remote attacker can send a specially crafted request with unexpected servername input to cause an uncaught exception, crashing the Node.js process.

Exploitation occurs during TLS handshake when SNICallback is configured and throws synchronously.


Remediation

Install the update from the vendor's website.