CVE-2025-23085

NONE EPSS 66.5%
Published Feb 7, 2025 1y ago · Modified Jun 17, 2026 2w ago

Description

A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could lead to increased memory consumption and potential denial of service under certain conditions. This vulnerability affects HTTP/2 Server users on Node.js v18.x, v20.x, v22.x and v23.x.

Threat Intelligence

EPSS Exploit Probability
66.5% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-401

References 3

  • lists.debian.org https://lists.debian.org/debian-lts-announce/2025/02/msg00031.html
  • nodejs.org https://nodejs.org/en/blog/vulnerability/january-2025-security-releases
  • security.netapp.com https://security.netapp.com/advisory/ntap-20250321-0003/

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.