From: Anil Dongare <[email protected]> Upstream Repository: https://github.com/nodejs/node.git
Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2025-59465 Type: Security Fix CVE: CVE-2025-59465 Score: 7.5 Patch: https://github.com/nodejs/node/commit/eb8e41f8dbe6 Signed-off-by: Anil Dongare <[email protected]>
---
.../nodejs/nodejs/CVE-2025-59465.patch | 49 +++++++++++++++++++
.../recipes-devtools/nodejs/nodejs_20.18.2.bb | 1 +
2 files changed, 50 insertions(+)
create mode 100644 meta-oe/recipes-devtools/nodejs/nodejs/CVE-2025-59465.patch
diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2025-59465.patch b/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2025-59465.patch
new file mode 100644
index 0000000000..81d64609c3
--- /dev/null
+++ b/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2025-59465.patch
@@ -0,0 +1,49 @@
+From 27ddb91569c1bd9c72dbc557e53458b9ebfbc573 Mon Sep 17 00:00:00 2001
+From: RafaelGSS <[email protected]>
+Date: Fri, 31 Oct 2025 16:27:48 -0300
+Subject: [PATCH 5/6] lib: add TLSSocket default error handler
+
+This prevents the server from crashing due to an unhandled rejection
+when a TLSSocket connection is abruptly destroyed during initialization
+and the user has not attached an error handler to the socket.
+e.g:
+
+```js
+const server = http2.createSecureServer({ ... })
+server.on('secureConnection', socket => {
+ socket.on('error', err => {
+ console.log(err)
+ })
+})
+```
+
+PR-URL: https://github.com/nodejs-private/node-private/pull/797
+Fixes: https://github.com/nodejs/node/issues/44751
+Refs: https://hackerone.com/bugs?subject=nodejs&report_id=3262404
+Reviewed-By: Matteo Collina <[email protected]>
+Reviewed-By: Anna Henningsen <[email protected]>
+CVE-ID: CVE-2025-59465
+
+CVE: CVE-2025-59465
+Upstream-Status: Backport [https://github.com/nodejs/node/commit/eb8e41f8dbe6]
+
+(cherry picked from commit eb8e41f8dbe6de127fb11baca725e1b469612434)
+Signed-off-by: Anil Dongare <[email protected]>
+---
+ lib/_tls_wrap.js | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/_tls_wrap.js b/lib/_tls_wrap.js
+index c3e48a6cbc8..d9c7e32174d 100644
+--- a/lib/_tls_wrap.js
++++ b/lib/_tls_wrap.js
+@@ -1268,6 +1268,7 @@ function tlsConnectionListener(rawSocket) {
+ socket[kErrorEmitted] = false;
+ socket.on('close', onSocketClose);
+ socket.on('_tlsError', onSocketTLSError);
++ socket.on('error', onSocketTLSError);
+ }
+
+ // AUTHENTICATION MODES
+--
+2.43.7
diff --git a/meta-oe/recipes-devtools/nodejs/nodejs_20.18.2.bb b/meta-oe/recipes-devtools/nodejs/nodejs_20.18.2.bb
index 68eb40bc1d..b1c9057557 100644
--- a/meta-oe/recipes-devtools/nodejs/nodejs_20.18.2.bb
+++ b/meta-oe/recipes-devtools/nodejs/nodejs_20.18.2.bb
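Review bot: The added `socket.on('error', onSocketTLSError);` in `tlsConnectionListener` has no comment saying why a default listener is installed, and because a listener is now always attached, an 'error' on a server-side TLS socket will no longer surface as an uncaught exception. I would add above it `// Default handler: a socket destroyed during setup must not crash the server when the user attached no 'error' listener.` The body of `onSocketTLSError` is outside the hunk, so whether it still reports errors that arrive after the handshake cannot be confirmed from here; deployments that relied on the crash to notice such failures should probably watch the server's `tlsClientError` event or attach their own listener in `secureConnection`. `tlsConnectionListener` starts before the hunk, and the nested patch touches only `lib/_tls_wrap.js`, so it carries no regression test for the abrupt-destroy case.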
@@ -33,6 +33,7 @@ SRC_URI = "http://nodejs.org/dist/v${PV}/node-v${PV}.tar.xz \
 file://CVE-2025-55130.patch \
 file://CVE-2025-59466.patch \
 file://CVE-2026-21637.patch \
+ file://CVE-2025-59465.patch \
 "
 SRC_URI:append:class-target = " \
 file://0001-Using-native-binaries.patch \
--
2.44.1
