ALAS2023-2025-1010


Amazon Linux 2023 Security Advisory: ALAS2023-2025-1010
Advisory Released Date: 2025-06-10
Advisory Updated Date: 2025-06-10
Severity: Important

Issue Overview:

Corrupted pointer in node::fs::ReadFileUtf8(const FunctionCallbackInfo<Value>& args) when args[0] is a string, resulting in an unrecoverable memory leak on every call. Repeated use can cause unbounded memory growth, leading to a denial of service.

Info: https://nodejs.org/en/blog/vulnerability/may-2025-security-releases#corrupted-pointer-in-nodefsreadfileutf8const-functioncallbackinfovalue-args-when-args0-is-a-string-cve-2025-23165---low (CVE-2025-23165)

Improper error handling in async cryptographic operations crashes process

Info: https://nodejs.org/en/blog/vulnerability/may-2025-security-releases#improper-error-handling-in-async-cryptographic-operations-crashes-process-cve-2025-23166---high (CVE-2025-23166)

Improper HTTP header block termination in llhttp which enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests. This vulnerability affects only Node.js 20.x users prior to the llhttp v9 upgrade.

Info: https://nodejs.org/en/blog/vulnerability/may-2025-security-releases#improper-http-header-block-termination-in-llhttp-cve-2025-23167---medium (CVE-2025-23167)

Undici is an HTTP/1.1 client for Node.js. Prior to versions 5.29.0, 6.21.2, and 7.5.0, applications that use undici to implement a webhook-like system are vulnerable. If an attacker sets up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak. This has been patched in versions 5.29.0, 6.21.2, and 7.5.0. As a workaround, avoid calling a webhook repeatedly if the webhook fails. (CVE-2025-47279)


Affected Packages:

nodejs20


Issue Correction:
Run dnf update nodejs20 --releasever 2023.7.20250609 to update your system.
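Before and after updating, a fleet check that compares the installed nodejs20 build against the fixed build listed in this advisory is useful. The script below is an added example and not part of the advisory; it assumes GNU sort -V ordering for the version-release string (epoch is ignored) and uses the rpm query format shown in the comment, falling back to a constructed sample when rpm is not available.

```shell
#!/bin/sh
# Fixed version-release of nodejs20 from this advisory (ALAS2023-2025-1010).
FIXED_EVR="20.19.2-1.amzn2023.0.1"

# is_older INSTALLED FIXED: exit 0 when INSTALLED sorts before FIXED.
# Relies on GNU sort -V for version ordering (so 20.19.10 > 20.19.2).
is_older() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# check_packages: reads "name version-release" lines on stdin and prints
# "VULNERABLE name-evr" or "OK name-evr" for each one.
check_packages() {
    while read -r name evr; do
        [ -z "$name" ] && continue
        if is_older "$evr" "$FIXED_EVR"; then
            printf 'VULNERABLE %s-%s\n' "$name" "$evr"
        else
            printf 'OK %s-%s\n' "$name" "$evr"
        fi
    done
}

# Constructed sample in the shape of:
#   rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' nodejs20 nodejs20-libs
# One package is still on an older build, the other is already fixed.
SAMPLE="nodejs20 20.18.3-1.amzn2023.0.1
nodejs20-libs 20.19.2-1.amzn2023.0.1"

# run_check: query the real RPM database when rpm exists, else use SAMPLE.
# The grep drops rpm's "package ... is not installed" lines.
run_check() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' nodejs20 nodejs20-libs 2>/dev/null |
            grep '^nodejs20' | check_packages
    else
        printf '%s\n' "$SAMPLE" | check_packages
    fi
}

run_check
```

A VULNERABLE line means the host still needs the dnf update above; the same check can be run again afterwards to confirm every nodejs20 package reports OK.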

New Packages:
aarch64:
    nodejs20-libs-debuginfo-20.19.2-1.amzn2023.0.1.aarch64
    nodejs20-full-i18n-20.19.2-1.amzn2023.0.1.aarch64
    nodejs20-debuginfo-20.19.2-1.amzn2023.0.1.aarch64
    nodejs20-devel-20.19.2-1.amzn2023.0.1.aarch64
    nodejs20-libs-20.19.2-1.amzn2023.0.1.aarch64
    v8-11.3-devel-11.3.244.8-1.20.19.2.1.amzn2023.0.1.aarch64
    nodejs20-20.19.2-1.amzn2023.0.1.aarch64
    nodejs20-npm-10.8.2-1.20.19.2.1.amzn2023.0.1.aarch64
    nodejs20-debugsource-20.19.2-1.amzn2023.0.1.aarch64

noarch:
    nodejs20-docs-20.19.2-1.amzn2023.0.1.noarch

src:
    nodejs20-20.19.2-1.amzn2023.0.1.src

x86_64:
    nodejs20-libs-debuginfo-20.19.2-1.amzn2023.0.1.x86_64
    nodejs20-devel-20.19.2-1.amzn2023.0.1.x86_64
    nodejs20-debuginfo-20.19.2-1.amzn2023.0.1.x86_64
    nodejs20-full-i18n-20.19.2-1.amzn2023.0.1.x86_64
    nodejs20-libs-20.19.2-1.amzn2023.0.1.x86_64
    v8-11.3-devel-11.3.244.8-1.20.19.2.1.amzn2023.0.1.x86_64
    nodejs20-20.19.2-1.amzn2023.0.1.x86_64
    nodejs20-npm-10.8.2-1.20.19.2.1.amzn2023.0.1.x86_64
    nodejs20-debugsource-20.19.2-1.amzn2023.0.1.x86_64