CVE-2025-23085 in Node.js
Summary
by MITRE • 02/07/2025
A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could lead to increased memory consumption and potential denial of service under certain conditions.
This vulnerability affects HTTP/2 Server users on Node.js v18.x, v20.x, v22.x and v23.x.
Analysis
by VulDB Data Team • 11/16/2025
The vulnerability identified as CVE-2025-23085 represents a critical memory management issue within the HTTP/2 server implementation of Node.js versions 18.x, 20.x, 22.x, and 23.x. This flaw manifests when the server encounters specific connection termination scenarios that result in improper memory cleanup. The vulnerability stems from the nghttp2 library's handling of connection states where memory allocated for processing HTTP/2 frames and connection metadata is not properly released when certain error conditions occur. The root cause lies in the server's failure to account for memory deallocation in edge cases involving abrupt socket closures or invalid header detection, creating a persistent memory leak that accumulates over time. This issue directly maps to CWE-401: Improper Release of Memory and aligns with ATT&CK technique T1499.004: Endpoint Denial of Service, as it can lead to resource exhaustion and system instability.
The technical exploitation of this vulnerability occurs when a remote peer establishes an HTTP/2 connection and then abruptly terminates it without sending the proper GOAWAY frame that signals graceful connection shutdown. Additionally, the flaw is triggered when nghttp2 encounters invalid HTTP/2 headers that cause the connection to be terminated by the peer, which then results in the same memory leak pattern. In both scenarios, the Node.js server fails to properly invoke the cleanup routines that would normally release memory allocated for the connection context, frame buffers, and associated data structures. The memory leak typically manifests as gradual accumulation of heap memory that cannot be reclaimed by the garbage collector, leading to increased memory pressure on the server process. This behavior is particularly concerning in high-traffic environments where multiple connections may be established and terminated rapidly, as the cumulative effect can quickly exhaust available memory resources and lead to process crashes or system instability.
The operational impact of CVE-2025-23085 extends beyond simple memory consumption issues to potentially compromise system availability and performance. Under sustained attack conditions where malicious peers repeatedly establish and abruptly terminate connections, the server will experience progressive memory degradation that can eventually result in denial of service. The vulnerability affects all Node.js versions mentioned in the advisory, making it particularly widespread across modern server deployments that rely on HTTP/2 for performance optimization. Organizations running HTTP/2 servers in production environments are at risk of experiencing increased latency, reduced throughput, and potential application crashes. The memory leak can also interfere with other system processes by consuming excessive resources, potentially causing cascading failures in containerized environments or cloud deployments where resource limits are strictly enforced. This vulnerability directly impacts the reliability of web applications and services that depend on Node.js HTTP/2 server capabilities.
Mitigation strategies for CVE-2025-23085 should prioritize immediate patching of affected Node.js versions to the latest releases that contain the memory management fixes. Organizations should implement monitoring solutions to track memory consumption patterns and detect unusual increases that may indicate exploitation of the vulnerability. Network-level mitigations can include connection rate limiting, proper connection lifecycle management, and intrusion detection systems that can identify suspicious connection patterns. The recommended approach involves upgrading to Node.js versions that have addressed the specific memory leak conditions in nghttp2 library handling, particularly the cleanup routines for connection termination scenarios. Additionally, administrators should consider implementing connection pooling strategies and connection timeouts to reduce the window of vulnerability exposure. Security teams should also review their incident response procedures to ensure rapid detection of and response to memory exhaustion events that could indicate this vulnerability being exploited in the wild.