Security update for nodejs20 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:02045-1 Final 1 1 2025-06-20T11:04:00Z current 2025-06-20T11:04:00Z 2025-06-20T11:04:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for nodejs20 This update for nodejs20 fixes the following issues: Update to 20.19.2: - CVE-2025-23166: improper error handling in async cryptographic operations crashes process (bsc#1243218). - CVE-2025-23167: improper HTTP header block termination in llhttp (bsc#1243220). - CVE-2025-23165: add missing call to uv_fs_req_cleanup (bsc#1243217). Other bugfixes: - Build with PIE (bsc#1239949) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2025-2045,SUSE-SLE-Module-Web-Scripting-15-SP6-2025-2045,openSUSE-SLE-15.6-2025-2045 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-202502045-1/ Link for SUSE-SU-2025:02045-1 https://lists.suse.com/pipermail/sle-updates/2025-June/040401.html E-Mail link for SUSE-SU-2025:02045-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1239949 SUSE Bug 1239949 https://bugzilla.suse.com/1243217 SUSE Bug 1243217 https://bugzilla.suse.com/1243218 SUSE Bug 1243218 https://bugzilla.suse.com/1243220 SUSE Bug 1243220 https://www.suse.com/security/cve/CVE-2025-23165/ SUSE CVE CVE-2025-23165 page https://www.suse.com/security/cve/CVE-2025-23166/ SUSE CVE CVE-2025-23166 page https://www.suse.com/security/cve/CVE-2025-23167/ SUSE CVE CVE-2025-23167 page SUSE Linux Enterprise Module for Web and Scripting 15 SP6 openSUSE Leap 15.6 corepack20-20.19.2-150600.3.12.1 nodejs20-20.19.2-150600.3.12.1 nodejs20-devel-20.19.2-150600.3.12.1 nodejs20-docs-20.19.2-150600.3.12.1 npm20-20.19.2-150600.3.12.1 nodejs20-20.19.2-150600.3.12.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 SP6 nodejs20-devel-20.19.2-150600.3.12.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 SP6 nodejs20-docs-20.19.2-150600.3.12.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 SP6 npm20-20.19.2-150600.3.12.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 SP6 corepack20-20.19.2-150600.3.12.1 as a component of openSUSE Leap 15.6 nodejs20-20.19.2-150600.3.12.1 as a component of openSUSE Leap 15.6 nodejs20-devel-20.19.2-150600.3.12.1 as a component of openSUSE Leap 15.6 nodejs20-docs-20.19.2-150600.3.12.1 as a component of openSUSE Leap 15.6 npm20-20.19.2-150600.3.12.1 as a component of openSUSE Leap 15.6 In Node.js, the `ReadFileUtf8` internal binding leaks memory due to a corrupted pointer in `uv_fs_s.file`: a UTF-16 path buffer is allocated but subsequently overwritten when the file descriptor is set. This results in an unrecoverable memory leak on every call. Repeated use can cause unbounded memory growth, leading to a denial of service. Impact: * This vulnerability affects APIs relying on `ReadFileUtf8` on Node.js release lines: v20 and v22. CVE-2025-23165 SUSE Linux Enterprise Module for Web and Scripting 15 SP6:nodejs20-20.19.2-150600.3.12.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP6:nodejs20-devel-20.19.2-150600.3.12.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP6:nodejs20-docs-20.19.2-150600.3.12.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP6:npm20-20.19.2-150600.3.12.1 openSUSE Leap 15.6:corepack20-20.19.2-150600.3.12.1 openSUSE Leap 15.6:nodejs20-20.19.2-150600.3.12.1 openSUSE Leap 15.6:nodejs20-devel-20.19.2-150600.3.12.1 openSUSE Leap 15.6:nodejs20-docs-20.19.2-150600.3.12.1 openSUSE Leap 15.6:npm20-20.19.2-150600.3.12.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502045-1/ https://www.suse.com/security/cve/CVE-2025-23165.html CVE-2025-23165 https://bugzilla.suse.com/1243217 SUSE Bug 1243217 The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentially allows an adversary to remotely crash a Node.js runtime. CVE-2025-23166 SUSE Linux Enterprise Module for Web and Scripting 15 SP6:nodejs20-20.19.2-150600.3.12.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP6:nodejs20-devel-20.19.2-150600.3.12.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP6:nodejs20-docs-20.19.2-150600.3.12.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP6:npm20-20.19.2-150600.3.12.1 openSUSE Leap 15.6:corepack20-20.19.2-150600.3.12.1 openSUSE Leap 15.6:nodejs20-20.19.2-150600.3.12.1 openSUSE Leap 15.6:nodejs20-devel-20.19.2-150600.3.12.1 openSUSE Leap 15.6:nodejs20-docs-20.19.2-150600.3.12.1 openSUSE Leap 15.6:npm20-20.19.2-150600.3.12.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502045-1/ https://www.suse.com/security/cve/CVE-2025-23166.html CVE-2025-23166 https://bugzilla.suse.com/1243218 SUSE Bug 1243218 A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `\r\n\rX` instead of the required `\r\n\r\n`. This inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests. The issue was resolved by upgrading `llhttp` to version 9, which enforces correct header termination. Impact: * This vulnerability affects only Node.js 20.x users prior to the `llhttp` v9 upgrade. CVE-2025-23167 SUSE Linux Enterprise Module for Web and Scripting 15 SP6:nodejs20-20.19.2-150600.3.12.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP6:nodejs20-devel-20.19.2-150600.3.12.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP6:nodejs20-docs-20.19.2-150600.3.12.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP6:npm20-20.19.2-150600.3.12.1 openSUSE Leap 15.6:corepack20-20.19.2-150600.3.12.1 openSUSE Leap 15.6:nodejs20-20.19.2-150600.3.12.1 openSUSE Leap 15.6:nodejs20-devel-20.19.2-150600.3.12.1 openSUSE Leap 15.6:nodejs20-docs-20.19.2-150600.3.12.1 openSUSE Leap 15.6:npm20-20.19.2-150600.3.12.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502045-1/ https://www.suse.com/security/cve/CVE-2025-23167.html CVE-2025-23167 https://bugzilla.suse.com/1243220 SUSE Bug 1243220