Vulners
Lucene search
Node.js 20.x < 20.19.2 / 22.x < 22.15.1 / 22.x < 22.15.1 / 23.x < 23.11.1 / 24.x < 24.0.2 Multiple Vulnerabilities (Wednesday, May 14, 2025 Security Releases).
10
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
script_id(236766);
script_version("1.3");
script_set_attribute(attribute:"plugin_modification_date", value:"2025/08/12");
script_cve_id("CVE-2025-23165", "CVE-2025-23166", "CVE-2025-23167");
script_xref(name:"IAVB", value:"2025-B-0079-S");
script_name(english:"Node.js 20.x < 20.19.2 / 22.x < 22.15.1 / 22.x < 22.15.1 / 23.x < 23.11.1 / 24.x < 24.0.2 Multiple Vulnerabilities (Wednesday, May 14, 2025 Security Releases).");
script_set_attribute(attribute:"synopsis", value:
"Node.js - JavaScript run-time environment is affected by multiple vulnerabilities.");
script_set_attribute(attribute:"description", value:
"The version of Node.js installed on the remote host is prior to 20.19.2, 22.15.1, 22.15.1, 23.11.1, 24.0.2. It is,
therefore, affected by multiple vulnerabilities as referenced in the Wednesday, May 14, 2025 Security Releases advisory.
- In Node.js, the ReadFileUtf8 internal binding leaks memory due to a corrupted pointer in uv_fs_s.file: a
UTF-16 path buffer is allocated but subsequently overwritten when the file descriptor is set. This results
in an unrecoverable memory leak on every call. Repeated use can cause unbounded memory growth, leading to
a denial of service. Impact: Thank you, to Justin Nietzel for reporting and fixing this vulnerability.
(CVE-2025-23165)
- The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied
inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations
are commonly applied to untrusted inputs. Thus, this mechanism potentially allows an adversary to remotely
crash a Node.js runtime. Impact: Thank you, @panva and @tniessen, for reporting and fixing this
vulnerability. (CVE-2025-23166)
- A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using \r\n\rX instead of
the required \r\n\r\n. This inconsistency enables request smuggling, allowing attackers to bypass proxy-
based access controls and submit unauthorized requests. The issue was resolved by upgrading llhttp to
version 9, which enforces correct header termination. Impact: Thank you, to kenballus for reporting this
vulnerability and thank you RafaelGSS for fixing it. (CVE-2025-23167)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://nodejs.org/en/blog/vulnerability/may-2025-security-releases/");
script_set_attribute(attribute:"solution", value:
"Upgrade to Node.js version 20.19.2 / 22.15.1 / 22.15.1 / 23.11.1 / 24.0.2 or later.");
script_set_attribute(attribute:"agent", value:"all");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-23165");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2025/05/14");
script_set_attribute(attribute:"patch_publication_date", value:"2025/05/14");
script_set_attribute(attribute:"plugin_publication_date", value:"2025/05/15");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/a:nodejs:node.js");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_set_attribute(attribute:"stig_severity", value:"I");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Misc.");
script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("nodejs_win_installed.nbin", "nodejs_installed_nix.nbin", "macosx_nodejs_installed.nbin");
script_require_keys("installed_sw/Node.js");
exit(0);
}
include('vcf.inc');
var win_local = FALSE;
var os = get_kb_item_or_exit('Host/OS');
if ('windows' >< tolower(os)) win_local = TRUE;
var app_info = vcf::get_app_info(app:'Node.js', win_local:win_local);
vcf::check_granularity(app_info:app_info, sig_segments:3);
vcf::check_all_backporting(app_info:app_info);
var constraints = [
{ 'min_version' : '20.0.0', 'fixed_version' : '20.19.2' },
{ 'min_version' : '22.0.0', 'fixed_version' : '22.15.1' },
{ 'min_version' : '22..0', 'fixed_version' : '22.15.1' },
{ 'min_version' : '23.0.0', 'fixed_version' : '23.11.1' },
{ 'min_version' : '24.0.0', 'fixed_version' : '24.0.2' }
];
vcf::check_version_and_report(
app_info:app_info,
constraints:constraints,
severity:SECURITY_WARNING
);
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
12 Aug 2025 00:00Current
7.1High risk
Vulners AI Score7.1
CVSS 37.5
EPSS0.0056
SSVC