The update, released on May 14, 2025, addresses three main CVEs, each with varying severity and potential impact on production environments.
The most urgent fix addresses a high-severity vulnerability in the handling of asynchronous cryptographic operations.
The flaw, present in the C++ method SignTraits::DeriveBits(), could allow attackers to remotely crash a Node.js process by exploiting improper error handling when cryptographic operations are performed on untrusted inputs.
This could result in a denial of service, potentially taking down critical services that rely on Node.js for backend processing. All users on active release lines are affected and are strongly urged to update immediately.
A medium-severity issue was found in the llhttp HTTP parser, where improper termination of HTTP/1 headers could allow attackers to bypass proxy-based access controls using request smuggling techniques.
The vulnerability, which affects Node.js 20.x versions prior to the llhttp v9 upgrade, has been addressed by updating llhttp to version 9.2.0.
This change enforces correct header termination and closes off that avenue for unauthorized requests.
Rounding out the update is a low-severity memory leak in the node::fs::ReadFileUtf8 function.
When the first argument is a string, a corrupted pointer could lead to unrecoverable memory leaks on every call, eventually exhausting system memory and causing a denial of service.
This issue affects APIs dependent on ReadFileUtf8 in Node.js v20 and v22 and has been resolved by ensuring proper cleanup with uv_fs_req_cleanup.
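A quick way to verify the one concrete version the article gives is to read the llhttp build that the running Node.js binary reports. The script below is an added example, not code from the article or from the Node.js project: it compares `process.versions.llhttp` (a real field of Node's `process.versions` object) against the 9.2.0 fix version named above, and flags whether the process is on the v20 or v22 lines the article names for the ReadFileUtf8 leak. Because the article does not list the patched Node.js release numbers themselves, the script reports the Node version but does not judge it.

```javascript
// Added example (not from the article or the Node.js project): check the
// running process against the llhttp fix version named in the advisory summary.

// Parse "9.2.0" or "v20.11.0" into [major, minor, patch]; null if unparseable.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Compare two parsed versions: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// The llhttp version the article names as carrying the header-termination fix.
const LLHTTP_FIXED = '9.2.0';

// True when the given llhttp version string is at or above the fixed version.
// An unparseable string is treated as "not verified", i.e. false.
function llhttpIsPatched(llhttpVersion) {
  const have = parseVersion(llhttpVersion);
  if (!have) return false;
  return compareVersions(have, parseVersion(LLHTTP_FIXED)) >= 0;
}

// Build a report from a process.versions-like object so it can be run offline
// against constructed inputs as well as against the live process.
function buildReport(versions) {
  const node = versions.node || 'unknown';
  const llhttp = versions.llhttp || 'unknown';
  const major = (parseVersion(node) || [0])[0];
  return {
    node,
    llhttp,
    llhttpPatched: llhttpIsPatched(llhttp),
    // v20 and v22 are the release lines the article names for the ReadFileUtf8 leak.
    onV20orV22: major === 20 || major === 22,
  };
}

// Report on the current process; the caller decides what to do with the result.
function checkCurrentProcess() {
  const report = buildReport(process.versions);
  console.log(JSON.stringify(report, null, 2));
  if (!report.llhttpPatched) {
    console.log(`llhttp ${report.llhttp} is below ${LLHTTP_FIXED}; upgrade Node.js`);
  }
  return report;
}

checkCurrentProcess();
```

Run it with `node check-llhttp.js` (file name is the reader's choice) on each host or container image; a `llhttpPatched: false` result means the binary still carries the pre-9.2.0 parser the article describes.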
Node.js users are strongly advised to upgrade to the latest patched versions to mitigate these vulnerabilities.
Installers and binaries for all major platforms are available on the official Node.js website. Keeping Node.js up to date is essential for maintaining operational security and reliability.
For more details, consult the Node.js security policy and subscribe to security announcements to stay informed about future updates.
The post Critical Node.js Flaw Lets Attackers Crash Applications and Disrupt Services appeared first on Cyber Security News.