Security Bulletin: IBM App Connect Enterprise is vulnerable to multiple vulnerabilities due to Node.js (CVE-2025-23085, CVE-2025-23084 & CVE-2025-22150)
Description

Summary

IBM App Connect Enterprise is vulnerable to multiple vulnerabilities due to Node.js.

Vulnerability Details

CVEID: CVE-2025-23085
DESCRIPTION: A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could lead to increased memory consumption and potential denial of service under certain conditions. This vulnerability affects HTTP/2 Server users on Node.js v18.x, v20.x, v22.x and v23.x.
CWE: CWE-401: Missing Release of Memory after Effective Lifetime
CVSS Source: [email protected]
CVSS Base score: 5.3
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2025-23084
DESCRIPTION: A vulnerability has been identified in Node.js, specifically affecting the handling of drive names in the Windows environment. Certain Node.js functions do not treat drive names as special on Windows. As a result, although Node.js assumes a relative path, it actually refers to the root directory. On Windows, a path that does not start with the file separator is treated as relative to the current directory. This vulnerability affects Windows users of the path.join API.
CWE: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSS Source: [email protected]
CVSS Base score: 5.6
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N)
…

