Red Hat Security Advisory: nodejs:18 security update
Red Hat issued a moderate severity security advisory for the nodejs:18 module addressing two vulnerabilities: CVE-2025-22150, where the undici HTTP client uses insufficiently random values, and CVE-2025-23085, where GOAWAY HTTP/2 frames cause a memory leak outside the heap. These issues affect Red Hat Enterprise Linux 8 variants. The advisory includes updated packages to fix these vulnerabilities.
AI Analysis
Technical Summary
This advisory covers two security vulnerabilities in the Red Hat build of Node.js 18. The first, CVE-2025-22150, involves the undici HTTP client component using insufficiently random values, which relates to CWE-330 (Insufficient Entropy). The second, CVE-2025-23085, concerns a memory leak caused by GOAWAY HTTP/2 frames outside the heap, linked to CWE-400 (Uncontrolled Resource Consumption). Red Hat has released updated packages for multiple architectures of Red Hat Enterprise Linux 8 to address these issues.
Potential Impact
The insufficient randomness in undici could weaken any cryptographic or security-related operation that depends on unpredictable values, and the memory leak triggered by GOAWAY HTTP/2 frames could degrade the stability or availability of affected services. The advisory rates the overall impact as moderate.
Mitigation Recommendations
Red Hat has released updated nodejs:18 packages for Red Hat Enterprise Linux 8 and its variants that fix these vulnerabilities. Users should apply the security update as detailed in the Red Hat advisory (RHSA-2025:1582) and the linked update instructions at https://access.redhat.com/articles/11258. No additional mitigation steps are indicated beyond applying the official update.
Technical Details
- GCVE Source: db.gcve.eu
- CSAF Category: csaf_security_advisory
- CSAF Version: 2.0
- Publisher: Red Hat Product Security
- Advisory ID: RHSA-2025:1582
- CVE Count: 2
- Additional CVEs: CVE-2025-23085
- CVSS Version: not provided
Threat ID: 6a419cb527e9c79719abcedc
Added to database: 06/28/2026, 22:14:13 UTC
Last enriched: 06/28/2026, 22:30:16 UTC
Last updated: 07/01/2026, 04:51:10 UTC