CVE-2025-23085: 
npm vulnerability analysis and mitigation

A vulnerability tracked as CVE-2025-23085 was discovered in NodeJS when handling HTTP/2 connections. The issue occurs when a remote peer abruptly closes the socket without sending a proper GOAWAY notification, or when an invalid header is detected by nghttp2 causing the connection to be terminated by the peer. This vulnerability affects HTTP/2 Server users on Node.js versions v18.x, v20.x, v22.x and v23.x, and was disclosed in January 2025 (NodeJS Blog).

The vulnerability is classified as medium severity with a CVSS v3.0 base score of 5.3. The vulnerability vector string is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L, indicating it can be exploited remotely with low attack complexity, requires no privileges or user interaction, and has a low impact on availability. The core issue involves a memory leak that occurs outside the heap when handling HTTP/2 connections (Red Hat CVE).

When exploited, this vulnerability can lead to increased memory consumption and potential denial of service under certain conditions. The flaw allows an attacker to force the targeted process in the targeted host to an uncontrollable resource consumption state, potentially starving the process and other processes running on the same host due to memory starvation (Red Hat CVE).

The vulnerability has been fixed in the following Node.js versions: v18.20.6, v20.18.2, v22.13.1, and v23.6.1. Users are strongly advised to upgrade to these patched versions. There are no alternative mitigations available other than updating to the package version which contains the fix (NodeJS Blog, Red Hat CVE).