ELA-1734-1 nodejs security update

multiple vulnerabilities

2026-05-26
Package: nodejs
Version: 10.24.0~dfsg-1~deb10u8 (buster)
Related CVEs: CVE-2025-59465 CVE-2026-21637 CVE-2026-21714


Multiple vulnerabilities were discovered in Node.js, which could result in denial of service.

CVE-2025-59465

A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`.
Instead of safely closing the connection, the process crashes, enabling a remote denial of service.

CVE-2026-21637

A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server.

CVE-2026-21714

A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (the connection-level stream) that cause the flow-control window to exceed the maximum value of 2³¹-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up, so repeated connections leak memory until the process is exhausted.


For Debian 10 buster, these problems have been fixed in version 10.24.0~dfsg-1~deb10u8.

We recommend that you upgrade your nodejs packages.
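To check whether a buster host already carries the fixed package, the installed version has to be compared with Debian version semantics rather than as a plain string (for example, "deb10u10" sorts after "deb10u8", and "~" sorts before an empty suffix). The following is an added example, not code from Debian or the ELTS project: a Python implementation of the dpkg version-comparison algorithm (deb-version(7)) applied to the fixed version from this advisory. The `installed_version` helper shells out to `dpkg-query`, which is only meaningful on a Debian system; the version strings in `SAMPLES` are constructed for illustration.

```python
import subprocess
from typing import Optional

# Fixed version stated in this advisory (ELA-1734-1).
FIXED = {"nodejs": "10.24.0~dfsg-1~deb10u8"}

_DIGITS = "0123456789"


def _order(c: str) -> int:
    """Character weight used by dpkg: '~' < end-of-string < letters < others."""
    if c in _DIGITS:
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    if c:
        return ord(c) + 256
    return 0  # end of string


def _verrevcmp(a: str, b: str) -> int:
    """Compare one upstream_version or debian_revision component like dpkg."""
    i = j = 0
    la, lb = len(a), len(b)
    while i < la or j < lb:
        first_diff = 0
        # Alternate: a run of non-digit characters ...
        while (i < la and a[i] not in _DIGITS) or (j < lb and b[j] not in _DIGITS):
            ac = _order(a[i] if i < la else "")
            bc = _order(b[j] if j < lb else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # ... then a numeric run, compared as integers (leading zeros dropped).
        while i < la and a[i] == "0":
            i += 1
        while j < lb and b[j] == "0":
            j += 1
        while i < la and j < lb and a[i] in _DIGITS and b[j] in _DIGITS:
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < la and a[i] in _DIGITS:
            return 1   # a has more digits, so it is the larger number
        if j < lb and b[j] in _DIGITS:
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str):
    """Split '[epoch:]upstream_version[-debian_revision]'."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        upstream, revision = version, ""
    return epoch, upstream, revision


def dpkg_compare(a: str, b: str) -> int:
    """Return -1, 0 or 1 like `dpkg --compare-versions`."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def is_patched(installed: str, fixed: str) -> bool:
    return dpkg_compare(installed, fixed) >= 0


def installed_version(package: str) -> Optional[str]:
    """Installed version via dpkg-query; None if not installed or not on Debian."""
    try:
        out = subprocess.run(
            ["dpkg-query", "-W", "-f=${Version}", package],
            capture_output=True, text=True, check=True,
        )
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip() or None


# Constructed sample versions, not taken from any real host.
SAMPLES = ["10.24.0~dfsg-1~deb10u7", "10.24.0~dfsg-1~deb10u8", "10.24.0~dfsg-1~deb10u10"]

if __name__ == "__main__":
    for v in SAMPLES:
        print(f"{v}: {'patched' if is_patched(v, FIXED['nodejs']) else 'VULNERABLE'}")
    live = installed_version("nodejs")
    if live:
        print(f"installed nodejs {live}: "
              f"{'patched' if is_patched(live, FIXED['nodejs']) else 'VULNERABLE'}")
```

On a real buster host the same decision can be taken with `dpkg --compare-versions "$(dpkg-query -W -f='${Version}' nodejs)" ge 10.24.0~dfsg-1~deb10u8`; the Python version is useful when inventory data is collected off-box and dpkg is not available.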

Further information about Extended LTS security advisories can be found in the dedicated section of our website.