Debian Security Advisory

DLA-3344-1 nodejs -- LTS security update

Date Reported:
26 Feb 2023
Affected Packages:
Security database references:
In the Debian bugtracking system: Bug 1023518, Bug 1031834.
In Mitre's CVE dictionary: CVE-2022-43548, CVE-2023-23920.
More information:

Vulnerabilities have been found in Node.js, which could result in DNS rebinding or arbitrary code execution.

  • CVE-2022-43548

    The Node.js rebinding protector for --inspect still allows invalid IP addresses, specifically in octal format, which browsers such as Firefox attempt to resolve via DNS. When combined with an active --inspect session, such as when using VSCode, an attacker can perform DNS rebinding and execute arbitrary code.

  • CVE-2023-23920

    Ben Noordhuis reported that Node.js would search and potentially load ICU data when running with elevated privileges. Node.js now builds with ICU_NO_USER_DATA_OVERRIDE to avoid this.

For Debian 10 buster, these problems have been fixed in version 10.24.0~dfsg-1~deb10u3.

We recommend that you upgrade your nodejs packages.

For the detailed security status of nodejs please refer to its security tracker page at:

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: