CVE-2025-23085
NONE EPSS 66.5%
Published Feb 7, 2025 1y ago
Last Modified Jun 17, 2026 2w ago
Description
A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could lead to increased memory consumption and potential denial of service under certain conditions. This vulnerability affects HTTP/2 Server users on Node.js v18.x, v20.x, v22.x and v23.x.
Threat Intelligence
EPSS Exploit Probability
66.5% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available
Weaknesses 1
CWE-401
References 3
- lists.debian.org https://lists.debian.org/debian-lts-announce/2025/02/msg00031.html
- nodejs.org https://nodejs.org/en/blog/vulnerability/january-2025-security-releases
- security.netapp.com https://security.netapp.com/advisory/ntap-20250321-0003/
Remediation
No remediation data recorded yet
Check vendor advisories and the NVD entry for patch availability.