Amazon Linux 2023 Security Advisory: ALAS2023-2025-1009
Advisory Released Date: 2025-06-10
Advisory Updated Date: 2025-06-10
Corrupted pointer in node::fs::ReadFileUtf8(const FunctionCallbackInfo<Value>& args) when args[0] is a string, resulting in an unrecoverable memory leak on every call. Repeated use can cause unbounded memory growth, leading to a denial of service.
Info: https://nodejs.org/en/blog/vulnerability/may-2025-security-releases#corrupted-pointer-in-nodefsreadfileutf8const-functioncallbackinfovalue-args-when-args0-is-a-string-cve-2025-23165---low (CVE-2025-23165)
Improper error handling in async cryptographic operations crashes process
Info: https://nodejs.org/en/blog/vulnerability/may-2025-security-releases#improper-error-handling-in-async-cryptographic-operations-crashes-process-cve-2025-23166---high (CVE-2025-23166)
Undici is an HTTP/1.1 client for Node.js. Prior to versions 5.29.0, 6.21.2, and 7.5.0, applications that use undici to implement a webhook-like system are vulnerable. If an attacker sets up a server with an invalid certificate and can force the application to call the webhook repeatedly, they can cause a memory leak. This has been patched in versions 5.29.0, 6.21.2, and 7.5.0. As a workaround, avoid calling a webhook repeatedly if the webhook fails. (CVE-2025-47279)
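The workaround for CVE-2025-47279 (stop calling a webhook that keeps failing) can be enforced with a per-endpoint circuit breaker. The following is an added example, not part of the advisory or of undici; the names WebhookBreaker and deliver, the thresholds and the 5-second timeout are assumptions.

```javascript
// Added example: per-endpoint circuit breaker for outbound webhook calls.
// WebhookBreaker, deliver and all default values are hypothetical choices.
class WebhookBreaker {
  constructor({ maxFailures = 3, baseDelayMs = 60_000, maxDelayMs = 3_600_000 } = {}) {
    this.maxFailures = maxFailures;
    this.baseDelayMs = baseDelayMs;
    this.maxDelayMs = maxDelayMs;
    this.state = new Map(); // url -> { failures, retryAt }
  }

  // True if a call to this endpoint is currently permitted.
  allow(url, now = Date.now()) {
    const s = this.state.get(url);
    return !s || s.failures < this.maxFailures || now >= s.retryAt;
  }

  // Count a consecutive failure. At the threshold the endpoint is suspended,
  // and each further failure doubles the suspension up to maxDelayMs.
  recordFailure(url, now = Date.now()) {
    const s = this.state.get(url) ?? { failures: 0, retryAt: 0 };
    s.failures += 1;
    if (s.failures >= this.maxFailures) {
      const exp = s.failures - this.maxFailures;
      s.retryAt = now + Math.min(this.baseDelayMs * 2 ** exp, this.maxDelayMs);
    }
    this.state.set(url, s);
    return s.retryAt;
  }

  // A successful delivery clears the failure history for the endpoint.
  recordSuccess(url) {
    this.state.delete(url);
  }
}

// Deliver one event; `send` defaults to Node's global fetch.
async function deliver(breaker, url, body, send = fetch) {
  if (!breaker.allow(url)) return { sent: false, reason: 'suspended' };
  try {
    const res = await send(url, { method: 'POST', body, signal: AbortSignal.timeout(5000) });
    if (!res.ok) throw new Error(`HTTP ${res.status}`);
    breaker.recordSuccess(url);
    return { sent: true };
  } catch (err) {
    // Certificate validation errors, timeouts and non-2xx replies all count.
    breaker.recordFailure(url);
    return { sent: false, reason: err.message };
  }
}
```

Suspended endpoints are skipped without opening a connection, so a receiver presenting an invalid certificate is contacted at most once per back-off window instead of on every event.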
Affected Packages:
nodejs22
Issue Correction:
Run dnf update nodejs22 --releasever 2023.7.20250609 to update your system.
aarch64:
nodejs22-libs-debuginfo-22.16.0-1.amzn2023.0.1.aarch64
nodejs22-devel-22.16.0-1.amzn2023.0.1.aarch64
nodejs22-full-i18n-22.16.0-1.amzn2023.0.1.aarch64
nodejs22-debuginfo-22.16.0-1.amzn2023.0.1.aarch64
nodejs22-22.16.0-1.amzn2023.0.1.aarch64
nodejs22-libs-22.16.0-1.amzn2023.0.1.aarch64
v8-12.4-devel-12.4.254.21-1.22.16.0.1.amzn2023.0.1.aarch64
nodejs22-npm-10.9.2-1.22.16.0.1.amzn2023.0.1.aarch64
nodejs22-debugsource-22.16.0-1.amzn2023.0.1.aarch64
noarch:
nodejs22-docs-22.16.0-1.amzn2023.0.1.noarch
src:
nodejs22-22.16.0-1.amzn2023.0.1.src
x86_64:
nodejs22-libs-debuginfo-22.16.0-1.amzn2023.0.1.x86_64
nodejs22-debuginfo-22.16.0-1.amzn2023.0.1.x86_64
nodejs22-full-i18n-22.16.0-1.amzn2023.0.1.x86_64
nodejs22-libs-22.16.0-1.amzn2023.0.1.x86_64
v8-12.4-devel-12.4.254.21-1.22.16.0.1.amzn2023.0.1.x86_64
nodejs22-devel-22.16.0-1.amzn2023.0.1.x86_64
nodejs22-22.16.0-1.amzn2023.0.1.x86_64
nodejs22-npm-10.9.2-1.22.16.0.1.amzn2023.0.1.x86_64
nodejs22-debugsource-22.16.0-1.amzn2023.0.1.x86_64