{
  "threat_severity" : "Moderate",
  "public_date" : "2025-01-21T00:00:00Z",
  "bugzilla" : {
    "description" : "nodejs: GOAWAY HTTP/2 frames cause memory leak outside heap",
    "id" : "2342618",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2342618"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
    "status" : "verified"
  },
  "cwe" : "CWE-400",
  "details" : [ "A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could lead to increased memory consumption and potential denial of service under certain conditions.\nThis vulnerability affects HTTP/2 Server users on Node.js v18.x, v20.x, v22.x and v23.x.", "A vulnerability was found in Node.js in the handling of HTTP/2 connections. When a remote peer abruptly closes the socket without sending the GOAWAY frame the server expects, the server leaks memory for that connection. An unauthenticated attacker who can open HTTP/2 connections to the server can repeat this to drive the targeted process into uncontrolled memory consumption, starving it, and possibly other processes on the same host, of memory and causing a denial of service." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2025-02-12T00:00:00Z",
    "advisory" : "RHSA-2025:1351",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "nodejs:20-8100020250203134842.489197e6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2025-02-17T00:00:00Z",
    "advisory" : "RHSA-2025:1582",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "nodejs:18-8100020250207121904.489197e6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2025-02-17T00:00:00Z",
    "advisory" : "RHSA-2025:1611",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "nodejs:22-8100020250130144944.6d880403"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-02-13T00:00:00Z",
    "advisory" : "RHSA-2025:1443",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "nodejs:20-9050020250130114516.rhel9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-02-13T00:00:00Z",
    "advisory" : "RHSA-2025:1446",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "nodejs:18-9050020250206154514.rhel9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-02-17T00:00:00Z",
    "advisory" : "RHSA-2025:1613",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "nodejs:22-9050020250131131518.rhel9"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Affected",
    "package_name" : "nodejs22",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-23085\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-23085\nhttps://nodejs.org/pt/blog/vulnerability/january-2025-security-releases" ],
  "name" : "CVE-2025-23085",
  "mitigation" : {
    "value" : "There's no available mitigation for this issue other than updating to the package version which contains the fix.",
    "lang" : "en:us"
  },
  "csaw" : false
}