Memory Leak in HTTP/2 Server on Node.js Affects Multiple Versions
CVE-2025-23085
5.3 MEDIUM
What is CVE-2025-23085?
A memory leak may occur in the HTTP/2 Server component of Node.js when a remote peer unexpectedly closes a socket without issuing a GOAWAY notification. The issue can also be triggered when nghttp2 detects an invalid header and terminates the connection. Either scenario can increase memory usage, degrading application performance and, under certain operational conditions, leading to a potential denial of service.
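A monitoring sketch for the condition described above, added here and not code from the Node.js project or the advisory: it counts HTTP/2 sessions that close without a GOAWAY from the peer and pairs that with RSS growth. The `SessionTracker` name, the alert thresholds, and the idea of alerting on this combination are assumptions; `session`, `goaway`, `error` and `close` are the standard `node:http2` events.

```javascript
// Added example, not Node.js project code. Tracks how HTTP/2 sessions end so
// abrupt closes can be correlated with memory growth on an affected server.
class SessionTracker {
  constructor() {
    this.stats = { opened: 0, closed: 0, closedWithoutGoaway: 0, errored: 0 };
    this.baselineRss = process.memoryUsage().rss;
  }

  // Accepts an Http2Session (or any object with the same on() events).
  track(session) {
    let sawGoaway = false;
    this.stats.opened += 1;
    session.on('goaway', () => { sawGoaway = true; });
    session.on('error', () => { this.stats.errored += 1; });
    session.on('close', () => {
      this.stats.closed += 1;
      if (!sawGoaway) this.stats.closedWithoutGoaway += 1;
    });
  }

  // Hook every new session on an http2 server created by the caller.
  attach(server) {
    server.on('session', (session) => this.track(session));
    return this;
  }

  // Fraction of finished sessions where the peer never sent GOAWAY.
  abruptRatio() {
    const { closed, closedWithoutGoaway } = this.stats;
    return closed === 0 ? 0 : closedWithoutGoaway / closed;
  }

  // Thresholds are constructed defaults (assumptions); tune per service.
  shouldAlert(rssGrowthBytes, opts = {}) {
    const { minClosed = 100, ratio = 0.5, rssGrowth = 64 * 1024 * 1024 } = opts;
    return this.stats.closed >= minClosed &&
      this.abruptRatio() >= ratio &&
      rssGrowthBytes >= rssGrowth;
  }

  // One sample for a metrics pipeline or periodic log line.
  snapshot() {
    const rssGrowthBytes = process.memoryUsage().rss - this.baselineRss;
    return { ...this.stats, abruptRatio: this.abruptRatio(),
      rssGrowthBytes, alert: this.shouldAlert(rssGrowthBytes) };
  }
}
// Usage (assumed setup): new SessionTracker().attach(http2.createServer(handler))
```

Some ordinary clients also drop connections without sending GOAWAY, so compare the ratio against the service's normal baseline before alerting on it.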
Affected Version(s)
node 18.20.5
node 20.18.1
node 22.13.0