CVE-2025-23085
📋 TL;DR
A memory leak vulnerability in Node.js HTTP/2 server occurs when remote peers abruptly close connections without proper GOAWAY notifications or when invalid headers cause connection termination. This leads to increased memory consumption and potential denial of service. Affects Node.js v18.x, v20.x, v22.x, and v23.x HTTP/2 server users.
💻 Affected Systems
- Node.js
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Sustained exploitation could exhaust server memory, causing complete denial of service and potential system instability.
Likely Case
Gradual memory consumption increase under heavy HTTP/2 traffic, potentially degrading performance over time.
If Mitigated
Minimal impact with proper monitoring and restart procedures in place.
🎯 Exploit Status
Exploitation requires ability to establish HTTP/2 connections and trigger specific connection termination scenarios.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Node.js v18.21.3, v20.17.1, v22.12.1, v23.6.1
Vendor Advisory: https://nodejs.org/en/blog/vulnerability/january-2025-security-releases
Restart Required: Yes
Instructions:
1. Check current Node.js version with 'node --version'.
2. Update to patched version using your package manager (npm, apt, yum).
3. Restart all Node.js applications using HTTP/2 server functionality.
🔧 Temporary Workarounds
Disable HTTP/2 Server
Platform: all
Disable HTTP/2 functionality if not required, falling back to HTTP/1.x
Modify Node.js application to not use http2.createServer() or disable HTTP/2 in server configuration
Implement Connection Limits
Platform: all
Limit concurrent HTTP/2 connections to reduce potential memory impact
Implement connection limiting middleware or configure reverse proxy limits
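One way to implement the connection-limit workaround inside the application itself, as an added example that is not part of the original advisory or of Node.js. The names limitHttp2Sessions, maxTotal and maxPerAddress are hypothetical; the 'session' and 'close' events and session.destroy() are the standard node:http2 API.

```javascript
// Added example: cap concurrent HTTP/2 sessions on a Node.js http2 server.
// limitHttp2Sessions, maxTotal and maxPerAddress are hypothetical names.
function limitHttp2Sessions(server, { maxTotal = 1000, maxPerAddress = 20 } = {}) {
  const perAddress = new Map(); // remote address -> open session count
  const stats = { active: 0, rejected: 0 };

  server.on('session', (session) => {
    const addr = (session.socket && session.socket.remoteAddress) || 'unknown';
    const fromAddr = perAddress.get(addr) || 0;

    if (stats.active >= maxTotal || fromAddr >= maxPerAddress) {
      stats.rejected += 1;
      session.destroy(); // over the cap: drop before any stream is served
      return;
    }

    stats.active += 1;
    perAddress.set(addr, fromAddr + 1);

    // 'close' is emitted when the session is torn down; release the
    // counters then so the caps track sessions that are still open.
    session.once('close', () => {
      stats.active -= 1;
      const left = perAddress.get(addr) - 1;
      if (left > 0) perAddress.set(addr, left);
      else perAddress.delete(addr);
    });
  });

  return { stats, perAddress };
}

// Usage in an application (certificate options omitted):
//   const http2 = require('node:http2');
//   const server = http2.createSecureServer({ key, cert }, handler);
//   const limiter = limitHttp2Sessions(server, { maxTotal: 500, maxPerAddress: 10 });
//   setInterval(() => console.log(limiter.stats, process.memoryUsage().rss), 60_000);
```

Behind a reverse proxy every session carries the proxy's address, so only maxTotal is meaningful there. Logging stats.rejected next to process memory gives the monitoring described further down a counter to alert on.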
🧯 If You Can't Patch
- Implement aggressive memory monitoring and automatic restart policies for Node.js processes
- Use a reverse proxy with HTTP/2 termination to shield vulnerable Node.js servers
🔍 How to Verify
Check if Vulnerable:
Check whether the Node.js version falls within v18.0.0-18.21.2, v20.0.0-20.17.0, v22.0.0-22.12.0, or v23.0.0-23.6.0 and the application uses the HTTP/2 server
Check Version:
node --version
Verify Fix Applied:
Confirm Node.js version is v18.21.3+, v20.17.1+, v22.12.1+, or v23.6.1+
📡 Detection & Monitoring
Log Indicators:
- Unusual memory growth patterns in Node.js processes
- HTTP/2 connection resets without GOAWAY frames
- Increased garbage collection activity
Network Indicators:
- Abnormal HTTP/2 connection termination patterns
- Repeated invalid header attempts
SIEM Query:
source="nodejs" AND (event="memory_warning" OR event="process_restart") AND process_name="node"