Medium

GOAWAY HTTP/2 Memory Leak in Node.js

IdentifiersCVE-2025-23085CWE-401· Missing Release of Memory after…

CVE-2025-23085 is a memory leak in Node.js HTTP/2 server handling, affecting Node.js v18.x, v20.x, v22.x, and v23.x. The issue occurs when a remote peer abruptly closes the socket without sending an HTTP/2 GOAWAY frame. The same leak can also be triggered when nghttp2 detects an invalid header and the connection is then terminated by the peer. Under these error-handling/connection-teardown conditions, memory associated with the HTTP/2 connection is not properly released, causing memory consumption to grow over time. The flaw is specifically described as affecting HTTP/2 Server users on the listed Node.js release lines.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can cause unbounded or repeated memory consumption in affected Node.js HTTP/2 server processes, potentially degrading performance and leading to denial of service if an attacker can repeatedly trigger the leak. The primary impact is availability loss rather than code execution or privilege escalation.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure of Node.js HTTP/2 server endpoints to untrusted remote clients, disable HTTP/2 where operationally feasible, and place affected services behind controls that limit abusive connection churn and malformed traffic. Monitoring for abnormal process memory growth and restarting impacted services can reduce operational impact, but no specific workaround is identified in the provided content.

Remediation

Patch, then assume compromise.

Upgrade Node.js to a fixed release. The provided content identifies the patched versions as v18.20.6, v20.18.2, v22.13.1, and v23.6.1. Where the vulnerable runtime is bundled through downstream products or buildpacks, apply the corresponding vendor update that incorporates the fixed Node.js version.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

HitachiOps Center Analyzerapplication

NodejsNodejsapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

7 SOURCESView more in app

cyble comNews

Jan 28, 2025

Node.js Flaws Expose Systems To Remote Attacks

A Node.js HTTP/2 memory leak triggered by a remote peer closing a socket without sending GOAWAY, potentially leading to resource exhaustion and denial of service.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity