The article discusses a memory leak vulnerability (CVE-2025-23085) in HTTP/2 servers on specific Node.js versions (v18.x, v20.x, v22.x, v23.x). The issue arises when a remote peer closes a socket unexpectedly, without sending a GOAWAY frame. The same leak is also triggered when nghttp2 detects an invalid header and the connection is then terminated. This flaw could result in increased memory usage and possible denial of service, posing serious risks to users operating on the affected versions.
A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification, leading to increased memory consumption in HTTP/2 servers.
The vulnerability affects multiple Node.js versions (v18.x, v20.x, v22.x, v23.x), presenting a significant risk for users running HTTP/2 servers on them.
If nghttp2 detects an invalid header, the same memory leak can be triggered when the peer subsequently terminates the connection, compounding the service impact.
As a result of this flaw, users of affected Node.js versions may experience denial of service due to uncontrolled memory consumption.