Cryptographic weaknesses

MEDIUM
nodejs/node
Commit: 05f8772096f9
Affected: < 25.9.0
2026-04-05 10:57 UTC

Description

The commit fixes how the nghttp2 tarball's detached signature is verified during the dependency update. Previously the script piped the detached signature into gpgv on STDIN and passed only the tarball path as an argument. gpgv expects a detached signature as a file argument, not on STDIN, so this invocation was brittle and open to misinterpretation or edge-case failures in signature verification. The fix downloads the detached signature to a file and invokes gpgv with both the signature file and the tarball as explicit arguments, so the downloaded dependency is properly verified. This reduces the risk of signature verification bypasses or misverification during dependency updates.

Commit Details

Author: Richard Lau

Date: 2025-12-14 15:01 UTC

Message:

tools: fix update-nghttp2 signature verification

Detached signatures must be passed to `gpgv` as a filename before the datafile (which can be stdin but the detached signature file cannot be stdin and cannot be piped in).

PR-URL: https://github.com/nodejs/node/pull/61035
Refs: https://github.com/nodejs/node/pull/60113
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>

Triage Assessment

Vulnerability Type: Cryptographic weaknesses

Confidence: MEDIUM

Reasoning:

The commit changes how the nghttp2 tarball's detached signature is verified. By downloading the .asc detached signature and invoking gpgv with both the signature and the tarball, it ensures proper cryptographic verification of the downloaded dependency. This improves integrity verification and prevents potential signature verification bypasses or misverification during dependency updates.

Verification Assessment

Vulnerability Type: Cryptographic weaknesses

Confidence: MEDIUM

Affected Versions: < 25.9.0

Code Diff

diff --git a/tools/dep_updaters/update-nghttp2.sh b/tools/dep_updaters/update-nghttp2.sh index c19dedf1ca203f..759f71f4f4024f 100755 --- a/tools/dep_updaters/update-nghttp2.sh +++ b/tools/dep_updaters/update-nghttp2.sh @@ -50,12 +50,13 @@ echo "Fetching nghttp2 source archive" curl -sL -o "$NGHTTP2_TARBALL" "https://github.com/nghttp2/nghttp2/releases/download/$NGHTTP2_REF/$NGHTTP2_TARBALL" echo "Verifying PGP signature" -curl -sL "https://github.com/nghttp2/nghttp2/releases/download/${NGHTTP2_REF}/${NGHTTP2_TARBALL}.asc" \ -| gpgv --keyring "$BASE_DIR/tools/dep_updaters/nghttp.kbx" "$NGHTTP2_TARBALL" +curl -sL -o "${NGHTTP2_TARBALL}.asc" "https://github.com/nghttp2/nghttp2/releases/download/${NGHTTP2_REF}/${NGHTTP2_TARBALL}.asc" +gpgv --keyring "$BASE_DIR/tools/dep_updaters/nghttp.kbx" "${NGHTTP2_TARBALL}.asc" "${NGHTTP2_TARBALL}" echo "Unpacking archive" tar xJf "$NGHTTP2_TARBALL" rm "$NGHTTP2_TARBALL" +rm "${NGHTTP2_TARBALL}.asc" mv "nghttp2-$NEW_VERSION" nghttp2 echo "Removing everything, except lib/ and COPYING"
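Review bot: the new `curl -sL -o "${NGHTTP2_TARBALL}.asc" …` download in this hunk has no `-f`, so an HTTP error response (for example when the `.asc` asset is absent for a release) is written into the signature file and the failure only surfaces later as a gpgv parse error; `curl -sSfL -o …` would make the download step itself fail with a clear message, and the same applies to the tarball fetch in the context line above. Separately, the hunk does not show what happens when `gpgv` exits non-zero: unless the script already runs under `set -e`, the following `tar xJf "$NGHTTP2_TARBALL"` would still unpack an archive whose signature did not verify, so `gpgv … || exit 1` (or confirming `set -e` at the top of the script) is worth checking before merge.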