
CVE-2025-23165 – nodejs: Memory Leak in Node.js ReadFileUtf8 Binding Leading to DoS
https://notcve.org/view.php?id=CVE-2025-23165
19 May 2025 — In Node.js, the `ReadFileUtf8` internal binding leaks memory due to a corrupted pointer in `uv_fs_s.file`: a UTF-16 path buffer is allocated but subsequently overwritten when the file descriptor is set. This results in an unrecoverable memory leak on every call. Repeated use can cause unbounded memory growth, leading to a denial of service. Impact: * This vulnerability affects APIs relying on `ReadFileUtf8` on Node.js release lines: v20 and v22. A flaw was found in the ReadFileUtf8 internal binding of Node.... • https://nodejs.org/en/blog/vulnerability/may-2025-security-releases • CWE-401: Missing Release of Memory after Effective Lifetime •

CVE-2025-23166 – nodejs: Remote Crash via SignTraits::DeriveBits() in Node.js
https://notcve.org/view.php?id=CVE-2025-23166
19 May 2025 — The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs (keys, signatures and data supplied by remote clients), so this mechanism potentially allows an adversary to remotely crash a Node.js runtime. A flaw was found in Node.js, specifically in the C++ method SignTraits::DeriveBits(). This vulnerability can allow a remote attacker to crash the Node.js runtime via untrust... • https://nodejs.org/en/blog/vulnerability/may-2025-security-releases • CWE-248: Uncaught Exception •

CVE-2025-23085 – nodejs: GOAWAY HTTP/2 frames cause memory leak outside heap
https://notcve.org/view.php?id=CVE-2025-23085
07 Feb 2025 — A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could lead to increased memory consumption and potential denial of service under certain conditions. This vulnerability affects HTTP/2 Server users on Node.js v18.x, v20.x, v22.x and v23.x. A vulnerability was found in NodeJS when handling HTTP/2 co... • https://nodejs.org/en/blog/vulnerability/january-2025-security-releases • CWE-400: Uncontrolled Resource Consumption CWE-401: Missing Release of Memory after Effective Lifetime •

CVE-2025-23084
https://notcve.org/view.php?id=CVE-2025-23084
28 Jan 2025 — A vulnerability has been identified in Node.js, specifically affecting the handling of drive names in the Windows environment. Certain Node.js functions do not treat drive names as special on Windows. As a result, although Node.js assumes a relative path, it actually refers to the root directory. On Windows, a path that does not start with the file separator is treated as relative to the current directory. This vulnerability affects Windows users of the `path.join` API. • https://nodejs.org/en/blog/vulnerability/january-2025-security-releases • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2025-23083 – nodejs: Node.js Worker Thread Exposure via Diagnostics Channel
https://notcve.org/view.php?id=CVE-2025-23083
22 Jan 2025 — With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created. This is not limited only to workers but also exposes internal workers, where an instance of them can be fetched, and its constructor can be grabbed and reinstated for malicious usage. This vulnerability affects Permission Model users (--permission) on Node.js v20, v22, and v23. A flaw was found in the Node.js diagnostics_channel. This vulnerability allows an attacker to reinstate and misuse work... • https://nodejs.org/en/blog/vulnerability/january-2025-security-releases • CWE-284: Improper Access Control CWE-863: Incorrect Authorization •

CVE-2025-23090
https://notcve.org/view.php?id=CVE-2025-23090
22 Jan 2025 — With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created. This is not limited only to workers but also exposes internal workers, where an instance of them can be fetched, and its constructor can be grabbed and reinstated for malicious usage. This vulnerability affects Permission Model users (--permission) on Node.js v20, v22, and v23. • https://hackerone.com/reports/2575105 • CWE-284: Improper Access Control •

CVE-2024-27980
https://notcve.org/view.php?id=CVE-2024-27980
09 Jan 2025 — Due to the improper handling of batch files in child_process.spawn / child_process.spawnSync, a malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled. • http://www.openwall.com/lists/oss-security/2024/04/10/15 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •

CVE-2024-37372 – Gentoo Linux Security Advisory 202505-11
https://notcve.org/view.php?id=CVE-2024-37372
09 Jan 2025 — The Permission Model assumes that any path starting with two backslashes `\\` has a four-character prefix that can be ignored, which is not always true. This subtle bug leads to vulnerable edge cases. Multiple vulnerabilities have been discovered in Node.js, the worst of which could lead to execution of arbitrary code. Versions prior to 22.4.1 are affected. • http://www.openwall.com/lists/oss-security/2024/07/11/6 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2024-36138
https://notcve.org/view.php?id=CVE-2024-36138
07 Sep 2024 — Bypass incomplete fix of CVE-2024-27980, that arises from improper handling of batch files with all possible extensions on Windows via child_process.spawn / child_process.spawnSync. A malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled. • https://nodejs.org/en/blog/vulnerability/july-2024-security-releases • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •

CVE-2024-36137 – nodejs: fs.fchown/fchmod bypasses permission model
https://notcve.org/view.php?id=CVE-2024-36137
07 Sep 2024 — A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-write flag is used. The Node.js Permission Model does not operate on file descriptors; however, operations such as fs.fchown or fs.fchmod can use a "read-only" file descriptor to change the owner and permissions of a file. A flaw was found in Node.js, affecting users of the experimental permission model when the --allow-fs-write flag is used. The Node.js Permission Model does not operate on fil... • https://nodejs.org/en/blog/vulnerability/july-2024-security-releases • CWE-732: Incorrect Permission Assignment for Critical Resource •