[ASA-202505-12] go: directory traversal
Arch Linux Security Advisory ASA-202505-12
==========================================
Severity: Low
Date    : 2025-05-19
CVE-ID  : CVE-2025-22873
Package : go
Type    : directory traversal
Remote  : No
Link    : https://security.archlinux.org/AVG-2878
Summary
=======
The package go before version 2:1.24.3-1 is vulnerable to directory
traversal.
Resolution
==========
Upgrade to 2:1.24.3-1.
# pacman -Syu "go>=2:1.24.3-1"
The problem has been fixed upstream in version 1.24.3.
Workaround
==========
None.
Description
===========
It was possible to improperly access the parent directory of a
restricted filesystem root created with os.DirFS. Calling Open("../")
on such a filesystem could open the parent directory itself, violating
expected directory confinement. This escape did not allow access to
ancestor directories beyond the parent, nor to files within the parent
directory.
This behavior has been corrected to return an error for such paths.
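The program below is an added illustration, not code from the Go project or from this advisory. It wraps the fs.FS returned by os.DirFS so that any name fs.ValidPath rejects ("../" included) is refused before the underlying Open ever runs, and adds a lexical host-path check as a second layer. The wrapper type, ErrEscape, and the temporary directory it builds are constructed for the example; upgrading remains the fix, and the wrapper is defense in depth for code that hands caller-supplied names to an fs.FS.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// ErrEscape is returned for any name that would leave the root.
var ErrEscape = errors.New("path escapes filesystem root")

// IsConfined reports whether name is a path io/fs considers rooted and
// canonical: "." or slash-separated elements with no "", "." or ".." element
// and no leading or trailing slash. "..", "../", "a/../b", "/etc/passwd" and
// "a/" all fail, so they never reach the wrapped Open at all. Backslashes are
// rejected too, because on Windows they act as separators.
func IsConfined(name string) bool {
	return fs.ValidPath(name) && !strings.ContainsRune(name, '\\')
}

// ResolvesInside is a second, purely lexical check on the host path: after
// joining root and name and cleaning, the result must not be root's parent or
// an ancestor of it. It does not follow symlinks and a leading "/" in name is
// neutralised by Join, so it complements IsConfined rather than replacing it.
func ResolvesInside(root, name string) bool {
	root = filepath.Clean(root)
	target := filepath.Join(root, filepath.FromSlash(name))
	rel, err := filepath.Rel(root, target)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// confinedFS wraps an fs.FS (here the one from os.DirFS) and applies
// IsConfined before delegating, so the inner Open never sees "../".
type confinedFS struct {
	inner fs.FS
}

// Confine returns the wrapped filesystem.
func Confine(inner fs.FS) fs.FS { return confinedFS{inner: inner} }

func (c confinedFS) Open(name string) (fs.File, error) {
	if !IsConfined(name) {
		return nil, &fs.PathError{Op: "open", Path: name, Err: ErrEscape}
	}
	return c.inner.Open(name)
}

// DemoEscapeBlocked builds a throwaway root holding one file (constructed for
// the demo) and reports whether Open("../") through the wrapper was refused
// while Open of the real file still succeeds.
func DemoEscapeBlocked() (bool, error) {
	root, err := os.MkdirTemp("", "confined-demo-")
	if err != nil {
		return false, err
	}
	defer os.RemoveAll(root)
	if err := os.WriteFile(filepath.Join(root, "hello.txt"), []byte("hi\n"), 0o600); err != nil {
		return false, err
	}
	fsys := Confine(os.DirFS(root))

	f, err := fsys.Open("hello.txt")
	if err != nil {
		return false, err
	}
	f.Close()

	_, err = fsys.Open("../")
	return errors.Is(err, ErrEscape), nil
}

func main() {
	for _, name := range []string{"hello.txt", "sub/a.txt", ".", "..", "../", "a/../b", "/etc/passwd"} {
		fmt.Printf("%-14q confined=%-5v resolvesInside=%v\n", name, IsConfined(name), ResolvesInside("/srv/data", name))
	}
	blocked, err := DemoEscapeBlocked()
	fmt.Println("Open(\"../\") blocked by wrapper:", blocked, "err:", err)
}
```

Note that "/etc/passwd" passes ResolvesInside (Join swallows the leading slash) but fails IsConfined, which is why the wrapper uses IsConfined as its gate and keeps the lexical check as a cross-check only.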
Impact
======
A local attacker or untrusted component running within a Go application
could bypass directory confinement by accessing the parent directory of
a restricted os.DirFS root using a "../" path.
References
==========
https://github.com/golang/go/issues/73555
https://go.dev/doc/devel/release#go1.24.3
https://groups.google.com/g/golang-announce/c/UZoIkUT367A/m/5WDxKizJAQAJ?pli=1
https://security.archlinux.org/CVE-2025-22873
[ASA-202505-11] freetype2: arbitrary code execution
Arch Linux Security Advisory ASA-202505-11
==========================================
Severity: High
Date    : 2025-05-19
CVE-ID  : CVE-2025-27363
Package : freetype2
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2877
Summary
=======
The package freetype2 before version 2.13.3-3 is vulnerable to
arbitrary code execution.
Resolution
==========
Upgrade to 2.13.3-3.
# pacman -Syu "freetype2>=2.13.3-3"
The problem has been fixed upstream in version 2.13.3.
Workaround
==========
None.
Description
===========
An out-of-bounds write exists in FreeType versions 2.13.0 and below
when parsing font subglyph structures related to TrueType GX and
variable font files. The vulnerable code assigns a signed short value
to an unsigned long and then adds a static value, causing the result to
wrap around and allocate a heap buffer that is too small. The code then
writes up to 6 signed long integers out of bounds relative to this
buffer. This may result in arbitrary code execution. This vulnerability
may have been exploited in the wild.
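As an added illustration of the arithmetic the advisory describes (written in Go, not FreeType's C source; the constants headerBytes, entryBytes and entryCount and the function names are stand-ins chosen for the demo), here is the widening-then-add that wraps, beside the overflow-checked form a parser should use before sizing an allocation:

```go
package main

import (
	"errors"
	"fmt"
	"math/bits"
)

// Stand-in layout for the demo, not FreeType's constants: a fixed header
// followed by 8-byte entries, of which the parser will write entryCount.
const (
	headerBytes = 16
	entryBytes  = 8
	entryCount  = 6
)

// ErrBadSize is returned when a size cannot be represented safely.
var ErrBadSize = errors.New("allocation size is negative or overflows")

// NaiveSize mirrors the defect class: a signed 16-bit count read from the
// file is widened into an unsigned 64-bit word (sign-extended, so -1 becomes
// 2^64-1), scaled, and a constant is added. For a negative count the sum
// wraps to a tiny value, and an allocator handed that value returns a buffer
// far smaller than what the code then writes into it.
func NaiveSize(count int16) uint64 {
	return uint64(count)*entryBytes + headerBytes
}

// Wrapped reports the classic overflow signature: a sum that came out smaller
// than one of its addends.
func Wrapped(count int16) bool {
	return NaiveSize(count) < headerBytes
}

// CheckedSize is the defensive form: reject negative counts before widening,
// then use carry- and overflow-aware arithmetic for the multiply and the add.
func CheckedSize(count int16) (uint64, error) {
	if count < 0 {
		return 0, ErrBadSize
	}
	hi, lo := bits.Mul64(uint64(count), entryBytes)
	if hi != 0 {
		return 0, ErrBadSize
	}
	total, carry := bits.Add64(lo, headerBytes, 0)
	if carry != 0 {
		return 0, ErrBadSize
	}
	return total, nil
}

// FitsWrites reports whether a buffer of size bytes can hold the header plus
// the entryCount entries the parser writes.
func FitsWrites(size uint64) bool {
	return size >= headerBytes+entryCount*entryBytes
}

func main() {
	for _, c := range []int16{4, 6, 0, -1, -8} {
		naive := NaiveSize(c)
		checked, err := CheckedSize(c)
		fmt.Printf("count=%6d naive=%20d wrapped=%-5v fits=%-5v checked=%d err=%v\n",
			c, naive, Wrapped(c), FitsWrites(naive), checked, err)
	}
}
```

The count of -1 is the interesting row: the naive size comes out as 8, below even the header, which is exactly the "too small heap buffer" the advisory describes, while CheckedSize refuses it outright.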
Impact
======
A remote attacker who can get a specially crafted font file loaded can
execute arbitrary code on the affected host.
References
==========
https://www.facebook.com/security/advisories/cve-2025-27363
https://gitlab.freedesktop.org/freetype/freetype/-/commit/ef636696524b081f1b8819eb0c6a0b932d35757d
https://security.archlinux.org/CVE-2025-27363
[ASA-202505-10] python-django: denial of service
Arch Linux Security Advisory ASA-202505-10
==========================================
Severity: Medium
Date    : 2025-05-19
CVE-ID  : CVE-2025-32873
Package : python-django
Type    : denial of service
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2876
Summary
=======
The package python-django before version 5.1.9-1 is vulnerable to
denial of service.
Resolution
==========
Upgrade to 5.1.9-1.
# pacman -Syu "python-django>=5.1.9-1"
The problem has been fixed upstream in version 5.1.9.
Workaround
==========
None.
Description
===========
django.utils.html.strip_tags() would be slow to evaluate certain inputs
containing large sequences of incomplete HTML tags. This function is
used to implement the striptags template filter, which was thus also
vulnerable. django.utils.html.strip_tags() now raises a
SuspiciousOperation exception if it encounters an unusually large
number of unclosed opening tags.
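The following is an added Go illustration of the guard the advisory describes, not Django's own implementation: it counts opening tags that are never closed and refuses the input past a limit before stripping anything. MaxUnclosedTags is an assumed threshold, ErrSuspiciousInput stands in for Django's SuspiciousOperation, and the single-pass stripper here does not reproduce Django's HTML handling; the point is that the cheap count runs first, so pathological input never reaches the expensive path.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// MaxUnclosedTags is an assumed limit for the demo, not Django's constant.
const MaxUnclosedTags = 100

// ErrSuspiciousInput plays the role of Django's SuspiciousOperation.
var ErrSuspiciousInput = errors.New("too many unclosed opening tags")

// UnclosedTagCount counts '<' characters with no later '>' to close them.
// It is a single linear pass, so the guard itself cannot become the bottleneck.
func UnclosedTagCount(s string) int {
	open := 0
	for _, r := range s {
		switch r {
		case '<':
			open++
		case '>':
			if open > 0 {
				open--
			}
		}
	}
	return open
}

// StripTags removes "<...>" spans in one pass after the guard has run. A '<'
// that is never closed is kept as literal text rather than re-scanned.
func StripTags(s string) (string, error) {
	if n := UnclosedTagCount(s); n > MaxUnclosedTags {
		return "", fmt.Errorf("%w: %d", ErrSuspiciousInput, n)
	}
	var b strings.Builder
	for {
		lt := strings.IndexByte(s, '<')
		if lt < 0 {
			b.WriteString(s)
			return b.String(), nil
		}
		b.WriteString(s[:lt])
		gt := strings.IndexByte(s[lt:], '>')
		if gt < 0 {
			b.WriteString(s[lt:])
			return b.String(), nil
		}
		s = s[lt+gt+1:]
	}
}

func main() {
	// Constructed inputs: ordinary markup, a literal "<", and a flood of
	// unclosed tags of the shape the advisory warns about.
	for _, in := range []string{"<p>Hello <b>world</b></p>", "a < b", strings.Repeat("<", 1000) + "x"} {
		out, err := StripTags(in)
		fmt.Printf("in=%.20q out=%q err=%v\n", in, out, err)
	}
}
```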
Impact
======
A remote attacker can exploit inefficient HTML tag parsing in Django’s
strip_tags() function to cause excessive CPU usage, leading to a denial
of service. This may affect applications that use the striptags
template filter to sanitize user-controlled input, making them
vulnerable to slowdown or unresponsiveness when handling specially
crafted HTML content.
References
==========
https://www.djangoproject.com/weblog/2025/may/07/security-releases/
https://security.archlinux.org/CVE-2025-32873
[ASA-202505-9] dropbear: arbitrary command execution
Arch Linux Security Advisory ASA-202505-9
=========================================
Severity: Medium
Date    : 2025-05-19
CVE-ID  : CVE-2025-47203
Package : dropbear
Type    : arbitrary command execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2874
Summary
=======
The package dropbear before version 2025.88-1 is vulnerable to
arbitrary command execution.
Resolution
==========
Upgrade to 2025.88-1.
# pacman -Syu "dropbear>=2025.88-1"
The problem has been fixed upstream in version 2025.88.
Workaround
==========
None.
Description
===========
dbclient in Dropbear SSH before 2025.88 allows command injection via an
untrusted hostname argument, because a shell is used.
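For callers that launch an SSH client from their own code, the added Go example below (not Dropbear's code) shows the two controls that remove this class of bug: validate the hostname against the characters a DNS name or IP literal can actually contain, and pass arguments as an argv slice so no shell ever re-parses them. The client path and the remote command are placeholders; the example builds the command but does not run it.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"os/exec"
	"regexp"
	"strings"
)

// ErrBadHostname is returned for anything that is not a plain host name or IP.
var ErrBadHostname = errors.New("hostname contains characters outside the allowed set")

// labelRE is an RFC 1123 host label: 1-63 alphanumerics or hyphens, not
// starting or ending with a hyphen. That also rules out a leading "-", which
// a command line would otherwise read as an option.
var labelRE = regexp.MustCompile(`^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$`)

// ValidHostname accepts an IP literal or a dotted name of valid labels and
// nothing else: no whitespace, quoting, or shell metacharacters.
func ValidHostname(h string) bool {
	if h == "" || len(h) > 253 {
		return false
	}
	if net.ParseIP(h) != nil {
		return true
	}
	h = strings.TrimSuffix(h, ".")
	for _, label := range strings.Split(h, ".") {
		if !labelRE.MatchString(label) {
			return false
		}
	}
	return true
}

// SSHArgs builds the argument vector for the client. Validation happens here,
// so an invalid host never becomes part of any command line.
func SSHArgs(host, remoteCmd string) ([]string, error) {
	if !ValidHostname(host) {
		return nil, fmt.Errorf("%w: %q", ErrBadHostname, host)
	}
	args := []string{host}
	if remoteCmd != "" {
		args = append(args, remoteCmd)
	}
	return args, nil
}

// SSHCommand wraps the argv in exec.Cmd. exec.Command passes each element
// directly to the program, so the host is never handed to /bin/sh.
func SSHCommand(clientPath, host, remoteCmd string) (*exec.Cmd, error) {
	args, err := SSHArgs(host, remoteCmd)
	if err != nil {
		return nil, err
	}
	return exec.Command(clientPath, args...), nil
}

func main() {
	// Constructed inputs: valid names and IPs beside strings that must be refused.
	for _, h := range []string{"example.com", "192.0.2.10", "2001:db8::1", "host;echo", "$(hostname)", "-oProxyCommand=x", "a b"} {
		fmt.Printf("%-20q valid=%v\n", h, ValidHostname(h))
	}
	cmd, err := SSHCommand("/usr/bin/dbclient", "example.com", "uptime") // path is a placeholder
	fmt.Println("argv:", cmd.Args, "err:", err)
}
```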
Impact
======
A remote attacker can craft a malicious hostname to execute arbitrary
commands on a system using dbclient if the hostname is passed without
proper sanitization.
References
==========
https://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2025q2/002385.html
https://security.archlinux.org/CVE-2025-47203
[ASA-202505-8] nodejs-lts-iron: multiple issues
Arch Linux Security Advisory ASA-202505-8
=========================================
Severity: High
Date    : 2025-05-18
CVE-ID  : CVE-2025-23165 CVE-2025-23166 CVE-2025-23167
Package : nodejs-lts-iron
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2873
Summary
=======
The package nodejs-lts-iron before version 20.19.2-1 is vulnerable to
multiple issues including denial of service and access restriction
bypass.
Resolution
==========
Upgrade to 20.19.2-1.
# pacman -Syu "nodejs-lts-iron>=20.19.2-1"
The problems have been fixed upstream in version 20.19.2.
Workaround
==========
None.
Description
===========
- CVE-2025-23165 (denial of service)
Corrupted pointer in node::fs::ReadFileUtf8(const
FunctionCallbackInfo<Value>& args) when args[0] is a string.
In Node.js, the ReadFileUtf8 internal binding leaks memory due to a
corrupted pointer in uv_fs_s.file: a UTF-16 path buffer is allocated
but subsequently overwritten when the file descriptor is set. This
results in an unrecoverable memory leak on every call. Repeated use can
cause unbounded memory growth, leading to a denial of service.
- CVE-2025-23166 (denial of service)
Improper error handling in async cryptographic operations crashes
process.
The C++ method SignTraits::DeriveBits() may incorrectly call
ThrowException() based on user-supplied inputs when executing in a
background thread, crashing the Node.js process. Such cryptographic
operations are commonly applied to untrusted inputs. Thus, this
mechanism potentially allows an adversary to remotely crash a Node.js
runtime.
- CVE-2025-23167 (access restriction bypass)
A flaw in Node.js 20's HTTP parser allows improper termination of
HTTP/1 headers using \r\n\rX instead of the required \r\n\r\n. This
inconsistency enables request smuggling, allowing attackers to bypass
proxy-based access controls and submit unauthorized requests.
The issue was resolved by upgrading llhttp to version 9, which enforces
correct header termination.
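The strict termination rule CVE-2025-23167 is about can be written down in a few lines. The Go function below is an added example (not llhttp or Node.js code) that finds the end of an HTTP/1 header block only at a real "\r\n\r\n", treats a bare CR that is not followed by LF as a parse error rather than a terminator, and is useful as a check in front of any component whose idea of where the body starts must agree with the proxy in front of it. The sample requests are constructed for the demo.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

var (
	ErrIncomplete     = errors.New("header block not yet terminated")
	ErrBadTermination = errors.New("invalid header block: CR not followed by LF")
)

// HeaderBlockEnd returns the index just past the "\r\n\r\n" that terminates
// an HTTP/1 header block. Every CR must be followed by LF; a lenient parser
// that accepts "\r\n\rX" as the end of headers places the body start two
// bytes earlier than a strict one, and that disagreement is what request
// smuggling exploits, so the strict parser reports an error instead.
func HeaderBlockEnd(buf []byte) (int, error) {
	for i := 0; i < len(buf); i++ {
		if buf[i] != '\r' {
			continue
		}
		if i+1 >= len(buf) {
			return 0, ErrIncomplete // need more bytes to decide
		}
		if buf[i+1] != '\n' {
			return 0, ErrBadTermination
		}
		if bytes.HasPrefix(buf[i+2:], []byte("\r\n")) {
			return i + 4, nil
		}
		i++ // skip the LF already validated
	}
	return 0, ErrIncomplete
}

// SplitRequest separates the header block from the body using the strict rule.
func SplitRequest(buf []byte) (head, body []byte, err error) {
	end, err := HeaderBlockEnd(buf)
	if err != nil {
		return nil, nil, err
	}
	return buf[:end], buf[end:], nil
}

func main() {
	// Constructed requests: one well-formed, one using the malformed "\r\n\rX" ending.
	good := []byte("POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello")
	bad := []byte("POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\rXhello")
	for _, req := range [][]byte{good, bad} {
		head, body, err := SplitRequest(req)
		fmt.Printf("headers=%d bytes body=%q err=%v\n", len(head), body, err)
	}
}
```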
Impact
======
A remote attacker can exploit multiple vulnerabilities in Node.js to
cause a denial of service or bypass access restrictions. Improper error
handling and memory management flaws may crash the process or lead to
unbounded memory usage, while an HTTP parsing inconsistency in Node.js
20.x can enable request smuggling, allowing attackers to evade proxy-
based access controls and submit unauthorized requests.
References
==========
https://nodejs.org/en/blog/vulnerability/may-2025-security-releases
https://nodejs.org/en/blog/vulnerability/may-2025-security-releases#corrupted-pointer-in-nodefsreadfileutf8const-functioncallbackinfovalue-args-when-args0-is-a-string-cve-2025-23165---low
https://nodejs.org/en/blog/vulnerability/may-2025-security-releases#improper-error-handling-in-async-cryptographic-operations-crashes-process-cve-2025-23166---high
https://nodejs.org/en/blog/vulnerability/may-2025-security-releases#improper-http-header-block-termination-in-llhttp-cve-2025-23167---medium
https://security.archlinux.org/CVE-2025-23165
https://security.archlinux.org/CVE-2025-23166
https://security.archlinux.org/CVE-2025-23167
[ASA-202505-7] nodejs-lts-jod: denial of service
Arch Linux Security Advisory ASA-202505-7
=========================================
Severity: High
Date    : 2025-05-18
CVE-ID  : CVE-2025-23165 CVE-2025-23166
Package : nodejs-lts-jod
Type    : denial of service
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2872
Summary
=======
The package nodejs-lts-jod before version 22.15.1-1 is vulnerable to
denial of service.
Resolution
==========
Upgrade to 22.15.1-1.
# pacman -Syu "nodejs-lts-jod>=22.15.1-1"
The problems have been fixed upstream in version 22.15.1.
Workaround
==========
None.
Description
===========
- CVE-2025-23165 (denial of service)
Corrupted pointer in node::fs::ReadFileUtf8(const
FunctionCallbackInfo<Value>& args) when args[0] is a string.
In Node.js, the ReadFileUtf8 internal binding leaks memory due to a
corrupted pointer in uv_fs_s.file: a UTF-16 path buffer is allocated
but subsequently overwritten when the file descriptor is set. This
results in an unrecoverable memory leak on every call. Repeated use can
cause unbounded memory growth, leading to a denial of service.
- CVE-2025-23166 (denial of service)
Improper error handling in async cryptographic operations crashes
process.
The C++ method SignTraits::DeriveBits() may incorrectly call
ThrowException() based on user-supplied inputs when executing in a
background thread, crashing the Node.js process. Such cryptographic
operations are commonly applied to untrusted inputs. Thus, this
mechanism potentially allows an adversary to remotely crash a Node.js
runtime.
Impact
======
A remote attacker can exploit improper error handling and memory
management flaws in Node.js to crash the process or exhaust system
resources, leading to a denial of service. Specifically, malformed
input may trigger a crash in asynchronous cryptographic operations,
while repeated use of file system APIs with crafted input may cause
unbounded memory growth.
References
==========
https://nodejs.org/en/blog/vulnerability/may-2025-security-releases
https://nodejs.org/en/blog/vulnerability/may-2025-security-releases#corrupted-pointer-in-nodefsreadfileutf8const-functioncallbackinfovalue-args-when-args0-is-a-string-cve-2025-23165---low
https://nodejs.org/en/blog/vulnerability/may-2025-security-releases#improper-error-handling-in-async-cryptographic-operations-crashes-process-cve-2025-23166---high
https://security.archlinux.org/CVE-2025-23165
https://security.archlinux.org/CVE-2025-23166
[ASA-202505-6] nodejs: denial of service
Arch Linux Security Advisory ASA-202505-6
=========================================
Severity: High
Date    : 2025-05-18
CVE-ID  : CVE-2025-23166
Package : nodejs
Type    : denial of service
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2871
Summary
=======
The package nodejs before version 23.11.1-1 is vulnerable to denial of
service.
Resolution
==========
Upgrade to 23.11.1-1.
# pacman -Syu "nodejs>=23.11.1-1"
The problem has been fixed upstream in version 23.11.1.
Workaround
==========
None.
Description
===========
Improper error handling in async cryptographic operations crashes
process.
The C++ method SignTraits::DeriveBits() may incorrectly call
ThrowException() based on user-supplied inputs when executing in a
background thread, crashing the Node.js process. Such cryptographic
operations are commonly applied to untrusted inputs. Thus, this
mechanism potentially allows an adversary to remotely crash a Node.js
runtime.
Impact
======
A remote attacker can exploit improper error handling in Node.js’s
asynchronous cryptographic operations to crash the process, leading to
a denial of service.
References
==========
https://nodejs.org/en/blog/vulnerability/may-2025-security-releases
https://nodejs.org/en/blog/vulnerability/may-2025-security-releases#improper-error-handling-in-async-cryptographic-operations-crashes-process-cve-2025-23166---high
https://security.archlinux.org/CVE-2025-23166
[ASA-202505-5] webkitgtk-6.0: arbitrary code execution
Arch Linux Security Advisory ASA-202505-5
=========================================
Severity: High
Date    : 2025-05-18
CVE-ID  : CVE-2023-42875 CVE-2023-42970
Package : webkitgtk-6.0
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2867
Summary
=======
The package webkitgtk-6.0 before version 2.48.2-1 is vulnerable to
arbitrary code execution.
Resolution
==========
Upgrade to 2.48.2-1.
# pacman -Syu "webkitgtk-6.0>=2.48.2-1"
The problems have been fixed upstream in version 2.48.2.
Workaround
==========
None.
Description
===========
- CVE-2023-42875 (arbitrary code execution)
Processing malicious web content can cause a use-after-free issue due
to improper memory handling and result in arbitrary code execution. The
issue was addressed with improved memory handling.
- CVE-2023-42970 (arbitrary code execution)
Processing malicious web content can cause a use-after-free issue due
to improper memory management and result in arbitrary code execution.
Impact
======
A remote attacker could craft malicious web content that exploits use-
after-free vulnerabilities in WPE WebKit, potentially leading to
arbitrary code execution. This can compromise the confidentiality,
integrity, and availability of affected systems, especially those
rendering untrusted web content through WPE WebKit.
References
==========
https://webkitgtk.org/security/WSA-2025-0004.html
https://wpewebkit.org/security/WSA-2025-0004.html
https://webkitgtk.org/security/WSA-2025-0004.html#CVE-2023-42875
https://wpewebkit.org/security/WSA-2025-0004.html#CVE-2023-42875
https://webkitgtk.org/security/WSA-2025-0004.html#CVE-2023-42970
https://wpewebkit.org/security/WSA-2025-0004.html#CVE-2023-42970
https://security.archlinux.org/CVE-2023-42875
https://security.archlinux.org/CVE-2023-42970
[ASA-202505-4] webkit2gtk-4.1: arbitrary code execution
Arch Linux Security Advisory ASA-202505-4
=========================================
Severity: High
Date    : 2025-05-18
CVE-ID  : CVE-2023-42875 CVE-2023-42970
Package : webkit2gtk-4.1
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2868
Summary
=======
The package webkit2gtk-4.1 before version 2.48.2-1 is vulnerable to
arbitrary code execution.
Resolution
==========
Upgrade to 2.48.2-1.
# pacman -Syu "webkit2gtk-4.1>=2.48.2-1"
The problems have been fixed upstream in version 2.48.2.
Workaround
==========
None.
Description
===========
- CVE-2023-42875 (arbitrary code execution)
Processing malicious web content can cause a use-after-free issue due
to improper memory handling and result in arbitrary code execution. The
issue was addressed with improved memory handling.
- CVE-2023-42970 (arbitrary code execution)
Processing malicious web content can cause a use-after-free issue due
to improper memory management and result in arbitrary code execution.
Impact
======
A remote attacker could craft malicious web content that exploits use-
after-free vulnerabilities in WPE WebKit, potentially leading to
arbitrary code execution. This can compromise the confidentiality,
integrity, and availability of affected systems, especially those
rendering untrusted web content through WPE WebKit.
References
==========
https://webkitgtk.org/security/WSA-2025-0004.html
https://wpewebkit.org/security/WSA-2025-0004.html
https://webkitgtk.org/security/WSA-2025-0004.html#CVE-2023-42875
https://wpewebkit.org/security/WSA-2025-0004.html#CVE-2023-42875
https://webkitgtk.org/security/WSA-2025-0004.html#CVE-2023-42970
https://wpewebkit.org/security/WSA-2025-0004.html#CVE-2023-42970
https://security.archlinux.org/CVE-2023-42875
https://security.archlinux.org/CVE-2023-42970
[ASA-202505-3] webkit2gtk: arbitrary code execution
Arch Linux Security Advisory ASA-202505-3
=========================================
Severity: High
Date    : 2025-05-18
CVE-ID  : CVE-2023-42875 CVE-2023-42970
Package : webkit2gtk
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2869
Summary
=======
The package webkit2gtk before version 2.48.2-1 is vulnerable to
arbitrary code execution.
Resolution
==========
Upgrade to 2.48.2-1.
# pacman -Syu "webkit2gtk>=2.48.2-1"
The problems have been fixed upstream in version 2.48.2.
Workaround
==========
None.
Description
===========
- CVE-2023-42875 (arbitrary code execution)
Processing malicious web content can cause a use-after-free issue due
to improper memory handling and result in arbitrary code execution. The
issue was addressed with improved memory handling.
- CVE-2023-42970 (arbitrary code execution)
Processing malicious web content can cause a use-after-free issue due
to improper memory management and result in arbitrary code execution.
Impact
======
A remote attacker could craft malicious web content that exploits use-
after-free vulnerabilities in WPE WebKit, potentially leading to
arbitrary code execution. This can compromise the confidentiality,
integrity, and availability of affected systems, especially those
rendering untrusted web content through WPE WebKit.
References
==========
https://webkitgtk.org/security/WSA-2025-0004.html
https://wpewebkit.org/security/WSA-2025-0004.html
https://webkitgtk.org/security/WSA-2025-0004.html#CVE-2023-42875
https://wpewebkit.org/security/WSA-2025-0004.html#CVE-2023-42875
https://webkitgtk.org/security/WSA-2025-0004.html#CVE-2023-42970
https://wpewebkit.org/security/WSA-2025-0004.html#CVE-2023-42970
https://security.archlinux.org/CVE-2023-42875
https://security.archlinux.org/CVE-2023-42970
[ASA-202505-2] wpewebkit: arbitrary code execution
Arch Linux Security Advisory ASA-202505-2
=========================================
Severity: High
Date    : 2025-05-18
CVE-ID  : CVE-2023-42875 CVE-2023-42970
Package : wpewebkit
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2870
Summary
=======
The package wpewebkit before version 2.48.2-1 is vulnerable to
arbitrary code execution.
Resolution
==========
Upgrade to 2.48.2-1.
# pacman -Syu "wpewebkit>=2.48.2-1"
The problems have been fixed upstream in version 2.48.2.
Workaround
==========
None.
Description
===========
- CVE-2023-42875 (arbitrary code execution)
Processing malicious web content can cause a use-after-free issue due
to improper memory handling and result in arbitrary code execution. The
issue was addressed with improved memory handling.
- CVE-2023-42970 (arbitrary code execution)
Processing malicious web content can cause a use-after-free issue due
to improper memory management and result in arbitrary code execution.
Impact
======
A remote attacker could craft malicious web content that exploits use-
after-free vulnerabilities in WPE WebKit, potentially leading to
arbitrary code execution. This can compromise the confidentiality,
integrity, and availability of affected systems, especially those
rendering untrusted web content through WPE WebKit.
References
==========
https://webkitgtk.org/security/WSA-2025-0004.html
https://wpewebkit.org/security/WSA-2025-0004.html
https://webkitgtk.org/security/WSA-2025-0004.html#CVE-2023-42875
https://wpewebkit.org/security/WSA-2025-0004.html#CVE-2023-42875
https://webkitgtk.org/security/WSA-2025-0004.html#CVE-2023-42970
https://wpewebkit.org/security/WSA-2025-0004.html#CVE-2023-42970
https://security.archlinux.org/CVE-2023-42875
https://security.archlinux.org/CVE-2023-42970