Medium severity5.3NVD Advisory· Published Feb 7, 2025· Updated Apr 15, 2026

CVE-2025-23085

Description

A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could lead to increased memory consumption and potential denial of service under certain conditions.

This vulnerability affects HTTP/2 Server users on Node.js v18.x, v20.x, v22.x and v23.x.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

lists.debian.org/debian-lts-announce/2025/02/msg00031.htmlnvd
nodejs.org/en/blog/vulnerability/january-2025-security-releasesnvd
security.netapp.com/advisory/ntap-20250321-0003/nvd

News mentions

No linked articles in our index yet.

cvss	0.345
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000