{
  "document": {
    "aggregate_severity": {
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "TuxCare License Agreement",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.",
        "title": "Terms of Use"
      },
      {
        "category": "details",
        "text": "* SECURITY UPDATE: Node.js zlib denial of service vulnerability\n     - debian/patches/CVE-2024-22025.patch: pause stream if outgoing buffer\n       is full to prevent resource exhaustion during decompression\n     - CVE-2024-22025",
        "title": "Details"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://tuxcare.com/contact/",
      "name": "TuxCare",
      "namespace": "https://tuxcare.com/"
    },
    "references": [
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.tuxcare.com/csaf/v2/els_alt_nodejs/debian10/advisories/2025/clsa-2025_1765905087.json"
      },
      {
        "category": "self",
        "summary": "TuxCare release notes for CLSA-2025:1765905087",
        "url": "https://cve.tuxcare.com/els-alt-nodejs/releases/CLSA-2025:1765905087"
      }
    ],
    "tracking": {
      "current_release_date": "2025-12-16T17:12:01Z",
      "generator": {
        "date": "2025-12-16T17:12:01Z",
        "engine": {
          "name": "pyCSAF"
        }
      },
      "id": "CLSA-2025:1765905087",
      "initial_release_date": "2025-12-16T17:12:01Z",
      "revision_history": [
        {
          "date": "2025-12-16T17:12:01Z",
          "number": "1",
          "summary": "Initial version"
        }
      ],
      "status": "final",
      "version": "1"
    },
    "title": "Fix CVE(s): CVE-2024-22025"
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Debian 10",
                "product": {
                  "name": "Debian 10",
                  "product_id": "Debian-10",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:o:debian:debian_linux:10:*:*:*:*:*:*:*"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Debian"
          }
        ],
        "category": "vendor",
        "name": "Software in the Public Interest, Inc."
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "alt-nodejs16-nodejs-0:16.20.2-8.amd64",
                "product": {
                  "name": "alt-nodejs16-nodejs-0:16.20.2-8.amd64",
                  "product_id": "alt-nodejs16-nodejs-0:16.20.2-8.amd64",
                  "product_identification_helper": {
                    "purl": "pkg:deb/tuxcare/alt-nodejs16-nodejs@16.20.2-8?arch=amd64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "alt-nodejs16-docs-0:16.20.2-8.amd64",
                "product": {
                  "name": "alt-nodejs16-docs-0:16.20.2-8.amd64",
                  "product_id": "alt-nodejs16-docs-0:16.20.2-8.amd64",
                  "product_identification_helper": {
                    "purl": "pkg:deb/tuxcare/alt-nodejs16-docs@16.20.2-8?arch=amd64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "alt-nodejs16-nodejs-devel-0:16.20.2-8.amd64",
                "product": {
                  "name": "alt-nodejs16-nodejs-devel-0:16.20.2-8.amd64",
                  "product_id": "alt-nodejs16-nodejs-devel-0:16.20.2-8.amd64",
                  "product_identification_helper": {
                    "purl": "pkg:deb/tuxcare/alt-nodejs16-nodejs-devel@16.20.2-8?arch=amd64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "alt-nodejs16-npm-0:8.19.4-16.20.2.8.amd64",
                "product": {
                  "name": "alt-nodejs16-npm-0:8.19.4-16.20.2.8.amd64",
                  "product_id": "alt-nodejs16-npm-0:8.19.4-16.20.2.8.amd64",
                  "product_identification_helper": {
                    "purl": "pkg:deb/tuxcare/alt-nodejs16-npm@8.19.4-16.20.2.8?arch=amd64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          }
        ],
        "category": "vendor",
        "name": "TuxCare"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "alt-nodejs16-nodejs-0:16.20.2-8.amd64 as a component of Debian 10",
          "product_id": "Debian-10:alt-nodejs16-nodejs-0:16.20.2-8.amd64"
        },
        "product_reference": "alt-nodejs16-nodejs-0:16.20.2-8.amd64",
        "relates_to_product_reference": "Debian-10"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "alt-nodejs16-docs-0:16.20.2-8.amd64 as a component of Debian 10",
          "product_id": "Debian-10:alt-nodejs16-docs-0:16.20.2-8.amd64"
        },
        "product_reference": "alt-nodejs16-docs-0:16.20.2-8.amd64",
        "relates_to_product_reference": "Debian-10"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "alt-nodejs16-nodejs-devel-0:16.20.2-8.amd64 as a component of Debian 10",
          "product_id": "Debian-10:alt-nodejs16-nodejs-devel-0:16.20.2-8.amd64"
        },
        "product_reference": "alt-nodejs16-nodejs-devel-0:16.20.2-8.amd64",
        "relates_to_product_reference": "Debian-10"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "alt-nodejs16-npm-0:8.19.4-16.20.2.8.amd64 as a component of Debian 10",
          "product_id": "Debian-10:alt-nodejs16-npm-0:8.19.4-16.20.2.8.amd64"
        },
        "product_reference": "alt-nodejs16-npm-0:8.19.4-16.20.2.8.amd64",
        "relates_to_product_reference": "Debian-10"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-22025",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "notes": [
        {
          "category": "description",
          "text": "A vulnerability in Node.js has been identified that allows a Denial of Service (DoS) attack through resource exhaustion when the fetch() function is used to retrieve content from an untrusted URL.\nThe vulnerability stems from the fact that fetch() in Node.js always decodes Brotli-compressed responses, which makes resource exhaustion possible when content is fetched from an untrusted URL.\nAn attacker controlling the URL passed into fetch() can exploit this to exhaust memory, potentially leading to process termination, depending on the system configuration.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status; they are included for informational purposes only, to help readers understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Debian-10:alt-nodejs16-docs-0:16.20.2-8.amd64",
          "Debian-10:alt-nodejs16-nodejs-0:16.20.2-8.amd64",
          "Debian-10:alt-nodejs16-nodejs-devel-0:16.20.2-8.amd64",
          "Debian-10:alt-nodejs16-npm-0:8.19.4-16.20.2.8.amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els-alt-nodejs/cve/CVE-2024-22025"
        }
      ],
      "release_date": "2024-03-19T00:00:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-12-16T17:11:29.775688Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els-alt-nodejs/releases/CLSA-2025:1765905087",
          "product_ids": [
            "Debian-10:alt-nodejs16-docs-0:16.20.2-8.amd64",
            "Debian-10:alt-nodejs16-nodejs-0:16.20.2-8.amd64",
            "Debian-10:alt-nodejs16-nodejs-devel-0:16.20.2-8.amd64",
            "Debian-10:alt-nodejs16-npm-0:8.19.4-16.20.2.8.amd64"
          ],
          "url": "https://cve.tuxcare.com/els-alt-nodejs/releases/CLSA-2025:1765905087"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Debian-10:alt-nodejs16-docs-0:16.20.2-8.amd64",
            "Debian-10:alt-nodejs16-nodejs-0:16.20.2-8.amd64",
            "Debian-10:alt-nodejs16-nodejs-devel-0:16.20.2-8.amd64",
            "Debian-10:alt-nodejs16-npm-0:8.19.4-16.20.2.8.amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ]
    }
  ]
}