NVD Description

Note: Versions mentioned in the description apply only to the upstream imagemagick package and not the imagemagick package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-28 and 7.1.2-2 for ImageMagick's 32-bit build, a 32-bit integer overflow in the BMP encoder’s scanline-stride computation collapses bytes_per_line (stride) to a tiny value while the per-row writer still emits 3 × width bytes for 24-bpp images. The row base pointer advances using the (overflowed) stride, so the first row immediately writes past its slot and into adjacent heap memory with attacker-controlled bytes. This is a classic, powerful primitive for heap corruption in common auto-convert pipelines. This issue has been patched in versions 6.9.13-28 and 7.1.2-2.

Remediation

Upgrade Debian:12 imagemagick to version 8:6.9.11.60+dfsg-1.6+deb12u4 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2025-57803
• https://github.com/ImageMagick/ImageMagick/commit/2c55221f4d38193adcb51056c14cf238fbcc35d7
• https://github.com/dlemstra/Magick.NET/releases/tag/14.8.1
• https://lists.debian.org/debian-lts-announce/2025/09/msg00012.html
• https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-mxvv-97wh-cfmm

NVD Description

Note: Versions mentioned in the description apply only to the upstream imagemagick package and not the imagemagick package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to ImageMagick versions 6.9.13-28 and 7.1.2-2, a format string bug vulnerability exists in InterpretImageFilename function where user input is directly passed to FormatLocaleString without proper sanitization. An attacker can overwrite arbitrary memory regions, enabling a wide range of attacks from heap overflow to remote code execution. This issue has been patched in versions 6.9.13-28 and 7.1.2-2.

Remediation

Upgrade Debian:12 imagemagick to version 8:6.9.11.60+dfsg-1.6+deb12u4 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2025-55298
• https://github.com/ImageMagick/ImageMagick/commit/439b362b93c074eea6c3f834d84982b43ef057d5
• https://github.com/dlemstra/Magick.NET/releases/tag/14.8.1
• https://lists.debian.org/debian-lts-announce/2025/09/msg00012.html
• https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-9ccg-6pjw-x645

NVD Description

Note: Versions mentioned in the description apply only to the upstream tiff package and not the tiff package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A flaw was found in Libtiff. This vulnerability is a "write-what-where" condition, triggered when the library processes a specially crafted TIFF image file.

By providing an abnormally large image height value in the file's metadata, an attacker can trick the library into writing attacker-controlled color data to an arbitrary memory location. This memory corruption can be exploited to cause a denial of service (application crash) or to achieve arbitrary code execution with the permissions of the user.

Remediation

Upgrade Debian:12 tiff to version 4.5.0-6+deb12u3 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2025-9900
• https://access.redhat.com/security/cve/CVE-2025-9900
• https://bugzilla.redhat.com/show_bug.cgi?id=2392784
• https://access.redhat.com/errata/RHSA-2025:17651
• https://access.redhat.com/errata/RHSA-2025:17675
• https://access.redhat.com/errata/RHSA-2025:17710
• https://access.redhat.com/errata/RHSA-2025:17738
• https://access.redhat.com/errata/RHSA-2025:17739
• https://access.redhat.com/errata/RHSA-2025:17740
• https://access.redhat.com/errata/RHSA-2025:19113
• https://access.redhat.com/errata/RHSA-2025:19156
• https://access.redhat.com/errata/RHSA-2025:19276
• https://lists.debian.org/debian-lts-announce/2025/09/msg00031.html
• http://www.openwall.com/lists/oss-security/2025/09/26/3
• https://access.redhat.com/errata/RHSA-2025:19906
• https://gitlab.com/libtiff/libtiff/-/issues/704
• https://gitlab.com/libtiff/libtiff/-/merge_requests/732
• https://libtiff.gitlab.io/libtiff/releases/v4.7.1.html
• https://access.redhat.com/errata/RHSA-2025:19947
• https://access.redhat.com/errata/RHSA-2025:20956
• https://access.redhat.com/errata/RHSA-2025:20998
• https://access.redhat.com/errata/RHSA-2025:21061
• https://access.redhat.com/errata/RHSA-2025:21062
• https://access.redhat.com/errata/RHSA-2025:21060
• https://access.redhat.com/errata/RHSA-2025:21407
• https://access.redhat.com/errata/RHSA-2025:21506
• https://access.redhat.com/errata/RHSA-2025:21507
• https://access.redhat.com/errata/RHSA-2025:21508
• https://access.redhat.com/errata/RHSA-2025:21994
• https://access.redhat.com/errata/RHSA-2025:23078
• https://access.redhat.com/errata/RHSA-2025:23079
• https://access.redhat.com/errata/RHSA-2025:23080
• https://access.redhat.com/errata/RHSA-2026:0001
• https://access.redhat.com/errata/RHSA-2026:0078
• https://access.redhat.com/errata/RHSA-2026:0076
• https://access.redhat.com/errata/RHSA-2026:0077
• https://github.com/SexyShoelessGodofWar/LibTiff-4.7.0-Write-What-Where?tab=readme-ov-file

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Uncaught Exception in the SignTraits::DeriveBits() function, which incorrectly invokes ThrowException() based on user inputs when executing in a background thread. This allows an attacker to trigger a runtime crash.

Note: The cryptographic operations involved are commonly applied to untrusted input.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade node to version 20.19.2, 22.15.1, 23.11.1, 24.0.2 or higher.

References

• GitHub Commit
• GitHub Commit
• HackerOne Report
• Node.js Advisory

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Uncaught Exception due to the unhandled TLSSocket error ECONNRESET. An attacker can cause application crash by passing malformed HTTP/2 HEADERS frame with oversized, invalid HPACK data.

Note:

This issue primary affects applications without explicit error handlers to secure sockets.

Remediation

Upgrade node to version 20.20.0, 22.22.0, 24.13.0, 25.3.0 or higher.

References

• GitHub Commit
• NodeJS Security Advisory

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A flaw was found in GnuTLS. A double-free vulnerability exists in GnuTLS due to incorrect ownership handling in the export logic of Subject Alternative Name (SAN) entries containing an otherName. If the type-id OID is invalid or malformed, GnuTLS will call asn1_delete_structure() on an ASN.1 node it does not own, leading to a double-free condition when the parent function or caller later attempts to free the same structure.

This vulnerability can be triggered using only public GnuTLS APIs and may result in denial of service or memory corruption, depending on allocator behavior.

Remediation

Upgrade Debian:12 gnutls28 to version 3.7.9-2+deb12u5 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2025-32988
• https://access.redhat.com/security/cve/CVE-2025-32988
• https://bugzilla.redhat.com/show_bug.cgi?id=2359622
• https://access.redhat.com/errata/RHSA-2025:16115
• https://access.redhat.com/errata/RHSA-2025:16116
• https://access.redhat.com/errata/RHSA-2025:17348
• https://access.redhat.com/errata/RHSA-2025:17361
• https://access.redhat.com/errata/RHSA-2025:17415
• https://access.redhat.com/errata/RHSA-2025:19088
• https://lists.debian.org/debian-lts-announce/2025/08/msg00005.html
• http://www.openwall.com/lists/oss-security/2025/07/11/3
• https://access.redhat.com/errata/RHSA-2025:17181
• https://access.redhat.com/errata/RHSA-2025:22529

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A heap-buffer-overflow (off-by-one) flaw was found in the GnuTLS software in the template parsing logic within the certtool utility. When it reads certain settings from a template file, it allows an attacker to cause an out-of-bounds (OOB) NULL pointer write, resulting in memory corruption and a denial-of-service (DoS) that could potentially crash the system.

Remediation

Upgrade Debian:12 gnutls28 to version 3.7.9-2+deb12u5 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2025-32990
• https://access.redhat.com/security/cve/CVE-2025-32990
• https://bugzilla.redhat.com/show_bug.cgi?id=2359620
• https://access.redhat.com/errata/RHSA-2025:16115
• https://access.redhat.com/errata/RHSA-2025:16116
• https://access.redhat.com/errata/RHSA-2025:17348
• https://access.redhat.com/errata/RHSA-2025:17361
• https://access.redhat.com/errata/RHSA-2025:17415
• https://access.redhat.com/errata/RHSA-2025:19088
• https://lists.debian.org/debian-lts-announce/2025/08/msg00005.html
• http://www.openwall.com/lists/oss-security/2025/07/11/3
• https://access.redhat.com/errata/RHSA-2025:17181
• https://access.redhat.com/errata/RHSA-2025:22529

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Directory Traversal in the path.join function. An attacker can bypass the path traversal protection and access restricted files by crafting specific path inputs that leverage Windows reserved driver names such as CON, PRN, and AUX.

Note: This issue only affects Windows systems and is a result of an incomplete fix for CVE-2025-23084

Details

A Directory Traversal attack (also known as path traversal) aims to access files and directories that are stored outside the intended folder. By manipulating files with "dot-dot-slash (../)" sequences and its variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system, including application source code, configuration, and other critical system files.

Directory Traversal vulnerabilities can be generally divided into two types:

• Information Disclosure: Allows the attacker to gain information about the folder structure or read the contents of sensitive files on the system.

st is a module for serving static files on web pages, and contains a vulnerability of this type. In our example, we will serve files from the public route.

If an attacker requests the following URL from our server, it will in turn leak the sensitive private key of the root user.

curl http://localhost:8080/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/root/.ssh/id_rsa

Note %2e is the URL encoded version of . (dot).

• Writing arbitrary files: Allows the attacker to create or replace existing files. This type of vulnerability is also known as Zip-Slip.

One way to achieve this is by using a malicious zip archive that holds path traversal filenames. When each filename in the zip archive gets concatenated to the target extraction folder, without validation, the final path ends up outside of the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily.

The following is an example of a zip archive with one benign file and one malicious file. Extracting the malicious file will result in traversing out of the target folder, ending up in /root/.ssh/ overwriting the authorized_keys file:

2018-04-15 22:04:29 .....           19           19  good.txt
2018-04-15 22:04:42 .....           20           20  ../../../../../../root/.ssh/authorized_keys

Remediation

Upgrade node to version 20.19.4, 22.17.1, 24.4.1 or higher.

References

• GitHub Commit
• GitHub Commit
• GitHub Commit
• Node.js Security Advisory
• Exploit DB

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Reliance on Undefined, Unspecified, or Implementation-Defined Behavior due to a flaw in error handling when async_hooks (or AsyncLocalStorage) is enabled. Normally, a "Maximum call stack size exceeded" error (stack overflow) is catchable by try-catch blocks or uncaughtException handlers. However, if this error occurs while an async_hooks callback is on the stack (which happens frequently in frameworks like Next.js or when using APM tools), Node.js treats it as a fatal error. Remote attackers can trigger this crash by sending payloads that cause deep recursion (e.g., deeply nested JSON objects), leading to a Denial of Service.

Notes:

1. Node.js 24.x and 25.x are less affected if using only AsyncLocalStorage, as they use a newer V8 feature that avoids this hook mechanism;

2. The patch improves recoverability in one edge case, but it does not remove the broader risk. Recovery from space exhaustion is unspecified, best‑effort behavior and is not a reliable basis for availability or security.

PoC

import { createHook } from 'node:async_hooks';

// This simulates what APM tools do
createHook({ init() {} }).enable();

function recursive() {
  new Promise(() => {}); // Creates async context
  return recursive();
}

try {
  recursive();
} catch (err) {
  console.log('This never runs', err);
}

Remediation

Upgrade node to version 20.20.0, 22.22.0, 24.13.0, 25.3.0 or higher.

References

• Blog Post
• GitHub Commit
• Node.js Security Releases

NVD Description

Note: Versions mentioned in the description apply only to the upstream perl package and not the perl package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.

Remediation

Upgrade Debian:12 perl to version 5.36.0-7+deb12u3 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-31484
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BM6UW55CNFUTNGD5ZRKGUKKKFDJGMFHL/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LEGCEOKFJVBJ2QQ6S2H4NAEWTUERC7SB/
• http://www.openwall.com/lists/oss-security/2023/04/29/1
• http://www.openwall.com/lists/oss-security/2023/05/03/3
• http://www.openwall.com/lists/oss-security/2023/05/03/5
• http://www.openwall.com/lists/oss-security/2023/05/07/2
• https://blog.hackeriet.no/perl-http-tiny-insecure-tls-default-affects-cpan-modules/
• https://github.com/andk/cpanpm/pull/175
• https://lists.debian.org/debian-lts-announce/2024/10/msg00017.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BM6UW55CNFUTNGD5ZRKGUKKKFDJGMFHL/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LEGCEOKFJVBJ2QQ6S2H4NAEWTUERC7SB/
• https://metacpan.org/dist/CPAN/changes
• https://security.netapp.com/advisory/ntap-20240621-0007/
• https://www.openwall.com/lists/oss-security/2023/04/18/14

NVD Description

Note: Versions mentioned in the description apply only to the upstream imagemagick package and not the imagemagick package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-27 and 7.1.2-1, the magnified size calculations in ReadOneMNGIMage (in coders/png.c) are unsafe and can overflow, leading to memory corruption. This issue has been patched in versions 6.9.13-27 and 7.1.2-1.

Remediation

Upgrade Debian:12 imagemagick to version 8:6.9.11.60+dfsg-1.6+deb12u4 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2025-55154
• https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qp29-wxp5-wh82
• https://goo.gle/bigsleep
• https://lists.debian.org/debian-lts-announce/2025/09/msg00012.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

xmlXIncludeAddNode in xinclude.c in libxml2 before 2.11.0 has a use-after-free.

Remediation

Upgrade Debian:12 libxml2 to version 2.9.14+dfsg-1.3~deb12u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2022-49043
• https://github.com/php/php-src/issues/17467
• https://gitlab.gnome.org/GNOME/libxml2/-/commit/5a19e21605398cef6a8b1452477a8705cb41562b
• https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxslt package and not the libxslt package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A flaw was found in libxslt where the attribute type, atype, flags are modified in a way that corrupts internal memory management. When XSLT functions, such as the key() process, result in tree fragments, this corruption prevents the proper cleanup of ID attributes. As a result, the system may access freed memory, causing crashes or enabling attackers to trigger heap corruption.

Remediation

There is no fixed version for Debian:12 libxslt.

References

• https://security-tracker.debian.org/tracker/CVE-2025-7425
• https://access.redhat.com/security/cve/CVE-2025-7425
• https://bugzilla.redhat.com/show_bug.cgi?id=2379274
• https://access.redhat.com/errata/RHSA-2025:12447
• https://access.redhat.com/errata/RHSA-2025:12450
• https://access.redhat.com/errata/RHSA-2025:13267
• https://access.redhat.com/errata/RHSA-2025:13313
• https://access.redhat.com/errata/RHSA-2025:13314
• https://access.redhat.com/errata/RHSA-2025:13308
• https://access.redhat.com/errata/RHSA-2025:13309
• https://access.redhat.com/errata/RHSA-2025:13310
• https://access.redhat.com/errata/RHSA-2025:13311
• https://access.redhat.com/errata/RHSA-2025:13312
• https://access.redhat.com/errata/RHSA-2025:13335
• https://access.redhat.com/errata/RHSA-2025:13464
• https://access.redhat.com/errata/RHSA-2025:13622
• https://access.redhat.com/errata/RHSA-2025:14059
• https://access.redhat.com/errata/RHSA-2025:14396
• https://access.redhat.com/errata/RHSA-2025:14819
• https://access.redhat.com/errata/RHSA-2025:14818
• https://access.redhat.com/errata/RHSA-2025:14853
• https://access.redhat.com/errata/RHSA-2025:14858
• https://access.redhat.com/errata/RHSA-2025:15308
• https://access.redhat.com/errata/RHSA-2025:15828
• https://access.redhat.com/errata/RHSA-2025:15827
• https://access.redhat.com/errata/RHSA-2025:15672
• https://access.redhat.com/errata/RHSA-2025:18219
• https://lists.debian.org/debian-lts-announce/2025/09/msg00035.html
• http://seclists.org/fulldisclosure/2025/Aug/0
• http://seclists.org/fulldisclosure/2025/Jul/30
• http://seclists.org/fulldisclosure/2025/Jul/32
• http://seclists.org/fulldisclosure/2025/Jul/35
• http://seclists.org/fulldisclosure/2025/Jul/37
• http://www.openwall.com/lists/oss-security/2025/07/11/2
• https://access.redhat.com/errata/RHSA-2025:21885
• https://access.redhat.com/errata/RHSA-2025:21913
• https://access.redhat.com/errata/RHSA-2026:0934
• https://gitlab.gnome.org/GNOME/libxslt/-/issues/140

NVD Description

Note: Versions mentioned in the description apply only to the upstream pam package and not the pam package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A flaw was found in linux-pam. The module pam_namespace may use access user-controlled paths without proper protection, allowing local users to elevate their privileges to root via multiple symlink attacks and race conditions.

Remediation

Upgrade Debian:12 pam to version 1.5.2-6+deb12u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2025-6020
• https://access.redhat.com/security/cve/CVE-2025-6020
• https://bugzilla.redhat.com/show_bug.cgi?id=2372512
• http://www.openwall.com/lists/oss-security/2025/06/17/1
• https://access.redhat.com/errata/RHSA-2025:9526
• https://access.redhat.com/errata/RHSA-2025:10024
• https://access.redhat.com/errata/RHSA-2025:10027
• https://access.redhat.com/errata/RHSA-2025:10180
• https://access.redhat.com/errata/RHSA-2025:10354
• https://access.redhat.com/errata/RHSA-2025:10357
• https://access.redhat.com/errata/RHSA-2025:10358
• https://access.redhat.com/errata/RHSA-2025:10359
• https://access.redhat.com/errata/RHSA-2025:10361
• https://access.redhat.com/errata/RHSA-2025:10362
• https://access.redhat.com/errata/RHSA-2025:10735
• https://access.redhat.com/errata/RHSA-2025:10823
• https://access.redhat.com/errata/RHSA-2025:11386
• https://access.redhat.com/errata/RHSA-2025:11487
• https://access.redhat.com/errata/RHSA-2025:14557
• https://access.redhat.com/errata/RHSA-2025:15099
• https://access.redhat.com/errata/RHSA-2025:15709
• https://access.redhat.com/errata/RHSA-2025:15828
• https://access.redhat.com/errata/RHSA-2025:15827
• https://access.redhat.com/errata/RHSA-2025:16524
• https://access.redhat.com/errata/RHSA-2025:18219
• https://lists.debian.org/debian-lts-announce/2025/09/msg00021.html
• https://access.redhat.com/errata/RHSA-2025:17181
• https://access.redhat.com/errata/RHSA-2025:20181
• https://access.redhat.com/errata/RHSA-2025:21885
• https://access.redhat.com/errata/RHSA-2025:22019
• https://access.redhat.com/errata/RHSA-2026:0934

NVD Description

Note: Versions mentioned in the description apply only to the upstream glib2.0 package and not the glib2.0 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A heap-based buffer overflow problem was found in glib through an incorrect calculation of buffer size in the g_escape_uri_string() function. If the string to escape contains a very large number of unacceptable characters (which would need escaping), the calculation of the length of the escaped string could overflow, leading to a potential write off the end of the newly allocated string.

Remediation

Upgrade Debian:12 glib2.0 to version 2.74.6-2+deb12u8 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2025-13601
• https://access.redhat.com/security/cve/CVE-2025-13601
• https://bugzilla.redhat.com/show_bug.cgi?id=2416741
• https://gitlab.gnome.org/GNOME/glib/-/issues/3827
• https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4914
• https://access.redhat.com/errata/RHSA-2026:0936
• https://access.redhat.com/errata/RHSA-2026:0975
• https://access.redhat.com/errata/RHSA-2026:0991

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a stack-based buffer overflow in xmlSnprintfElements in valid.c. To exploit this, DTD validation must occur for an untrusted document or untrusted DTD. NOTE: this is similar to CVE-2017-9047.

Remediation

Upgrade Debian:12 libxml2 to version 2.9.14+dfsg-1.3~deb12u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2025-24928
• https://gitlab.gnome.org/GNOME/libxml2/-/issues/847
• https://issues.oss-fuzz.com/issues/392687022
• https://security.netapp.com/advisory/ntap-20250321-0006/
• https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to UNIX Symbolic Link (Symlink) Following in the fs.symlink() function. An attacker can escape the allowed path and read/write sensitive files by chaining directories and symlinks, bypassing --allow-fs-read and --allow-fs-write restrictions.

Remediation

Upgrade node to version 20.20.0, 22.22.0, 24.13.0, 25.3.0 or higher.

References

• GitHub Commit
• NodeJS Security Advisory

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed.

Remediation

Upgrade Debian:12 expat to version 2.5.0-1+deb12u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-52425
• https://lists.debian.org/debian-lts-announce/2024/09/msg00036.html
• http://www.openwall.com/lists/oss-security/2024/03/20/5
• https://github.com/libexpat/libexpat/pull/789
• https://lists.debian.org/debian-lts-announce/2024/04/msg00006.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNRIHC7DVVRAIWFRGV23Y6UZXFBXSQDB/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WNUBSGZFEZOBHJFTAD42SAN4ATW2VEMV/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PNRIHC7DVVRAIWFRGV23Y6UZXFBXSQDB/
• https://security.netapp.com/advisory/ntap-20240614-0003/

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A stack overflow vulnerability exists in the libexpat library due to the way it handles recursive entity expansion in XML documents. When parsing an XML document with deeply nested entity references, libexpat can be forced to recurse indefinitely, exhausting the stack space and causing a crash. This issue could lead to denial of service (DoS) or, in some cases, exploitable memory corruption, depending on the environment and library usage.

Remediation

Upgrade Debian:12 expat to version 2.5.0-1+deb12u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2024-8176
• https://access.redhat.com/security/cve/CVE-2024-8176
• https://bugzilla.redhat.com/show_bug.cgi?id=2310137
• https://github.com/libexpat/libexpat/issues/893
• http://www.openwall.com/lists/oss-security/2025/03/15/1
• https://blog.hartwork.org/posts/expat-2-7-0-released/
• https://bugzilla.suse.com/show_bug.cgi?id=1239618
• https://github.com/libexpat/libexpat/blob/R_2_7_0/expat/Changes#L40-L52
• https://gitlab.alpinelinux.org/alpine/aports/-/commit/d068c3ff36fc6f4789988a09c69b434db757db53
• https://ubuntu.com/security/CVE-2024-8176
• https://security.netapp.com/advisory/ntap-20250328-0009/
• https://access.redhat.com/errata/RHSA-2025:3531
• https://access.redhat.com/errata/RHSA-2025:3734
• https://access.redhat.com/errata/RHSA-2025:3913
• https://access.redhat.com/errata/RHSA-2025:4048
• https://access.redhat.com/errata/RHSA-2025:4447
• https://access.redhat.com/errata/RHSA-2025:4446
• https://access.redhat.com/errata/RHSA-2025:4448
• https://access.redhat.com/errata/RHSA-2025:4449
• https://www.kb.cert.org/vuls/id/760160
• https://access.redhat.com/errata/RHSA-2025:7444
• https://access.redhat.com/errata/RHSA-2025:7512
• https://access.redhat.com/errata/RHSA-2025:8385
• https://access.redhat.com/errata/RHSA-2025:13681
• http://seclists.org/fulldisclosure/2025/May/10
• http://seclists.org/fulldisclosure/2025/May/11
• http://seclists.org/fulldisclosure/2025/May/12
• http://seclists.org/fulldisclosure/2025/May/6
• http://seclists.org/fulldisclosure/2025/May/7
• http://seclists.org/fulldisclosure/2025/May/8
• http://www.openwall.com/lists/oss-security/2025/09/24/11
• https://access.redhat.com/errata/RHSA-2025:22033
• https://access.redhat.com/errata/RHSA-2025:22035
• https://access.redhat.com/errata/RHSA-2025:22034
• https://access.redhat.com/errata/RHSA-2025:22607
• https://access.redhat.com/errata/RHSA-2025:22785
• https://access.redhat.com/errata/RHSA-2025:22842
• https://access.redhat.com/errata/RHSA-2025:22871

NVD Description

Note: Versions mentioned in the description apply only to the upstream gdk-pixbuf package and not the gdk-pixbuf package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A flaw exists in gdk‑pixbuf within the gdk_pixbuf__jpeg_image_load_increment function (io-jpeg.c) and in glib’s g_base64_encode_step (glib/gbase64.c). When processing maliciously crafted JPEG images, a heap buffer overflow can occur during Base64 encoding, allowing out-of-bounds reads from heap memory, potentially causing application crashes or arbitrary code execution.

Remediation

Upgrade Debian:12 gdk-pixbuf to version 2.42.10+dfsg-1+deb12u3 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2025-7345
• https://access.redhat.com/security/cve/CVE-2025-7345
• https://bugzilla.redhat.com/show_bug.cgi?id=2377063
• https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/249
• https://access.redhat.com/errata/RHSA-2025:12841
• https://access.redhat.com/errata/RHSA-2025:12862
• https://access.redhat.com/errata/RHSA-2025:13315
• https://access.redhat.com/errata/RHSA-2025:14575
• https://access.redhat.com/errata/RHSA-2025:14576
• https://access.redhat.com/errata/RHSA-2025:14574
• https://access.redhat.com/errata/RHSA-2025:14585
• https://access.redhat.com/errata/RHSA-2025:14618
• https://access.redhat.com/errata/RHSA-2025:14646
• https://access.redhat.com/errata/RHSA-2025:14647
• https://access.redhat.com/errata/RHSA-2025:14683
• https://lists.debian.org/debian-lts-announce/2025/10/msg00024.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream imagemagick package and not the imagemagick package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-28 and 7.1.2-2, passing a geometry string containing only a colon (":") to montage -geometry leads GetGeometry() to set width/height to 0. Later, ThumbnailImage() divides by these zero dimensions, triggering a crash (SIGFPE/abort), resulting in a denial of service. This issue has been patched in versions 6.9.13-28 and 7.1.2-2.

Remediation

Upgrade Debian:12 imagemagick to version 8:6.9.11.60+dfsg-1.6+deb12u4 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2025-55212
• https://github.com/ImageMagick/ImageMagick/blob/0ba1b587be17543b664f7ad538e9e51e0da59d17/MagickCore/geometry.c#L355
• https://github.com/ImageMagick/ImageMagick/blob/0ba1b587be17543b664f7ad538e9e51e0da59d17/MagickCore/resize.c#L4625-L4629
• https://github.com/ImageMagick/ImageMagick/commit/5f0bcf986b8b5e90567750d31a37af502b73f2af
• https://github.com/dlemstra/Magick.NET/releases/tag/14.8.1
• https://lists.debian.org/debian-lts-announce/2025/09/msg00012.html
• https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-fh55-q5pj-pxgw

NVD Description

Note: Versions mentioned in the description apply only to the upstream imagemagick package and not the imagemagick package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

ImageMagick is an open source software suite for displaying, converting, and editing raster image files. In ImageMagick versions prior to 7.1.2-7 and 6.9.13-32, an integer overflow vulnerability exists in the BMP decoder on 32-bit systems. The vulnerability occurs in coders/bmp.c when calculating the extent value by multiplying image columns by bits per pixel. On 32-bit systems with size_t of 4 bytes, a malicious BMP file with specific dimensions can cause this multiplication to overflow and wrap to zero. The overflow check added to address CVE-2025-57803 is placed after the overflow occurs, making it ineffective. A specially crafted 58-byte BMP file with width set to 536,870,912 and 32 bits per pixel can trigger this overflow, causing the bytes_per_line calculation to become zero. This vulnerability only affects 32-bit builds of ImageMagick where default resource limits for width, height, and area have been manually increased beyond their defaults. 64-bit systems with size_t of 8 bytes are not vulnerable, and systems using default ImageMagick resource limits are not vulnerable. The vulnerability is fixed in versions 7.1.2-7 and 6.9.13-32.

Remediation

Upgrade Debian:12 imagemagick to version 8:6.9.11.60+dfsg-1.6+deb12u5 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2025-62171
• https://github.com/ImageMagick/ImageMagick/commit/cea1693e2ded51b4cc91c70c54096cbed1691c00
• https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-9pp9-cfwx-54rm
• https://lists.debian.org/debian-lts-announce/2025/10/msg00019.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream imagemagick package and not the imagemagick package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-12, in the WriteSVGImage function, using an int variable to store number_attributes caused an integer overflow. This, in turn, triggered a buffer overflow and caused a DoS attack. Version 7.1.2-12 fixes the issue.

Remediation

Upgrade Debian:12 imagemagick to version 8:6.9.11.60+dfsg-1.6+deb12u5 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2025-69204
• https://github.com/ImageMagick/ImageMagick/commit/2c08c2311693759153c9aa99a6b2dcb5f985681e
• https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-hrh7-j8q2-4qcw

NVD Description

Note: Versions mentioned in the description apply only to the upstream imagemagick package and not the imagemagick package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

ImageMagick is free and open-source software used for editing and manipulating digital images. In versions prior to 7.1.2-0 and 6.9.13-26, in ImageMagick's magick stream command, specifying multiple consecutive %d format specifiers in a filename template causes a memory leak. Versions 7.1.2-0 and 6.9.13-26 fix the issue.

Remediation

Upgrade Debian:12 imagemagick to version 8:6.9.11.60+dfsg-1.6+deb12u4 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2025-53019
• https://lists.debian.org/debian-lts-announce/2025/09/msg00012.html
• https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-cfh4-9f7v-fhrc

NVD Description

Note: Versions mentioned in the description apply only to the upstream imagemagick package and not the imagemagick package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-12, using Magick to read a malicious SVG file resulted in a DoS attack. Version 7.1.2-12 fixes the issue.

Remediation

Upgrade Debian:12 imagemagick to version 8:6.9.11.60+dfsg-1.6+deb12u5 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2025-68618
• https://github.com/ImageMagick/ImageMagick/commit/6f431d445f3ddd609c004a1dde617b0a73e60beb
• https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-p27m-hp98-6637

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c.

Remediation

Upgrade Debian:12 libxml2 to version 2.9.14+dfsg-1.3~deb12u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2025-27113
• https://gitlab.gnome.org/GNOME/libxml2/-/issues/861
• https://security.netapp.com/advisory/ntap-20250306-0004/
• http://seclists.org/fulldisclosure/2025/Apr/13
• http://seclists.org/fulldisclosure/2025/Apr/10
• http://seclists.org/fulldisclosure/2025/Apr/11
• http://seclists.org/fulldisclosure/2025/Apr/12
• http://seclists.org/fulldisclosure/2025/Apr/4
• http://seclists.org/fulldisclosure/2025/Apr/5
• http://seclists.org/fulldisclosure/2025/Apr/8
• http://seclists.org/fulldisclosure/2025/Apr/9
• https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

In libxml2 before 2.13.8 and 2.14.x before 2.14.2, xmlSchemaIDCFillNodeTables in xmlschemas.c has a heap-based buffer under-read. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used.

Remediation

Upgrade Debian:12 libxml2 to version 2.9.14+dfsg-1.3~deb12u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2025-32415
• https://lists.debian.org/debian-lts-announce/2025/04/msg00041.html
• https://gitlab.gnome.org/GNOME/libxml2/-/issues/890

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A flaw was found in libxml2's xmlBuildQName function, where integer overflows in buffer size calculations can lead to a stack-based buffer overflow. This issue can result in memory corruption or a denial of service when processing crafted input.

Remediation

Upgrade Debian:12 libxml2 to version 2.9.14+dfsg-1.3~deb12u3 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2025-6021
• https://access.redhat.com/errata/RHSA-2025:10630
• https://access.redhat.com/errata/RHSA-2025:10698
• https://access.redhat.com/errata/RHSA-2025:10699
• https://access.redhat.com/errata/RHSA-2025:11580
• https://access.redhat.com/errata/RHSA-2025:12098
• https://access.redhat.com/errata/RHSA-2025:12099
• https://access.redhat.com/errata/RHSA-2025:12199
• https://access.redhat.com/errata/RHSA-2025:12237
• https://access.redhat.com/errata/RHSA-2025:12239
• https://access.redhat.com/errata/RHSA-2025:12240
• https://access.redhat.com/errata/RHSA-2025:12241
• https://access.redhat.com/errata/RHSA-2025:13267
• https://access.redhat.com/errata/RHSA-2025:13289
• https://access.redhat.com/errata/RHSA-2025:13325
• https://access.redhat.com/errata/RHSA-2025:13335
• https://access.redhat.com/errata/RHSA-2025:13336
• https://access.redhat.com/errata/RHSA-2025:14059
• https://access.redhat.com/errata/RHSA-2025:14396
• https://access.redhat.com/errata/RHSA-2025:15308
• https://access.redhat.com/errata/RHSA-2025:15672
• https://access.redhat.com/security/cve/CVE-2025-6021
• https://bugzilla.redhat.com/show_bug.cgi?id=2372406
• https://gitlab.gnome.org/GNOME/libxml2/-/issues/926
• https://access.redhat.com/errata/RHSA-2025:19020
• https://lists.debian.org/debian-lts-announce/2025/07/msg00014.html
• https://access.redhat.com/errata/RHSA-2025:11673

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds memory access can occur in the Python API (Python bindings) because of an incorrect return value. This occurs in xmlPythonFileRead and xmlPythonFileReadRaw because of a difference between bytes and characters.

Remediation

Upgrade Debian:12 libxml2 to version 2.9.14+dfsg-1.3~deb12u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2025-32414
• https://lists.debian.org/debian-lts-announce/2025/04/msg00041.html
• https://gitlab.gnome.org/GNOME/libxml2/-/issues/889

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.

Remediation

Upgrade Debian:12 libxml2 to version 2.9.14+dfsg-1.3~deb12u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2024-25062
• https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html
• https://gitlab.gnome.org/GNOME/libxml2/-/issues/604
• https://gitlab.gnome.org/GNOME/libxml2/-/tags
• https://security.netapp.com/advisory/ntap-20241018-0009/

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxslt package and not the libxslt package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A flaw was found in the libxslt library. The same memory field, psvi, is used for both stylesheet and input data, which can lead to type confusion during XML transformations. This vulnerability allows an attacker to crash the application or corrupt memory. In some cases, it may lead to denial of service or unexpected behavior.

Remediation

Upgrade Debian:12 libxslt to version 1.1.35-1+deb12u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2025-7424
• https://access.redhat.com/security/cve/CVE-2025-7424
• https://bugzilla.redhat.com/show_bug.cgi?id=2379228
• https://lists.debian.org/debian-lts-announce/2025/09/msg00024.html
• http://seclists.org/fulldisclosure/2025/Aug/0
• http://seclists.org/fulldisclosure/2025/Jul/30
• http://seclists.org/fulldisclosure/2025/Jul/32
• http://seclists.org/fulldisclosure/2025/Jul/33
• http://seclists.org/fulldisclosure/2025/Jul/35
• http://seclists.org/fulldisclosure/2025/Jul/37
• http://www.openwall.com/lists/oss-security/2025/07/11/2

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnupg2 package and not the gnupg2 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

In GnuPG before 2.4.9, armor_filter in g10/armor.c has two increments of an index variable where one is intended, leading to an out-of-bounds write for crafted input. (For ExtendedLTS, 2.2.51 and later are fixed versions.)

Remediation

Upgrade Debian:12 gnupg2 to version 2.2.40-1.1+deb12u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2025-68973
• https://github.com/gpg/gnupg/blob/ff30683418695f5d2cc9e6cf8c9418e09378ebe4/g10/armor.c#L1305-L1306
• https://github.com/gpg/gnupg/commit/115d138ba599328005c5321c0ef9f00355838ca9
• https://github.com/gpg/gnupg/compare/gnupg-2.2.50...gnupg-2.2.51
• https://media.ccc.de/v/39c3-to-sign-or-not-to-sign-practical-vulnerabilities-i
• https://news.ycombinator.com/item?id=46403200
• https://www.openwall.com/lists/oss-security/2025/12/28/5
• http://www.openwall.com/lists/oss-security/2025/12/29/11
• https://lists.debian.org/debian-lts-announce/2026/01/msg00008.html
• https://gpg.fail/memcpy

NVD Description

Note: Versions mentioned in the description apply only to the upstream icu package and not the icu package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A stack buffer overflow was found in Internationl components for unicode (ICU ). While running the genrb binary, the 'subtag' struct overflowed at the SRBRoot::addTag function. This issue may lead to memory corruption and local arbitrary code execution.

Remediation

Upgrade Debian:12 icu to version 72.1-3+deb12u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2025-5222
• https://access.redhat.com/errata/RHSA-2025:11888
• https://access.redhat.com/errata/RHSA-2025:12083
• https://access.redhat.com/errata/RHSA-2025:12331
• https://access.redhat.com/errata/RHSA-2025:12332
• https://access.redhat.com/errata/RHSA-2025:12333
• https://access.redhat.com/security/cve/CVE-2025-5222
• https://bugzilla.redhat.com/show_bug.cgi?id=2368600
• https://lists.debian.org/debian-lts-announce/2025/06/msg00015.html