BIT-node-2025-23085

BIT-node-2025-23085 PUBLISHED CVSS 5.300000190734863 MEDIUM

A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could lead to increased memory consumption and potential denial of service under certain conditions. This vulnerability affects HTTP/2 Server users on Node.js v18.x, v20.x, v22.x and v23.x.

Risk Scores

CVSS v3.0

5.300000190734863

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Affected Products

Vendor	Product	Versions
Bitnami	node	0, 19.0.0, 21.0.0

Timeline

Feb 11, 2025 CVE Published
Nov 6, 2025 CVE Updated

References

https://nodejs.org/en/blog/vulnerability/january-2025-security-releases url
https://lists.debian.org/debian-lts-announce/2025/02/msg00031.html url
https://nvd.nist.gov/vuln/detail/CVE-2025-23085 url
https://security.netapp.com/advisory/ntap-20250321-0003/ url

Open in Interactive Console →