Bug 34278 - nodejs new security issues CVE-2025-2316[5-7]
Summary: nodejs new security issues CVE-2025-2316[5-7]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 9
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2025-05-15 13:56 CEST by Nicolas Salguero
Modified: 2025-05-25 01:26 CEST (History)
2 users (show)

See Also:
Source RPM: nodejs-22.13.1-2.mga9.src.rpm
CVE: CVE-2025-23165, CVE-2025-23166, CVE-2025-23167
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Nicolas Salguero 2025-05-15 13:56:26 CEST 
Upstream has issued an advisory on May 14:
https://nodejs.org/en/blog/vulnerability/may-2025-security-releases
Nicolas Salguero 2025-05-15 13:57:49 CEST

Status comment: (none) => Fixed upstream in 22.15.1
CVE: (none) => CVE-2025-23165, CVE-2025-23166, CVE-2025-23167
Whiteboard: (none) => MGA9TOO
Source RPM: (none) => nodejs-22.13.1-3.mga10.src.rpm, nodejs-22.13.1-2.mga9.src.rpm

Comment 1 Lewis Smith 2025-05-15 21:09:07 CEST 
Fortunately just a version update.
Assigning globally as different packagers deal with nodejs.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2025-05-23 16:44:18 CEST 
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Corrupted pointer in node::fs::ReadFileUtf8(const FunctionCallbackInfo<Value>& args) when args[0] is a string. (CVE-2025-23165)

Improper error handling in async cryptographic operations crashes process. (CVE-2025-23166)

Improper HTTP header block termination in llhttp. (CVE-2025-23167)

References:
https://nodejs.org/en/blog/vulnerability/may-2025-security-releases
========================

Updated packages in core/updates_testing:
========================
nodejs-22.16.0-1.mga9
nodejs-devel-22.16.0-1.mga9
nodejs-docs-22.16.0-1.mga9
nodejs-libs-22.16.0-1.mga9
npm-10.9.2-1.22.16.0.1.mga9
v8-devel-12.4.254.21.mga9-4.mga9

from SRPM:
nodejs-22.16.0-1.mga9.src.rpm

Source RPM: nodejs-22.13.1-3.mga10.src.rpm, nodejs-22.13.1-2.mga9.src.rpm => nodejs-22.13.1-2.mga9.src.rpm
Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9
Status: NEW => ASSIGNED
Status comment: Fixed upstream in 22.15.1 => (none)
Assignee: pkg-bugs => qa-bugs

katnatek 2025-05-23 18:31:30 CEST

Keywords: (none) => advisory

Comment 3 katnatek 2025-05-23 20:38:53 CEST 
RH x86_64

installing v8-devel-12.4.254.21.mga9-4.mga9.x86_64.rpm nodejs-22.16.0-1.mga9.x86_64.rpm nodejs-devel-22.16.0-1.mga9.x86_64.rpm npm-10.9.2-1.22.16.0.1.mga9.x86_64.rpm nodejs-libs-22.16.0-1.mga9.x86_64.rpm nodejs-docs-22.16.0-1.mga9.noarch.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/6: nodejs-libs           ##################################################################################################
      2/6: npm                   ##################################################################################################
      3/6: nodejs                ##################################################################################################
      4/6: nodejs-devel          ##################################################################################################
      5/6: v8-devel              ##################################################################################################
      6/6: nodejs-docs           ##################################################################################################
      1/6: removing v8-devel-2:12.4.254.21.mga9-2.mga9.x86_64
                                 ##################################################################################################
      2/6: removing nodejs-devel-1:22.13.1-2.mga9.x86_64
                                 ##################################################################################################
      3/6: removing nodejs-docs-1:22.13.1-2.mga9.noarch
                                 ##################################################################################################
      4/6: removing nodejs-1:22.13.1-2.mga9.x86_64
                                 ##################################################################################################
      5/6: removing npm-1:10.9.2-1.22.13.1.2.mga9.x86_64
                                 ##################################################################################################
      6/6: removing nodejs-libs-1:22.13.1-2.mga9.x86_64
                                 ##################################################################################################

npm install express5
npm warn deprecated string-similarity@4.0.4: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.

added 50 packages, and audited 51 packages in 4s

4 packages are looking for funding
  run `npm fund` for details

4 low severity vulnerabilities

Some issues need review, and may require choosing
a different dependency.

Run `npm audit` for details.
npm notice
npm notice New major version of npm available! 10.9.2 -> 11.4.1
npm notice Changelog: https://github.com/npm/cli/releases/tag/v11.4.1
npm notice To update run: npm install -g npm@11.4.1
npm notice

npm ls
qatest@ /home/katnatek/qatest
└── express5@1.0.0

node server.js
Server running at http://127.0.0.1:3000/

http://127.0.0.1:3000/

Shows: Hello World

node
Welcome to Node.js v22.16.0.
Type ".help" for more information.
> 1+1
2
> a=2
2
> b=4
4
> a*b
8
> a+b
6

Looks good

Whiteboard: (none) => MGA9-64-OK

Comment 4 Thomas Andrews 2025-05-24 20:21:32 CEST 
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 5 Mageia Robot 2025-05-25 01:26:47 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0161.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
Note You need to log in before you can comment on or make changes to this bug.