[MEDIUM] Patch nodejs for CVE-2025-23165 CVE-2025-23166

[aninda-al]

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

• The toolchain has been rebuilt successfully (or no changes were made to it)
• The toolchain/worker package manifests are up-to-date
• Any updated packages successfully build (or no packages were changed)
• Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
• Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
• All package sources are available
• cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
• LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
• All source files have up-to-date hashes in the *.signatures.json files
• sudo make go-tidy-all and sudo make go-test-coverage pass
• Documentation has been updated to match any changes to the build system
• Ready to merge

---

Summary

Address CVE-2025-23165 CVE-2025-23166

CVE-2025-23166 Upstream Patch Reference: nodejs/node@6c57465
CVE-2025-23165 Upstream Patch Reference: nodejs/node@9e13bf0

Change Log

• modified: SPECS/nodejs/nodejs.spec
• added: SPECS/nodejs/CVE-2025-23165.patch
• added: SPECS/nodejs/CVE-2025-23166.patch

Does this affect the toolchain?

NO

Associated issues

• NA

Links to CVEs

• https://nvd.nist.gov/vuln/detail/CVE-2025-23165
• https://nvd.nist.gov/vuln/detail/CVE-2025-23166

Test Methodology

• Due to insufficient memory in vm could not get a successful build. It fails with the same error even without my changes

[kgodara912]

Buddy build. Both the patches match with upstream reference. As the patches referenced here are already merged in nodejs 20.19.2 which is a minor version upgrade, could you please check how many of the CVEs listed in spec file are already fixed in 20.19.2 version? There are multiple other fixes in the release, let's see if all the CVEs are fixed and no regressions, then we will try a minor version upgrade. As per, https://nodejs.org/en/about/previous-releases, Node20 series is under Maintenance.

[aninda-al]

Buddy build. Both the patches match with upstream reference. As the patches referenced here are already merged in nodejs 20.19.2 which is a minor version upgrade, could you please check how many of the CVEs listed in spec file are already fixed in 20.19.2 version? There are multiple other fixes in the release, let's see if all the CVEs are fixed and no regressions, then we will try a minor version upgrade. As per, https://nodejs.org/en/about/previous-releases, Node20 series is under Maintenance.

@kgodara912 I did search the commit logs and found that some of the CVEs we include in our sepc file are missing

[aninda-al]

Buddy build. Both the patches match with upstream reference. As the patches referenced here are already merged in nodejs 20.19.2 which is a minor version upgrade, could you please check how many of the CVEs listed in spec file are already fixed in 20.19.2 version? There are multiple other fixes in the release, let's see if all the CVEs are fixed and no regressions, then we will try a minor version upgrade. As per, https://nodejs.org/en/about/previous-releases, Node20 series is under Maintenance.

@kgodara912 I did search the commit logs and found that some of the CVEs we include in our sepc file are missing

@kgodara912 It appears from the git log, not all CVEs are applied. Should we still proceed with minor version upgrade or continue applying this patch? Thanks!

[kgodara912]

Ideally, we could check the source code and see what patches are required but that will take significant time. We may take that up in next release. LGTM.

[Kanishk-Bansal]

We can keep this PR going for now.