CVE-2025-23085

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-23085

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-23085.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-23085

Aliases

Downstream

ALPINE-CVE-2025-23085

BELL-CVE-2025-23085

DEBIAN-CVE-2025-23085

DLA-4067-1

ECHO-5e31-886e-c1fc

MINI-2g97-m6gp-fvc3

MINI-3gcw-gf22-m559

MINI-5c28-v3x8-5v3p

MINI-h25r-jrqq-hm9q

OESA-2025-1090

OESA-2025-1091

OESA-2025-1274

OESA-2025-1275

OESA-2025-1276

RHSA-2025:1351

RHSA-2025:1443

RHSA-2025:1446

RHSA-2025:1582

RHSA-2025:1611

RHSA-2025:1613

RLSA-2025:1446

RLSA-2025:1613

SUSE-SU-2025:0232-1

SUSE-SU-2025:0233-1

SUSE-SU-2025:0234-1

SUSE-SU-2025:0237-1

SUSE-SU-2025:0284-1

UBUNTU-CVE-2025-23085

openSUSE-SU-2025:14706-1

Related

Published

2025-02-07T07:15:15Z

Modified

2025-08-09T19:01:29Z

Summary

[none]

Details

A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could lead to increased memory consumption and potential denial of service under certain conditions.

This vulnerability affects HTTP/2 Server users on Node.js v18.x, v20.x, v22.x and v23.x.

References

Affected packages