openEuler 24.03 LTS SP1 update for nodejs



Risk Medium
Patch available YES
Number of vulnerabilities 2
CVE-ID CVE-2025-23084
CVE-2025-23085
CWE-ID CWE-22
CWE-401
Exploitation vector Network
Public exploit N/A
Vulnerable software
 openEuler
Operating systems & Components / Operating system

nodejs-docs
Operating systems & Components / Operating system package or component

v8-devel
Operating systems & Components / Operating system package or component

npm
Operating systems & Components / Operating system package or component

nodejs-libs
Operating systems & Components / Operating system package or component

nodejs-full-i18n
Operating systems & Components / Operating system package or component

nodejs-devel
Operating systems & Components / Operating system package or component

nodejs-debugsource
Operating systems & Components / Operating system package or component

nodejs-debuginfo
Operating systems & Components / Operating system package or component

nodejs
Operating systems & Components / Operating system package or component

Vendor openEuler

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Path traversal

EUVDB-ID: #VU103223

Risk: Low

CVSSv4.0: 5.8 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2025-23084

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to input validation error in path.join API when processing drive names in the Windows environment. A local user with ability to alter Windows drive names can escalate privileges on the system.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

openEuler: 24.03 LTS SP1

nodejs-docs: before 20.18.2-1

v8-devel: before 11.3.244.8-1.20.18.2.1

npm: before 10.8.2-1.20.18.2.1

nodejs-libs: before 20.18.2-1

nodejs-full-i18n: before 20.18.2-1

nodejs-devel: before 20.18.2-1

nodejs-debugsource: before 20.18.2-1

nodejs-debuginfo: before 20.18.2-1

nodejs: before 20.18.2-1

CPE2.3 External links

http://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2025-1091


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Memory leak

EUVDB-ID: #VU103225

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-23085

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform DoS attack on the target system.

The vulnerability exists due memory leak when a remote peer abruptly closes the socket without sending a GOAWAY notification. A remote attacker can force the application to leak memory and perform denial of service attack.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

openEuler: 24.03 LTS SP1

nodejs-docs: before 20.18.2-1

v8-devel: before 11.3.244.8-1.20.18.2.1

npm: before 10.8.2-1.20.18.2.1

nodejs-libs: before 20.18.2-1

nodejs-full-i18n: before 20.18.2-1

nodejs-devel: before 20.18.2-1

nodejs-debugsource: before 20.18.2-1

nodejs-debuginfo: before 20.18.2-1

nodejs: before 20.18.2-1

CPE2.3 External links

http://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2025-1091


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###