EasyApache4 v25.4 Maintenance and Security Release
cPanel, L.L.C. has released an update for EasyApache 4! Take a look at some highlights below, and then join us on the cPanel Community Forums, Discord, or Reddit to talk about this update and much more. If you have additional questions, feel free to reach out on one of our social channels.
ea-nodejs18
- EA-12662: Update ea-nodejs18 from v18.20.5 to v18.20.6
- GOAWAY HTTP/2 frames cause memory leak outside heap (CVE-2025-23085) – (medium)
- Path traversal by drive name in Windows environment (CVE-2025-23084) – (medium)
ea-nodejs20
- EA-12663: Update ea-nodejs20 from v20.18.1 to v20.18.2
- Worker permission bypass via InternalWorker leak in diagnostics (CVE-2025-23083) – (high)
- GOAWAY HTTP/2 frames cause memory leak outside heap (CVE-2025-23085) – (medium)
- Path traversal by drive name in Windows environment (CVE-2025-23084) – (medium)
ea-nodejs22
- EA-12664: Update ea-nodejs22 from v22.13.0 to v22.13.1
- Worker permission bypass via InternalWorker leak in diagnostics (CVE-2025-23083) – (high)
- GOAWAY HTTP/2 frames cause memory leak outside heap (CVE-2025-23085) – (medium)
- Path traversal by drive name in Windows environment (CVE-2025-23084) – (medium)
ea-apache24
- EA-12665: Update ea-apache24 from v2.4.62 to v2.4.63
- Remove Proxy FCGI patch (upstream patched in v2.5.63)
SUMMARY
cPanel, L.L.C. has updated packages for EasyApache 4 with updated versions of NodeJS 18, NodeJS 20, and NodeJS 22. This release addresses vulnerabilities related to CVE-2025-23083, CVE-2025-23084, and CVE-2025-23085. We strongly encourage all NodeJS 18 users to update to version 18.20.6, all NodeJS 22 users to update to version 22.13.1 and all NodeJS 20 users to update to version 20.18.2.
AFFECTED VERSIONS
All versions of NodeJS 18 through 18.20.5.
All versions of NodeJS 20 through 20.18.1.
All versions of NodeJS 22 through 22.13.0.
SECURITY RATING
The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:
CVE-2025-23083 – MEDIUM
NodeJS 20
Fixed vulnerability related to CVE-2025-23083
NodeJS 22
Fixed vulnerability related to CVE-2025-23083
CVE-2025-23084 – MEDIUM
NodeJS 18
Fixed vulnerability related to CVE-2025-23084
NodeJS 20
Fixed vulnerability related to CVE-2025-23084
NodeJS 22
Fixed vulnerability related to CVE-2025-23084
CVE-2025-23085 – MEDIUM
NodeJS 18
Fixed vulnerability related to CVE-2025-23085
NodeJS 20
Fixed vulnerability related to CVE-2025-23085
NodeJS 22
Fixed vulnerability related to CVE-2025-23085
SOLUTION
cPanel, L.L.C. has released updated packages for EasyApache 4 25.4 on January 29, 2025, with NodeJS versions 18.20.6, 20.18.2 and 22.13.1. Unless you have enabled automatic package updates in your cron, update your system with either your package manager or WHM’s Run System Update interface.
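To confirm the result after updating, the shell function below classifies a Node.js version string (as printed by `node --version`) against the affected ranges and fixed versions listed in this announcement. It is an added example, not cPanel tooling; the function name `node_advisory_status` and its result labels are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify a Node.js version string against the fixed
# versions named in this announcement (18.20.6, 20.18.2, 22.13.1).
# Function name and result labels are illustrative, not cPanel tooling.

# Prints one of: fixed, affected, not-covered (release line not listed in
# this announcement), invalid (not MAJOR.MINOR.PATCH).
node_advisory_status() {
    ver=${1#v}                      # node --version prints a leading "v"
    case $ver in
        ''|*[!0-9.]*|.*|*.|*..*|*.*.*.*) echo invalid; return 0 ;;
        *.*.*) ;;                   # exactly three numeric fields
        *) echo invalid; return 0 ;;
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}

    # First fixed release on each line, taken from the announcement.
    case $major in
        18) fmin=20 fpat=6 ;;
        20) fmin=18 fpat=2 ;;
        22) fmin=13 fpat=1 ;;
        *)  echo not-covered; return 0 ;;
    esac

    # Compare fields numerically so that 22.9.x sorts below 22.13.x.
    if [ "$minor" -gt "$fmin" ] ||
       { [ "$minor" -eq "$fmin" ] && [ "$patch" -ge "$fpat" ]; }; then
        echo fixed
    else
        echo affected
    fi
}

# Constructed sample inputs; on a server, pass the output of each
# installed interpreter's `node --version` instead.
for v in v18.20.5 v18.20.6 v20.18.1 v22.13.1 v23.6.0 20.x; do
    printf '%s\t%s\n' "$v" "$(node_advisory_status "$v")"
done
```

A result of `not-covered` means only that this announcement does not list that release line, not that the version is unaffected.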
REFERENCES
https://www.cve.org/CVERecord?id=CVE-2025-23083
https://www.cve.org/CVERecord?id=CVE-2025-23084
https://www.cve.org/CVERecord?id=CVE-2025-23085
https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V18.md
https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V22.md#22.13.1
https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V20.md
Information about all releases this year can be found in the 2025 EasyApache 4 Changelog.
GPG signed copy of this announcement: https://news.cpanel.com/wp-content/uploads/2025/01/EA4-25.4-CVE.signed.txt