Tuesday, January 21, 2025 Security Releases
The Node.js Project
Security releases available
Updates are now available for the 23.x, 22.x, 20.x, 18.x Node.js release lines for the following issues.
This security release includes the following dependency updates to address public vulnerabilities:
- undici (v7.2.3, v6.21.1, v5.28.5) on v23.x, v22.x, v20.x, v18.x.
Along with the security fixes, the Node.js team has also issued CVEs for End-of-Life (EOL) versions of Node.js.
- Node.js v17.x or prior CVE-2025-23087
- Node.js v19.x CVE-2025-23088
- Node.js v21.x CVE-2025-23089
More information in this blog post
Worker permission bypass via InternalWorker leak in diagnostics (CVE-2025-23083) - (high)
With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created. This is not limited only to workers but also exposes internal workers, where an instance of them can be fetched, and its constructor can be grabbed and reinstated for malicious usage.
This vulnerability affects Permission Model users (--permission) on Node.js v20, v22, and v23.
Impact:
- This vulnerability affects all users in active release lines: 20.x, 22.x, 23.x
Thank you, to leodog896 for reporting this vulnerability and thank you RafaelGSS for fixing it.
Path traversal by drive name in Windows environment (CVE-2025-23084) - (medium)
A vulnerability has been identified in Node.js, specifically affecting the handling of drive names in the Windows environment. Certain Node.js functions do not treat drive names as special on Windows. As a result, although Node.js assumes a relative path, it actually refers to the root directory.
On Windows, a path that does not start with the file separator is treated as relative to the current directory.
This vulnerability affects Windows users of path.join API.
Impact:
- This vulnerability affects all users in active release lines: 18.x, 20.x, 22.x, 23.x
Thank you, to taise for reporting this vulnerability and thank you tniessen for fixing it.
GOAWAY HTTP/2 frames cause memory leak outside heap (CVE-2025-23085) - (medium)
A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could lead to increased memory consumption and potential denial of service under certain conditions.
This vulnerability affects HTTP/2 Server users on Node.js v18.x, v20.x, v22.x and v23.x.
Impact:
- This vulnerability affects all users in active release lines: 18.x, 20.x, 22.x, 23.x
Thank you, to newtmitch for reporting this vulnerability and thank you RafaelGSS for fixing it.
Downloads and release details
Summary
The Node.js project will release new versions of the 23.x, 22.x, 20.x, 18.x releases lines on or shortly after, Tuesday, January 21, 2025 in order to address:
- 1 high severity issues.
- 2 medium severity issues.
Impact
The 23.x release line of Node.js is vulnerable to 1 high severity issues, 2 medium severity issues. The 22.x release line of Node.js is vulnerable to 1 high severity issues, 2 medium severity issues. The 20.x release line of Node.js is vulnerable to 1 high severity issues, 2 medium severity issues. The 18.x release line of Node.js is vulnerable to 2 medium severity issues.
It's important to note that End-of-Life versions are always affected when a security release occurs. To ensure your system's security, please use an up-to-date version as outlined in our Release Schedule.
Release timing
Releases will be available on, or shortly after, Tuesday, January 21, 2025.
Contact and future updates
The current Node.js security policy can be found at https://nodejs.org/en/security/. Please follow the process outlined in https://github.com/nodejs/node/blob/master/SECURITY.md if you wish to report a vulnerability in Node.js.
Subscribe to the low-volume announcement-only nodejs-sec mailing list at https://groups.google.com/forum/#!forum/nodejs-sec to stay up to date on security vulnerabilities and security-related releases of Node.js and the projects maintained in the nodejs GitHub organization.