Search for vulnerabilities
Vulnerability details: VCID-k9se-mw48-cucj
Vulnerability ID VCID-k9se-mw48-cucj
Aliases CVE-2025-23085
Summary A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could lead to increased memory consumption and potential denial of service under certain conditions. This vulnerability affects HTTP/2 Server users on Node.js v18.x, v20.x, v22.x and v23.x.
Status Published
Exploitability 0.5
Weighted Severity 4.8
Risk 2.4
Affected and Fixed Packages Package Details
Weaknesses (1)
CWE-400 Uncontrolled Resource Consumption
System Score Found at
cvssv3 5.3 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-23085.json
epss 0.00077 https://api.first.org/data/v1/epss?cve=CVE-2025-23085
epss 0.00077 https://api.first.org/data/v1/epss?cve=CVE-2025-23085
epss 0.00077 https://api.first.org/data/v1/epss?cve=CVE-2025-23085
epss 0.00077 https://api.first.org/data/v1/epss?cve=CVE-2025-23085
epss 0.00077 https://api.first.org/data/v1/epss?cve=CVE-2025-23085
epss 0.00077 https://api.first.org/data/v1/epss?cve=CVE-2025-23085
epss 0.00077 https://api.first.org/data/v1/epss?cve=CVE-2025-23085
epss 0.00077 https://api.first.org/data/v1/epss?cve=CVE-2025-23085
epss 0.00077 https://api.first.org/data/v1/epss?cve=CVE-2025-23085
epss 0.00077 https://api.first.org/data/v1/epss?cve=CVE-2025-23085
epss 0.00077 https://api.first.org/data/v1/epss?cve=CVE-2025-23085
epss 0.00077 https://api.first.org/data/v1/epss?cve=CVE-2025-23085
epss 0.00077 https://api.first.org/data/v1/epss?cve=CVE-2025-23085
epss 0.00082 https://api.first.org/data/v1/epss?cve=CVE-2025-23085
epss 0.00082 https://api.first.org/data/v1/epss?cve=CVE-2025-23085
epss 0.00082 https://api.first.org/data/v1/epss?cve=CVE-2025-23085
epss 0.00085 https://api.first.org/data/v1/epss?cve=CVE-2025-23085
epss 0.00085 https://api.first.org/data/v1/epss?cve=CVE-2025-23085
cvssv3.1 5.3 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3 5.3 https://nodejs.org/en/blog/vulnerability/january-2025-security-releases
ssvc Track https://nodejs.org/en/blog/vulnerability/january-2025-security-releases
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-23085.json
https://api.first.org/data/v1/epss?cve=CVE-2025-23085
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-23085
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://lists.debian.org/debian-lts-announce/2025/02/msg00031.html
1094134 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1094134
2342618 https://bugzilla.redhat.com/show_bug.cgi?id=2342618
CVE-2025-23085 https://nvd.nist.gov/vuln/detail/CVE-2025-23085
january-2025-security-releases https://nodejs.org/en/blog/vulnerability/january-2025-security-releases
RHSA-2025:1351 https://access.redhat.com/errata/RHSA-2025:1351
RHSA-2025:1443 https://access.redhat.com/errata/RHSA-2025:1443
RHSA-2025:1446 https://access.redhat.com/errata/RHSA-2025:1446
RHSA-2025:1582 https://access.redhat.com/errata/RHSA-2025:1582
RHSA-2025:1611 https://access.redhat.com/errata/RHSA-2025:1611
RHSA-2025:1613 https://access.redhat.com/errata/RHSA-2025:1613
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-23085.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://nodejs.org/en/blog/vulnerability/january-2025-security-releases
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-07T15:50:24Z/ Found at https://nodejs.org/en/blog/vulnerability/january-2025-security-releases
Exploit Prediction Scoring System (EPSS)
Percentile 0.2366
EPSS Score 0.00077
Published At Aug. 4, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T08:47:15.663974+00:00 Alpine Linux Importer Import https://secdb.alpinelinux.org/v3.22/main.json 37.0.0