Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2025-59464 (GCVE-0-2025-59464)
Vulnerability from cvelistv5 – Published: 2026-01-20 20:41 – Updated: 2026-01-21 20:41
VLAI
EPSS
Summary
A memory leak in Node.js’s OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. When applications call `socket.getPeerCertificate(true)`, each certificate field leaks memory, allowing remote clients to trigger steady memory growth through repeated TLS connections. Over time this can lead to resource exhaustion and denial of service.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
1 reference
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59464",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-21T20:40:07.879640Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-21T20:41:09.437Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "node",
"vendor": "nodejs",
"versions": [
{
"lessThan": "24.12.0",
"status": "affected",
"version": "24.12.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A memory leak in Node.js\u2019s OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. When applications call `socket.getPeerCertificate(true)`, each certificate field leaks memory, allowing remote clients to trigger steady memory growth through repeated TLS connections. Over time this can lead to resource exhaustion and denial of service."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.0"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T20:41:55.599Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2025-59464",
"datePublished": "2026-01-20T20:41:55.599Z",
"dateReserved": "2025-09-16T15:00:07.875Z",
"dateUpdated": "2026-01-21T20:41:09.437Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2025-59464",
"date": "2026-06-03",
"epss": "0.00098",
"percentile": "0.26969"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2025-59464\",\"sourceIdentifier\":\"support@hackerone.com\",\"published\":\"2026-01-20T21:16:03.900\",\"lastModified\":\"2026-01-30T20:26:26.333\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A memory leak in Node.js\u2019s OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. When applications call `socket.getPeerCertificate(true)`, each certificate field leaks memory, allowing remote clients to trigger steady memory growth through repeated TLS connections. Over time this can lead to resource exhaustion and denial of service.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"cvssMetricV30\":[{\"source\":\"support@hackerone.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-400\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*\",\"versionStartIncluding\":\"24.0.0\",\"versionEndExcluding\":\"24.12.0\",\"matchCriteriaId\":\"C2C21118-9E06-473D-8287-10F2181A067B\"}]}]}],\"references\":[{\"url\":\"https://nodejs.org/en/blog/vulnerability/december-2025-security-releases\",\"source\":\"support@hackerone.com\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-59464\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-01-21T20:40:07.879640Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-400\", \"description\": \"CWE-400 Uncontrolled Resource Consumption\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-01-21T20:41:05.620Z\"}}], \"cna\": {\"metrics\": [{\"cvssV3_0\": {\"version\": \"3.0\", \"baseScore\": 6.5, \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\"}}], \"affected\": [{\"vendor\": \"nodejs\", \"product\": \"node\", \"versions\": [{\"status\": \"affected\", \"version\": \"24.12.0\", \"lessThan\": \"24.12.0\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://nodejs.org/en/blog/vulnerability/december-2025-security-releases\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"A memory leak in Node.js\\u2019s OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. When applications call `socket.getPeerCertificate(true)`, each certificate field leaks memory, allowing remote clients to trigger steady memory growth through repeated TLS connections. Over time this can lead to resource exhaustion and denial of service.\"}], \"providerMetadata\": {\"orgId\": \"36234546-b8fa-4601-9d6f-f4e334aa8ea1\", \"shortName\": \"hackerone\", \"dateUpdated\": \"2026-01-20T20:41:55.599Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-59464\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-01-21T20:41:09.437Z\", \"dateReserved\": \"2025-09-16T15:00:07.875Z\", \"assignerOrgId\": \"36234546-b8fa-4601-9d6f-f4e334aa8ea1\", \"datePublished\": \"2026-01-20T20:41:55.599Z\", \"assignerShortName\": \"hackerone\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
RHSA-2026:6402
Vulnerability from csaf_redhat - Published: 2026-04-01 16:46 - Updated: 2026-04-20 21:33Summary
Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update
Severity
Important
Notes
Topic: An update for Red Hat Hardened Images RPMs is now available.
Details: This update includes the following RPMs:
nodejs24:
* nodejs24-24.14.1-4.hum1 (aarch64, x86_64)
* nodejs24-bin-24.14.1-4.hum1 (noarch)
* nodejs24-devel-24.14.1-4.hum1 (aarch64, x86_64)
* nodejs24-docs-24.14.1-4.hum1 (noarch)
* nodejs24-full-i18n-24.14.1-4.hum1 (aarch64, x86_64)
* nodejs24-libs-24.14.1-4.hum1 (aarch64, x86_64)
* nodejs24-npm-11.11.0-1.24.14.1.4.hum1 (noarch)
* nodejs24-npm-bin-24.14.1-4.hum1 (noarch)
* v8-13.6-devel-13.6.233.17-1.24.14.1.4.hum1 (aarch64, x86_64)
* nodejs24-24.14.1-4.hum1.src (source)
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write.
7.1 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A memory exposure flaw has been discovered in Node.js. A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption.
7.1 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A file access flaw has been discovered in NodeJS. A file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs.
5.3 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A resource consumption flaw has been discovered in NodeJS. A memory leak in Node.js’s OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. When applications call `socket.getPeerCertificate(true)`, each certificate field leaks memory, allowing remote clients to trigger steady memory growth through repeated TLS connections. Over time this can lead to resource exhaustion and denial of service.
6.5 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A denial of service flaw has been discovered in NodeJS. A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets
7.5 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A stack overflow flaw has been discovered in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on('uncaughtException')`, the process terminates, making the crash unrecoverable. Applications that rely on `AsyncLocalStorage` (v22, v20) or `async_hooks.createHook()` (v24, v22, v20) become vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions.
5.9 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw in Node.js's permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when `--permission` is enabled. Even without `--allow-net`, attacker-controlled inputs (such as URLs or socketPath options) can connect to arbitrary local sockets via net, tls, or undici/fetch. This breaks the intended security boundary of the permission model and enables access to privileged local services, potentially leading to privilege escalation, data exposure, or local code execution.
5.8 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across Node.js versions where these callbacks throw without being safely wrapped.
5.9 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Node.js. An incomplete security fix allows code operating under restricted file system write permissions to bypass these limitations. This vulnerability enables the modification of file permissions and ownership on already-open files, even when explicit write access is denied. Such a bypass could lead to unauthorized changes to system files.
CWE-279 - Incorrect Execution-Assigned PermissionsAffected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Low
A flaw was found in V8's string hashing mechanism within Node.js. A remote attacker can exploit this vulnerability by crafting requests containing integer-like strings. These specially crafted strings cause predictable hash collisions in V8's internal string table, particularly when processed by functions like JSON.parse() on attacker-controlled input. This can significantly degrade the performance of the Node.js process, leading to a Denial of Service (DoS) condition.
5.9 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
References
56 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for Red Hat Hardened Images RPMs is now available.",
"title": "Topic"
},
{
"category": "general",
"text": "This update includes the following RPMs:\n\nnodejs24:\n * nodejs24-24.14.1-4.hum1 (aarch64, x86_64)\n * nodejs24-bin-24.14.1-4.hum1 (noarch)\n * nodejs24-devel-24.14.1-4.hum1 (aarch64, x86_64)\n * nodejs24-docs-24.14.1-4.hum1 (noarch)\n * nodejs24-full-i18n-24.14.1-4.hum1 (aarch64, x86_64)\n * nodejs24-libs-24.14.1-4.hum1 (aarch64, x86_64)\n * nodejs24-npm-11.11.0-1.24.14.1.4.hum1 (noarch)\n * nodejs24-npm-bin-24.14.1-4.hum1 (noarch)\n * v8-13.6-devel-13.6.233.17-1.24.14.1.4.hum1 (aarch64, x86_64)\n * nodejs24-24.14.1-4.hum1.src (source)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:6402",
"url": "https://access.redhat.com/errata/RHSA-2026:6402"
},
{
"category": "external",
"summary": "https://images.redhat.com/",
"url": "https://images.redhat.com/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-21637",
"url": "https://access.redhat.com/security/cve/CVE-2026-21637"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-21636",
"url": "https://access.redhat.com/security/cve/CVE-2026-21636"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-59466",
"url": "https://access.redhat.com/security/cve/CVE-2025-59466"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-59465",
"url": "https://access.redhat.com/security/cve/CVE-2025-59465"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-59464",
"url": "https://access.redhat.com/security/cve/CVE-2025-59464"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-55132",
"url": "https://access.redhat.com/security/cve/CVE-2025-55132"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-55131",
"url": "https://access.redhat.com/security/cve/CVE-2025-55131"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-55130",
"url": "https://access.redhat.com/security/cve/CVE-2025-55130"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-21717",
"url": "https://access.redhat.com/security/cve/CVE-2026-21717"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-21716",
"url": "https://access.redhat.com/security/cve/CVE-2026-21716"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_6402.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update",
"tracking": {
"current_release_date": "2026-04-20T21:33:24+00:00",
"generator": {
"date": "2026-04-20T21:33:24+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.5"
}
},
"id": "RHSA-2026:6402",
"initial_release_date": "2026-04-01T16:46:17+00:00",
"revision_history": [
{
"date": "2026-04-01T16:46:17+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-04-18T19:57:10+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-04-20T21:33:24+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Hardened Images",
"product": {
"name": "Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:hummingbird:1"
}
}
}
],
"category": "product_family",
"name": "Red Hat Hardened Images"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs24-main@aarch64",
"product": {
"name": "nodejs24-main@aarch64",
"product_id": "nodejs24-main@aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs24@24.14.1-4.hum1?arch=aarch64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-aarch64-rpms"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs24-main@src",
"product": {
"name": "nodejs24-main@src",
"product_id": "nodejs24-main@src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs24@24.14.1-4.hum1?arch=source\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-source-rpms"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs24-main@x86_64",
"product": {
"name": "nodejs24-main@x86_64",
"product_id": "nodejs24-main@x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs24@24.14.1-4.hum1?arch=x86_64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs24-main@noarch",
"product": {
"name": "nodejs24-main@noarch",
"product_id": "nodejs24-main@noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs24-bin@24.14.1-4.hum1?arch=noarch\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-main@aarch64 as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:nodejs24-main@aarch64"
},
"product_reference": "nodejs24-main@aarch64",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-main@noarch as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:nodejs24-main@noarch"
},
"product_reference": "nodejs24-main@noarch",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-main@src as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:nodejs24-main@src"
},
"product_reference": "nodejs24-main@src",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-main@x86_64 as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:nodejs24-main@x86_64"
},
"product_reference": "nodejs24-main@x86_64",
"relates_to_product_reference": "Red Hat Hardened Images"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-55130",
"cwe": {
"id": "CWE-281",
"name": "Improper Preservation of Permissions"
},
"discovery_date": "2026-01-20T21:03:01.083023+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431352"
}
],
"notes": [
{
"category": "description",
"text": "A flaw in Node.js\u2019s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs file permissions bypass",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-55130"
},
{
"category": "external",
"summary": "RHBZ#2431352",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431352"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-55130",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55130"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-55130",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55130"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.393000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-01T16:46:17+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6402"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "nodejs: Nodejs file permissions bypass"
},
{
"cve": "CVE-2025-55131",
"cwe": {
"id": "CWE-497",
"name": "Exposure of Sensitive System Information to an Unauthorized Control Sphere"
},
"discovery_date": "2026-01-20T21:02:45.759578+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431350"
}
],
"notes": [
{
"category": "description",
"text": "A memory exposure flaw has been discovered in Node.js. A flaw in Node.js\u0027s buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs uninitialized memory exposure",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-55131"
},
{
"category": "external",
"summary": "RHBZ#2431350",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431350"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-55131",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55131"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-55131",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55131"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.591000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-01T16:46:17+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6402"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "nodejs: Nodejs uninitialized memory exposure"
},
{
"cve": "CVE-2025-55132",
"cwe": {
"id": "CWE-281",
"name": "Improper Preservation of Permissions"
},
"discovery_date": "2026-01-20T21:01:12.192484+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431338"
}
],
"notes": [
{
"category": "description",
"text": "A file access flaw has been discovered in NodeJS. A file\u0027s access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs filesystem permissions bypass",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-55132"
},
{
"category": "external",
"summary": "RHBZ#2431338",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431338"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-55132",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55132"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-55132",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55132"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.620000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-01T16:46:17+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6402"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
},
"products": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Nodejs filesystem permissions bypass"
},
{
"cve": "CVE-2025-59464",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-01-20T21:01:52.581156+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431344"
}
],
"notes": [
{
"category": "description",
"text": "A resource consumption flaw has been discovered in NodeJS. A memory leak in Node.js\u2019s OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. When applications call `socket.getPeerCertificate(true)`, each certificate field leaks memory, allowing remote clients to trigger steady memory growth through repeated TLS connections. Over time this can lead to resource exhaustion and denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs memory leak",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-59464"
},
{
"category": "external",
"summary": "RHBZ#2431344",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431344"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-59464",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-59464"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-59464",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59464"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.599000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-01T16:46:17+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6402"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Nodejs memory leak"
},
{
"cve": "CVE-2025-59465",
"cwe": {
"id": "CWE-248",
"name": "Uncaught Exception"
},
"discovery_date": "2026-01-20T21:02:37.799525+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431349"
}
],
"notes": [
{
"category": "description",
"text": "A denial of service flaw has been discovered in NodeJS. A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs denial of service",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-59465"
},
{
"category": "external",
"summary": "RHBZ#2431349",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431349"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-59465",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-59465"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-59465",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59465"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.317000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-01T16:46:17+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6402"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "nodejs: Nodejs denial of service"
},
{
"cve": "CVE-2025-59466",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-01-20T21:01:46.025710+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431343"
}
],
"notes": [
{
"category": "description",
"text": "A stack overflow flaw has been discovered in Node.js error handling where \"Maximum call stack size exceeded\" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on(\u0027uncaughtException\u0027)`, the process terminates, making the crash unrecoverable. Applications that rely on `AsyncLocalStorage` (v22, v20) or `async_hooks.createHook()` (v24, v22, v20) become vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs denial of service",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This flaw requires that the experimental Async hook feature is enabled for use in NodeJS. This feature is not enabled by default on Red Hat systems.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-59466"
},
{
"category": "external",
"summary": "RHBZ#2431343",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431343"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-59466",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-59466"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-59466",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59466"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.628000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-01T16:46:17+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6402"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Nodejs denial of service"
},
{
"cve": "CVE-2026-21636",
"cwe": {
"id": "CWE-281",
"name": "Improper Preservation of Permissions"
},
"discovery_date": "2026-01-20T21:01:41.174266+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431342"
}
],
"notes": [
{
"category": "description",
"text": "A flaw in Node.js\u0027s permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when `--permission` is enabled. Even without `--allow-net`, attacker-controlled inputs (such as URLs or socketPath options) can connect to arbitrary local sockets via net, tls, or undici/fetch. This breaks the intended security boundary of the permission model and enables access to privileged local services, potentially leading to privilege escalation, data exposure, or local code execution.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs network segmentation bypass",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-21636"
},
{
"category": "external",
"summary": "RHBZ#2431342",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431342"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-21636",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-21636"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-21636",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21636"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.700000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-01T16:46:17+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6402"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Nodejs network segmentation bypass"
},
{
"cve": "CVE-2026-21637",
"cwe": {
"id": "CWE-248",
"name": "Uncaught Exception"
},
"discovery_date": "2026-01-20T21:01:26.738343+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431340"
}
],
"notes": [
{
"category": "description",
"text": "A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across Node.js versions where these callbacks throw without being safely wrapped.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs denial of service",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Systems configured according to Red Hat guidelines should have their services set to restart in the event of a process crash. This Host system service management mitigates the availability impact to Red Hat customers.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-21637"
},
{
"category": "external",
"summary": "RHBZ#2431340",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431340"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-21637",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-21637"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-21637",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21637"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.352000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-01T16:46:17+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6402"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Nodejs denial of service"
},
{
"cve": "CVE-2026-21716",
"cwe": {
"id": "CWE-279",
"name": "Incorrect Execution-Assigned Permissions"
},
"discovery_date": "2026-03-30T20:01:51.136802+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2453157"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Node.js. An incomplete security fix allows code operating under restricted file system write permissions to bypass these limitations. This vulnerability enables the modification of file permissions and ownership on already-open files, even when explicit write access is denied. Such a bypass could lead to unauthorized changes to system files.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Node.js: Permission bypass allows unauthorized modification of file permissions and ownership via incomplete security fix.",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-21716"
},
{
"category": "external",
"summary": "RHBZ#2453157",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453157"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-21716",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-21716"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-21716",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21716"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"
}
],
"release_date": "2026-03-30T19:07:28.538000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-01T16:46:17+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6402"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "nodejs: Node.js: Permission bypass allows unauthorized modification of file permissions and ownership via incomplete security fix."
},
{
"cve": "CVE-2026-21717",
"cwe": {
"id": "CWE-328",
"name": "Use of Weak Hash"
},
"discovery_date": "2026-03-30T20:02:10.986695+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2453162"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in V8\u0027s string hashing mechanism within Node.js. A remote attacker can exploit this vulnerability by crafting requests containing integer-like strings. These specially crafted strings cause predictable hash collisions in V8\u0027s internal string table, particularly when processed by functions like JSON.parse() on attacker-controlled input. This can significantly degrade the performance of the Node.js process, leading to a Denial of Service (DoS) condition.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: v8: Node.js: Denial of Service via V8 string hashing mechanism due to predictable hash collisions",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-21717"
},
{
"category": "external",
"summary": "RHBZ#2453162",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453162"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-21717",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-21717"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-21717",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21717"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"
}
],
"release_date": "2026-03-30T19:07:28.415000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-01T16:46:17+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6402"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: v8: Node.js: Denial of Service via V8 string hashing mechanism due to predictable hash collisions"
}
]
}
RHSA-2026:6431
Vulnerability from csaf_redhat - Published: 2026-04-02 08:24 - Updated: 2026-04-20 21:33Summary
Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update
Severity
Important
Notes
Topic: An update for Red Hat Hardened Images RPMs is now available.
Details: This update includes the following RPMs:
nodejs25:
* nodejs25-25.9.0-1.hum1 (aarch64, x86_64)
* nodejs25-bin-25.9.0-1.hum1 (noarch)
* nodejs25-devel-25.9.0-1.hum1 (aarch64, x86_64)
* nodejs25-docs-25.9.0-1.hum1 (noarch)
* nodejs25-full-i18n-25.9.0-1.hum1 (aarch64, x86_64)
* nodejs25-libs-25.9.0-1.hum1 (aarch64, x86_64)
* nodejs25-npm-11.12.1-1.25.9.0.1.hum1 (noarch)
* nodejs25-npm-bin-25.9.0-1.hum1 (noarch)
* v8-14.1-devel-14.1.146.11-1.25.9.0.1.hum1 (aarch64, x86_64)
* nodejs25-25.9.0-1.hum1.src (source)
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write.
7.1 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A memory exposure flaw has been discovered in Node.js. A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption.
7.1 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A file access flaw has been discovered in NodeJS. A file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs.
5.3 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A resource consumption flaw has been discovered in NodeJS. A memory leak in Node.js’s OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. When applications call `socket.getPeerCertificate(true)`, each certificate field leaks memory, allowing remote clients to trigger steady memory growth through repeated TLS connections. Over time this can lead to resource exhaustion and denial of service.
6.5 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A denial of service flaw has been discovered in NodeJS. A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets
7.5 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A stack overflow flaw has been discovered in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on('uncaughtException')`, the process terminates, making the crash unrecoverable. Applications that rely on `AsyncLocalStorage` (v22, v20) or `async_hooks.createHook()` (v24, v22, v20) become vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions.
5.9 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw in Node.js's permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when `--permission` is enabled. Even without `--allow-net`, attacker-controlled inputs (such as URLs or socketPath options) can connect to arbitrary local sockets via net, tls, or undici/fetch. This breaks the intended security boundary of the permission model and enables access to privileged local services, potentially leading to privilege escalation, data exposure, or local code execution.
5.8 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across Node.js versions where these callbacks throw without being safely wrapped.
5.9 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Node.js. An incomplete security fix allows code operating under restricted file system write permissions to bypass these limitations. This vulnerability enables the modification of file permissions and ownership on already-open files, even when explicit write access is denied. Such a bypass could lead to unauthorized changes to system files.
CWE-279 - Incorrect Execution-Assigned PermissionsAffected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Low
A flaw was found in V8's string hashing mechanism within Node.js. A remote attacker can exploit this vulnerability by crafting requests containing integer-like strings. These specially crafted strings cause predictable hash collisions in V8's internal string table, particularly when processed by functions like JSON.parse() on attacker-controlled input. This can significantly degrade the performance of the Node.js process, leading to a Denial of Service (DoS) condition.
5.9 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
References
56 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for Red Hat Hardened Images RPMs is now available.",
"title": "Topic"
},
{
"category": "general",
"text": "This update includes the following RPMs:\n\nnodejs25:\n * nodejs25-25.9.0-1.hum1 (aarch64, x86_64)\n * nodejs25-bin-25.9.0-1.hum1 (noarch)\n * nodejs25-devel-25.9.0-1.hum1 (aarch64, x86_64)\n * nodejs25-docs-25.9.0-1.hum1 (noarch)\n * nodejs25-full-i18n-25.9.0-1.hum1 (aarch64, x86_64)\n * nodejs25-libs-25.9.0-1.hum1 (aarch64, x86_64)\n * nodejs25-npm-11.12.1-1.25.9.0.1.hum1 (noarch)\n * nodejs25-npm-bin-25.9.0-1.hum1 (noarch)\n * v8-14.1-devel-14.1.146.11-1.25.9.0.1.hum1 (aarch64, x86_64)\n * nodejs25-25.9.0-1.hum1.src (source)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:6431",
"url": "https://access.redhat.com/errata/RHSA-2026:6431"
},
{
"category": "external",
"summary": "https://images.redhat.com/",
"url": "https://images.redhat.com/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-21637",
"url": "https://access.redhat.com/security/cve/CVE-2026-21637"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-21636",
"url": "https://access.redhat.com/security/cve/CVE-2026-21636"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-59466",
"url": "https://access.redhat.com/security/cve/CVE-2025-59466"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-59465",
"url": "https://access.redhat.com/security/cve/CVE-2025-59465"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-59464",
"url": "https://access.redhat.com/security/cve/CVE-2025-59464"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-55132",
"url": "https://access.redhat.com/security/cve/CVE-2025-55132"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-55131",
"url": "https://access.redhat.com/security/cve/CVE-2025-55131"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-55130",
"url": "https://access.redhat.com/security/cve/CVE-2025-55130"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-21717",
"url": "https://access.redhat.com/security/cve/CVE-2026-21717"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-21716",
"url": "https://access.redhat.com/security/cve/CVE-2026-21716"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_6431.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update",
"tracking": {
"current_release_date": "2026-04-20T21:33:22+00:00",
"generator": {
"date": "2026-04-20T21:33:22+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.5"
}
},
"id": "RHSA-2026:6431",
"initial_release_date": "2026-04-02T08:24:03+00:00",
"revision_history": [
{
"date": "2026-04-02T08:24:03+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-04-18T19:57:07+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-04-20T21:33:22+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Hardened Images",
"product": {
"name": "Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:hummingbird:1"
}
}
}
],
"category": "product_family",
"name": "Red Hat Hardened Images"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs25-main@aarch64",
"product": {
"name": "nodejs25-main@aarch64",
"product_id": "nodejs25-main@aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs25@25.9.0-1.hum1?arch=aarch64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-aarch64-rpms"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs25-main@src",
"product": {
"name": "nodejs25-main@src",
"product_id": "nodejs25-main@src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs25@25.9.0-1.hum1?arch=source\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-source-rpms"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs25-main@x86_64",
"product": {
"name": "nodejs25-main@x86_64",
"product_id": "nodejs25-main@x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs25@25.9.0-1.hum1?arch=x86_64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs25-main@noarch",
"product": {
"name": "nodejs25-main@noarch",
"product_id": "nodejs25-main@noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs25-bin@25.9.0-1.hum1?arch=noarch\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs25-main@aarch64 as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:nodejs25-main@aarch64"
},
"product_reference": "nodejs25-main@aarch64",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs25-main@noarch as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:nodejs25-main@noarch"
},
"product_reference": "nodejs25-main@noarch",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs25-main@src as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:nodejs25-main@src"
},
"product_reference": "nodejs25-main@src",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs25-main@x86_64 as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:nodejs25-main@x86_64"
},
"product_reference": "nodejs25-main@x86_64",
"relates_to_product_reference": "Red Hat Hardened Images"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-55130",
"cwe": {
"id": "CWE-281",
"name": "Improper Preservation of Permissions"
},
"discovery_date": "2026-01-20T21:03:01.083023+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431352"
}
],
"notes": [
{
"category": "description",
"text": "A flaw in Node.js\u2019s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs file permissions bypass",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-55130"
},
{
"category": "external",
"summary": "RHBZ#2431352",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431352"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-55130",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55130"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-55130",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55130"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.393000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-02T08:24:03+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6431"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "nodejs: Nodejs file permissions bypass"
},
{
"cve": "CVE-2025-55131",
"cwe": {
"id": "CWE-497",
"name": "Exposure of Sensitive System Information to an Unauthorized Control Sphere"
},
"discovery_date": "2026-01-20T21:02:45.759578+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431350"
}
],
"notes": [
{
"category": "description",
"text": "A memory exposure flaw has been discovered in Node.js. A flaw in Node.js\u0027s buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs uninitialized memory exposure",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-55131"
},
{
"category": "external",
"summary": "RHBZ#2431350",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431350"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-55131",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55131"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-55131",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55131"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.591000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-02T08:24:03+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6431"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "nodejs: Nodejs uninitialized memory exposure"
},
{
"cve": "CVE-2025-55132",
"cwe": {
"id": "CWE-281",
"name": "Improper Preservation of Permissions"
},
"discovery_date": "2026-01-20T21:01:12.192484+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431338"
}
],
"notes": [
{
"category": "description",
"text": "A file access flaw has been discovered in NodeJS. A file\u0027s access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs filesystem permissions bypass",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-55132"
},
{
"category": "external",
"summary": "RHBZ#2431338",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431338"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-55132",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55132"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-55132",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55132"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.620000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-02T08:24:03+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6431"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
},
"products": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Nodejs filesystem permissions bypass"
},
{
"cve": "CVE-2025-59464",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-01-20T21:01:52.581156+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431344"
}
],
"notes": [
{
"category": "description",
"text": "A resource consumption flaw has been discovered in NodeJS. A memory leak in Node.js\u2019s OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. When applications call `socket.getPeerCertificate(true)`, each certificate field leaks memory, allowing remote clients to trigger steady memory growth through repeated TLS connections. Over time this can lead to resource exhaustion and denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs memory leak",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-59464"
},
{
"category": "external",
"summary": "RHBZ#2431344",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431344"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-59464",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-59464"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-59464",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59464"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.599000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-02T08:24:03+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6431"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Nodejs memory leak"
},
{
"cve": "CVE-2025-59465",
"cwe": {
"id": "CWE-248",
"name": "Uncaught Exception"
},
"discovery_date": "2026-01-20T21:02:37.799525+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431349"
}
],
"notes": [
{
"category": "description",
"text": "A denial of service flaw has been discovered in NodeJS. A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs denial of service",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-59465"
},
{
"category": "external",
"summary": "RHBZ#2431349",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431349"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-59465",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-59465"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-59465",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59465"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.317000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-02T08:24:03+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6431"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "nodejs: Nodejs denial of service"
},
{
"cve": "CVE-2025-59466",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-01-20T21:01:46.025710+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431343"
}
],
"notes": [
{
"category": "description",
"text": "A stack overflow flaw has been discovered in Node.js error handling where \"Maximum call stack size exceeded\" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on(\u0027uncaughtException\u0027)`, the process terminates, making the crash unrecoverable. Applications that rely on `AsyncLocalStorage` (v22, v20) or `async_hooks.createHook()` (v24, v22, v20) become vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs denial of service",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This flaw requires that the experimental Async hook feature is enabled for use in NodeJS. This feature is not enabled by default on Red Hat systems.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-59466"
},
{
"category": "external",
"summary": "RHBZ#2431343",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431343"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-59466",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-59466"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-59466",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59466"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.628000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-02T08:24:03+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6431"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Nodejs denial of service"
},
{
"cve": "CVE-2026-21636",
"cwe": {
"id": "CWE-281",
"name": "Improper Preservation of Permissions"
},
"discovery_date": "2026-01-20T21:01:41.174266+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431342"
}
],
"notes": [
{
"category": "description",
"text": "A flaw in Node.js\u0027s permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when `--permission` is enabled. Even without `--allow-net`, attacker-controlled inputs (such as URLs or socketPath options) can connect to arbitrary local sockets via net, tls, or undici/fetch. This breaks the intended security boundary of the permission model and enables access to privileged local services, potentially leading to privilege escalation, data exposure, or local code execution.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs network segmentation bypass",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-21636"
},
{
"category": "external",
"summary": "RHBZ#2431342",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431342"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-21636",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-21636"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-21636",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21636"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.700000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-02T08:24:03+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6431"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Nodejs network segmentation bypass"
},
{
"cve": "CVE-2026-21637",
"cwe": {
"id": "CWE-248",
"name": "Uncaught Exception"
},
"discovery_date": "2026-01-20T21:01:26.738343+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431340"
}
],
"notes": [
{
"category": "description",
"text": "A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across Node.js versions where these callbacks throw without being safely wrapped.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs denial of service",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Systems configured according to Red Hat guidelines should have their services set to restart in the event of a process crash. This Host system service management mitigates the availability impact to Red Hat customers.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-21637"
},
{
"category": "external",
"summary": "RHBZ#2431340",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431340"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-21637",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-21637"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-21637",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21637"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.352000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-02T08:24:03+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6431"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Nodejs denial of service"
},
{
"cve": "CVE-2026-21716",
"cwe": {
"id": "CWE-279",
"name": "Incorrect Execution-Assigned Permissions"
},
"discovery_date": "2026-03-30T20:01:51.136802+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2453157"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Node.js. An incomplete security fix allows code operating under restricted file system write permissions to bypass these limitations. This vulnerability enables the modification of file permissions and ownership on already-open files, even when explicit write access is denied. Such a bypass could lead to unauthorized changes to system files.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Node.js: Permission bypass allows unauthorized modification of file permissions and ownership via incomplete security fix.",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-21716"
},
{
"category": "external",
"summary": "RHBZ#2453157",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453157"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-21716",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-21716"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-21716",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21716"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"
}
],
"release_date": "2026-03-30T19:07:28.538000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-02T08:24:03+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6431"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "nodejs: Node.js: Permission bypass allows unauthorized modification of file permissions and ownership via incomplete security fix."
},
{
"cve": "CVE-2026-21717",
"cwe": {
"id": "CWE-328",
"name": "Use of Weak Hash"
},
"discovery_date": "2026-03-30T20:02:10.986695+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2453162"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in V8\u0027s string hashing mechanism within Node.js. A remote attacker can exploit this vulnerability by crafting requests containing integer-like strings. These specially crafted strings cause predictable hash collisions in V8\u0027s internal string table, particularly when processed by functions like JSON.parse() on attacker-controlled input. This can significantly degrade the performance of the Node.js process, leading to a Denial of Service (DoS) condition.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: v8: Node.js: Denial of Service via V8 string hashing mechanism due to predictable hash collisions",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-21717"
},
{
"category": "external",
"summary": "RHBZ#2453162",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453162"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-21717",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-21717"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-21717",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21717"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"
}
],
"release_date": "2026-03-30T19:07:28.415000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-02T08:24:03+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6431"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: v8: Node.js: Denial of Service via V8 string hashing mechanism due to predictable hash collisions"
}
]
}
RHSA-2026:7378
Vulnerability from csaf_redhat - Published: 2026-04-10 13:03 - Updated: 2026-05-04 08:48Summary
Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update
Severity
Important
Notes
Topic: An update for Red Hat Hardened Images RPMs is now available.
Details: This update includes the following RPMs:
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write.
7.1 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A memory exposure flaw has been discovered in Node.js. A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption.
7.1 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A file access flaw has been discovered in NodeJS. A file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs.
5.3 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A resource consumption flaw has been discovered in NodeJS. A memory leak in Node.js’s OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. When applications call `socket.getPeerCertificate(true)`, each certificate field leaks memory, allowing remote clients to trigger steady memory growth through repeated TLS connections. Over time this can lead to resource exhaustion and denial of service.
6.5 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Lodash. An attacker can exploit a prototype pollution vulnerability in the `_.unset` and `_.omit` functions by bypassing a security check. This bypass is achieved by providing array-wrapped path segments, which allows for the deletion of properties from built-in JavaScript prototypes such as `Object.prototype`. This could lead to unexpected application behavior or denial of service.
6.5 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
References
31 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for Red Hat Hardened Images RPMs is now available.",
"title": "Topic"
},
{
"category": "general",
"text": "This update includes the following RPMs:",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:7378",
"url": "https://access.redhat.com/errata/RHSA-2026:7378"
},
{
"category": "external",
"summary": "https://images.redhat.com/",
"url": "https://images.redhat.com/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-59464",
"url": "https://access.redhat.com/security/cve/CVE-2025-59464"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-55132",
"url": "https://access.redhat.com/security/cve/CVE-2025-55132"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-55131",
"url": "https://access.redhat.com/security/cve/CVE-2025-55131"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-55130",
"url": "https://access.redhat.com/security/cve/CVE-2025-55130"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-2950",
"url": "https://access.redhat.com/security/cve/CVE-2026-2950"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_7378.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update",
"tracking": {
"current_release_date": "2026-05-04T08:48:53+00:00",
"generator": {
"date": "2026-05-04T08:48:53+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.7"
}
},
"id": "RHSA-2026:7378",
"initial_release_date": "2026-04-10T13:03:00+00:00",
"revision_history": [
{
"date": "2026-04-10T13:03:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-05-04T07:58:18+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-04T08:48:53+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Hardened Images",
"product": {
"name": "Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:hummingbird:1"
}
}
}
],
"category": "product_family",
"name": "Red Hat Hardened Images"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs25-main@aarch64",
"product": {
"name": "nodejs25-main@aarch64",
"product_id": "nodejs25-main@aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs25@25.9.0-1.1.hum1?arch=aarch64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-aarch64-rpms"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs25-main@src",
"product": {
"name": "nodejs25-main@src",
"product_id": "nodejs25-main@src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs25@25.9.0-1.1.hum1?arch=src\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-source-rpms"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs25-main@x86_64",
"product": {
"name": "nodejs25-main@x86_64",
"product_id": "nodejs25-main@x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs25@25.9.0-1.1.hum1?arch=x86_64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs25-main@noarch",
"product": {
"name": "nodejs25-main@noarch",
"product_id": "nodejs25-main@noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs25-bin@25.9.0-1.1.hum1?arch=noarch\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs25-main@aarch64 as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:nodejs25-main@aarch64"
},
"product_reference": "nodejs25-main@aarch64",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs25-main@noarch as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:nodejs25-main@noarch"
},
"product_reference": "nodejs25-main@noarch",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs25-main@src as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:nodejs25-main@src"
},
"product_reference": "nodejs25-main@src",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs25-main@x86_64 as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:nodejs25-main@x86_64"
},
"product_reference": "nodejs25-main@x86_64",
"relates_to_product_reference": "Red Hat Hardened Images"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-55130",
"cwe": {
"id": "CWE-281",
"name": "Improper Preservation of Permissions"
},
"discovery_date": "2026-01-20T21:03:01.083023+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431352"
}
],
"notes": [
{
"category": "description",
"text": "A flaw in Node.js\u2019s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs file permissions bypass",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-55130"
},
{
"category": "external",
"summary": "RHBZ#2431352",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431352"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-55130",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55130"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-55130",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55130"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.393000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-10T13:03:00+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7378"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "nodejs: Nodejs file permissions bypass"
},
{
"cve": "CVE-2025-55131",
"cwe": {
"id": "CWE-497",
"name": "Exposure of Sensitive System Information to an Unauthorized Control Sphere"
},
"discovery_date": "2026-01-20T21:02:45.759578+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431350"
}
],
"notes": [
{
"category": "description",
"text": "A memory exposure flaw has been discovered in Node.js. A flaw in Node.js\u0027s buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs uninitialized memory exposure",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-55131"
},
{
"category": "external",
"summary": "RHBZ#2431350",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431350"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-55131",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55131"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-55131",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55131"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.591000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-10T13:03:00+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7378"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "nodejs: Nodejs uninitialized memory exposure"
},
{
"cve": "CVE-2025-55132",
"cwe": {
"id": "CWE-281",
"name": "Improper Preservation of Permissions"
},
"discovery_date": "2026-01-20T21:01:12.192484+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431338"
}
],
"notes": [
{
"category": "description",
"text": "A file access flaw has been discovered in NodeJS. A file\u0027s access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs filesystem permissions bypass",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-55132"
},
{
"category": "external",
"summary": "RHBZ#2431338",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431338"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-55132",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55132"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-55132",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55132"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.620000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-10T13:03:00+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7378"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
},
"products": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Nodejs filesystem permissions bypass"
},
{
"cve": "CVE-2025-59464",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-01-20T21:01:52.581156+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431344"
}
],
"notes": [
{
"category": "description",
"text": "A resource consumption flaw has been discovered in NodeJS. A memory leak in Node.js\u2019s OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. When applications call `socket.getPeerCertificate(true)`, each certificate field leaks memory, allowing remote clients to trigger steady memory growth through repeated TLS connections. Over time this can lead to resource exhaustion and denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs memory leak",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-59464"
},
{
"category": "external",
"summary": "RHBZ#2431344",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431344"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-59464",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-59464"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-59464",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59464"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.599000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-10T13:03:00+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7378"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Nodejs memory leak"
},
{
"cve": "CVE-2026-2950",
"cwe": {
"id": "CWE-915",
"name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
},
"discovery_date": "2026-03-31T20:01:38.424064+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2453499"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Lodash. An attacker can exploit a prototype pollution vulnerability in the `_.unset` and `_.omit` functions by bypassing a security check. This bypass is achieved by providing array-wrapped path segments, which allows for the deletion of properties from built-in JavaScript prototypes such as `Object.prototype`. This could lead to unexpected application behavior or denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "lodash: Lodash: Prototype pollution allows deletion of built-in prototype properties via array path bypass",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-2950"
},
{
"category": "external",
"summary": "RHBZ#2453499",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453499"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-2950",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-2950"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-2950",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2950"
},
{
"category": "external",
"summary": "https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg",
"url": "https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg"
}
],
"release_date": "2026-03-31T19:18:35.796000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-10T13:03:00+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7378"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "lodash: Lodash: Prototype pollution allows deletion of built-in prototype properties via array path bypass"
}
]
}
RHSA-2026:7386
Vulnerability from csaf_redhat - Published: 2026-04-10 14:47 - Updated: 2026-04-20 21:32Summary
Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update
Severity
Important
Notes
Topic: An update for Red Hat Hardened Images RPMs is now available.
Details: This update includes the following RPMs:
nodejs20:
* nodejs20-20.20.0-7.1.hum1 (aarch64, x86_64)
* nodejs20-bin-20.20.0-7.1.hum1 (noarch)
* nodejs20-devel-20.20.0-7.1.hum1 (aarch64, x86_64)
* nodejs20-docs-20.20.0-7.1.hum1 (noarch)
* nodejs20-full-i18n-20.20.0-7.1.hum1 (aarch64, x86_64)
* nodejs20-libs-20.20.0-7.1.hum1 (aarch64, x86_64)
* nodejs20-npm-10.8.2-1.20.20.0.7.1.hum1 (noarch)
* nodejs20-npm-bin-20.20.0-7.1.hum1 (noarch)
* v8-11.3-devel-11.3.244.8-1.20.20.0.7.1.hum1 (aarch64, x86_64)
* nodejs20-20.20.0-7.1.hum1.src (src)
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write.
7.1 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A memory exposure flaw has been discovered in Node.js. A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption.
7.1 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A file access flaw has been discovered in NodeJS. A file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs.
5.3 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A resource consumption flaw has been discovered in NodeJS. A memory leak in Node.js’s OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. When applications call `socket.getPeerCertificate(true)`, each certificate field leaks memory, allowing remote clients to trigger steady memory growth through repeated TLS connections. Over time this can lead to resource exhaustion and denial of service.
6.5 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A denial of service flaw has been discovered in NodeJS. A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets
7.5 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A stack overflow flaw has been discovered in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on('uncaughtException')`, the process terminates, making the crash unrecoverable. Applications that rely on `AsyncLocalStorage` (v22, v20) or `async_hooks.createHook()` (v24, v22, v20) become vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions.
5.9 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw in Node.js's permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when `--permission` is enabled. Even without `--allow-net`, attacker-controlled inputs (such as URLs or socketPath options) can connect to arbitrary local sockets via net, tls, or undici/fetch. This breaks the intended security boundary of the permission model and enables access to privileged local services, potentially leading to privilege escalation, data exposure, or local code execution.
5.8 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across Node.js versions where these callbacks throw without being safely wrapped.
5.9 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Node.js. An incomplete security fix allows code operating under restricted file system write permissions to bypass these limitations. This vulnerability enables the modification of file permissions and ownership on already-open files, even when explicit write access is denied. Such a bypass could lead to unauthorized changes to system files.
CWE-279 - Incorrect Execution-Assigned PermissionsAffected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Low
A flaw was found in V8's string hashing mechanism within Node.js. A remote attacker can exploit this vulnerability by crafting requests containing integer-like strings. These specially crafted strings cause predictable hash collisions in V8's internal string table, particularly when processed by functions like JSON.parse() on attacker-controlled input. This can significantly degrade the performance of the Node.js process, leading to a Denial of Service (DoS) condition.
5.9 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
References
56 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for Red Hat Hardened Images RPMs is now available.",
"title": "Topic"
},
{
"category": "general",
"text": "This update includes the following RPMs:\n\nnodejs20:\n * nodejs20-20.20.0-7.1.hum1 (aarch64, x86_64)\n * nodejs20-bin-20.20.0-7.1.hum1 (noarch)\n * nodejs20-devel-20.20.0-7.1.hum1 (aarch64, x86_64)\n * nodejs20-docs-20.20.0-7.1.hum1 (noarch)\n * nodejs20-full-i18n-20.20.0-7.1.hum1 (aarch64, x86_64)\n * nodejs20-libs-20.20.0-7.1.hum1 (aarch64, x86_64)\n * nodejs20-npm-10.8.2-1.20.20.0.7.1.hum1 (noarch)\n * nodejs20-npm-bin-20.20.0-7.1.hum1 (noarch)\n * v8-11.3-devel-11.3.244.8-1.20.20.0.7.1.hum1 (aarch64, x86_64)\n * nodejs20-20.20.0-7.1.hum1.src (src)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:7386",
"url": "https://access.redhat.com/errata/RHSA-2026:7386"
},
{
"category": "external",
"summary": "https://images.redhat.com/",
"url": "https://images.redhat.com/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-21637",
"url": "https://access.redhat.com/security/cve/CVE-2026-21637"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-21636",
"url": "https://access.redhat.com/security/cve/CVE-2026-21636"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-59466",
"url": "https://access.redhat.com/security/cve/CVE-2025-59466"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-59465",
"url": "https://access.redhat.com/security/cve/CVE-2025-59465"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-59464",
"url": "https://access.redhat.com/security/cve/CVE-2025-59464"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-55132",
"url": "https://access.redhat.com/security/cve/CVE-2025-55132"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-55131",
"url": "https://access.redhat.com/security/cve/CVE-2025-55131"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-55130",
"url": "https://access.redhat.com/security/cve/CVE-2025-55130"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-21717",
"url": "https://access.redhat.com/security/cve/CVE-2026-21717"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-21716",
"url": "https://access.redhat.com/security/cve/CVE-2026-21716"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_7386.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update",
"tracking": {
"current_release_date": "2026-04-20T21:32:46+00:00",
"generator": {
"date": "2026-04-20T21:32:46+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.5"
}
},
"id": "RHSA-2026:7386",
"initial_release_date": "2026-04-10T14:47:42+00:00",
"revision_history": [
{
"date": "2026-04-10T14:47:42+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-04-20T11:28:19+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-04-20T21:32:46+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Hardened Images",
"product": {
"name": "Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:hummingbird:1"
}
}
}
],
"category": "product_family",
"name": "Red Hat Hardened Images"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs20-main@aarch64",
"product": {
"name": "nodejs20-main@aarch64",
"product_id": "nodejs20-main@aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs20@20.20.0-7.1.hum1?arch=aarch64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-aarch64-rpms"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs20-main@src",
"product": {
"name": "nodejs20-main@src",
"product_id": "nodejs20-main@src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs20@20.20.0-7.1.hum1?arch=src\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-source-rpms"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs20-main@x86_64",
"product": {
"name": "nodejs20-main@x86_64",
"product_id": "nodejs20-main@x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs20@20.20.0-7.1.hum1?arch=x86_64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs20-main@noarch",
"product": {
"name": "nodejs20-main@noarch",
"product_id": "nodejs20-main@noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs20-bin@20.20.0-7.1.hum1?arch=noarch\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs20-main@aarch64 as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:nodejs20-main@aarch64"
},
"product_reference": "nodejs20-main@aarch64",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs20-main@noarch as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:nodejs20-main@noarch"
},
"product_reference": "nodejs20-main@noarch",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs20-main@src as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:nodejs20-main@src"
},
"product_reference": "nodejs20-main@src",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs20-main@x86_64 as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:nodejs20-main@x86_64"
},
"product_reference": "nodejs20-main@x86_64",
"relates_to_product_reference": "Red Hat Hardened Images"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-55130",
"cwe": {
"id": "CWE-281",
"name": "Improper Preservation of Permissions"
},
"discovery_date": "2026-01-20T21:03:01.083023+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431352"
}
],
"notes": [
{
"category": "description",
"text": "A flaw in Node.js\u2019s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs file permissions bypass",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-55130"
},
{
"category": "external",
"summary": "RHBZ#2431352",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431352"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-55130",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55130"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-55130",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55130"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.393000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-10T14:47:42+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7386"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "nodejs: Nodejs file permissions bypass"
},
{
"cve": "CVE-2025-55131",
"cwe": {
"id": "CWE-497",
"name": "Exposure of Sensitive System Information to an Unauthorized Control Sphere"
},
"discovery_date": "2026-01-20T21:02:45.759578+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431350"
}
],
"notes": [
{
"category": "description",
"text": "A memory exposure flaw has been discovered in Node.js. A flaw in Node.js\u0027s buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs uninitialized memory exposure",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-55131"
},
{
"category": "external",
"summary": "RHBZ#2431350",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431350"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-55131",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55131"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-55131",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55131"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.591000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-10T14:47:42+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7386"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "nodejs: Nodejs uninitialized memory exposure"
},
{
"cve": "CVE-2025-55132",
"cwe": {
"id": "CWE-281",
"name": "Improper Preservation of Permissions"
},
"discovery_date": "2026-01-20T21:01:12.192484+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431338"
}
],
"notes": [
{
"category": "description",
"text": "A file access flaw has been discovered in NodeJS. A file\u0027s access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs filesystem permissions bypass",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-55132"
},
{
"category": "external",
"summary": "RHBZ#2431338",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431338"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-55132",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55132"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-55132",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55132"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.620000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-10T14:47:42+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7386"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
},
"products": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Nodejs filesystem permissions bypass"
},
{
"cve": "CVE-2025-59464",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-01-20T21:01:52.581156+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431344"
}
],
"notes": [
{
"category": "description",
"text": "A resource consumption flaw has been discovered in NodeJS. A memory leak in Node.js\u2019s OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. When applications call `socket.getPeerCertificate(true)`, each certificate field leaks memory, allowing remote clients to trigger steady memory growth through repeated TLS connections. Over time this can lead to resource exhaustion and denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs memory leak",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-59464"
},
{
"category": "external",
"summary": "RHBZ#2431344",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431344"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-59464",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-59464"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-59464",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59464"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.599000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-10T14:47:42+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7386"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Nodejs memory leak"
},
{
"cve": "CVE-2025-59465",
"cwe": {
"id": "CWE-248",
"name": "Uncaught Exception"
},
"discovery_date": "2026-01-20T21:02:37.799525+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431349"
}
],
"notes": [
{
"category": "description",
"text": "A denial of service flaw has been discovered in NodeJS. A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs denial of service",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-59465"
},
{
"category": "external",
"summary": "RHBZ#2431349",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431349"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-59465",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-59465"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-59465",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59465"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.317000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-10T14:47:42+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7386"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "nodejs: Nodejs denial of service"
},
{
"cve": "CVE-2025-59466",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-01-20T21:01:46.025710+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431343"
}
],
"notes": [
{
"category": "description",
"text": "A stack overflow flaw has been discovered in Node.js error handling where \"Maximum call stack size exceeded\" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on(\u0027uncaughtException\u0027)`, the process terminates, making the crash unrecoverable. Applications that rely on `AsyncLocalStorage` (v22, v20) or `async_hooks.createHook()` (v24, v22, v20) become vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs denial of service",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This flaw requires that the experimental Async hook feature is enabled for use in NodeJS. This feature is not enabled by default on Red Hat systems.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-59466"
},
{
"category": "external",
"summary": "RHBZ#2431343",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431343"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-59466",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-59466"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-59466",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59466"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.628000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-10T14:47:42+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7386"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Nodejs denial of service"
},
{
"cve": "CVE-2026-21636",
"cwe": {
"id": "CWE-281",
"name": "Improper Preservation of Permissions"
},
"discovery_date": "2026-01-20T21:01:41.174266+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431342"
}
],
"notes": [
{
"category": "description",
"text": "A flaw in Node.js\u0027s permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when `--permission` is enabled. Even without `--allow-net`, attacker-controlled inputs (such as URLs or socketPath options) can connect to arbitrary local sockets via net, tls, or undici/fetch. This breaks the intended security boundary of the permission model and enables access to privileged local services, potentially leading to privilege escalation, data exposure, or local code execution.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs network segmentation bypass",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-21636"
},
{
"category": "external",
"summary": "RHBZ#2431342",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431342"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-21636",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-21636"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-21636",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21636"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.700000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-10T14:47:42+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7386"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Nodejs network segmentation bypass"
},
{
"cve": "CVE-2026-21637",
"cwe": {
"id": "CWE-248",
"name": "Uncaught Exception"
},
"discovery_date": "2026-01-20T21:01:26.738343+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431340"
}
],
"notes": [
{
"category": "description",
"text": "A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across Node.js versions where these callbacks throw without being safely wrapped.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs denial of service",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Systems configured according to Red Hat guidelines should have their services set to restart in the event of a process crash. This Host system service management mitigates the availability impact to Red Hat customers.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-21637"
},
{
"category": "external",
"summary": "RHBZ#2431340",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431340"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-21637",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-21637"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-21637",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21637"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.352000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-10T14:47:42+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7386"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Nodejs denial of service"
},
{
"cve": "CVE-2026-21716",
"cwe": {
"id": "CWE-279",
"name": "Incorrect Execution-Assigned Permissions"
},
"discovery_date": "2026-03-30T20:01:51.136802+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2453157"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Node.js. An incomplete security fix allows code operating under restricted file system write permissions to bypass these limitations. This vulnerability enables the modification of file permissions and ownership on already-open files, even when explicit write access is denied. Such a bypass could lead to unauthorized changes to system files.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Node.js: Permission bypass allows unauthorized modification of file permissions and ownership via incomplete security fix.",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-21716"
},
{
"category": "external",
"summary": "RHBZ#2453157",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453157"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-21716",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-21716"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-21716",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21716"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"
}
],
"release_date": "2026-03-30T19:07:28.538000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-10T14:47:42+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7386"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "nodejs: Node.js: Permission bypass allows unauthorized modification of file permissions and ownership via incomplete security fix."
},
{
"cve": "CVE-2026-21717",
"cwe": {
"id": "CWE-328",
"name": "Use of Weak Hash"
},
"discovery_date": "2026-03-30T20:02:10.986695+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2453162"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in V8\u0027s string hashing mechanism within Node.js. A remote attacker can exploit this vulnerability by crafting requests containing integer-like strings. These specially crafted strings cause predictable hash collisions in V8\u0027s internal string table, particularly when processed by functions like JSON.parse() on attacker-controlled input. This can significantly degrade the performance of the Node.js process, leading to a Denial of Service (DoS) condition.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: v8: Node.js: Denial of Service via V8 string hashing mechanism due to predictable hash collisions",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-21717"
},
{
"category": "external",
"summary": "RHBZ#2453162",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453162"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-21717",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-21717"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-21717",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21717"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"
}
],
"release_date": "2026-03-30T19:07:28.415000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-10T14:47:42+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7386"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: v8: Node.js: Denial of Service via V8 string hashing mechanism due to predictable hash collisions"
}
]
}
RHSA-2026:7387
Vulnerability from csaf_redhat - Published: 2026-04-10 16:03 - Updated: 2026-04-20 21:34Summary
Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update
Severity
Important
Notes
Topic: An update for Red Hat Hardened Images RPMs is now available.
Details: This update includes the following RPMs:
nodejs22:
* nodejs22-22.22.0-1.3.hum1 (aarch64, x86_64)
* nodejs22-bin-22.22.0-1.3.hum1 (noarch)
* nodejs22-devel-22.22.0-1.3.hum1 (aarch64, x86_64)
* nodejs22-docs-22.22.0-1.3.hum1 (noarch)
* nodejs22-full-i18n-22.22.0-1.3.hum1 (aarch64, x86_64)
* nodejs22-libs-22.22.0-1.3.hum1 (aarch64, x86_64)
* nodejs22-npm-10.9.4-1.22.22.0.1.3.hum1 (noarch)
* nodejs22-npm-bin-22.22.0-1.3.hum1 (noarch)
* v8-12.4-devel-12.4.254.21-1.22.22.0.1.3.hum1 (aarch64, x86_64)
* nodejs22-22.22.0-1.3.hum1.src (src)
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write.
7.1 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A memory exposure flaw has been discovered in Node.js. A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption.
7.1 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A file access flaw has been discovered in NodeJS. A file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs.
5.3 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A resource consumption flaw has been discovered in NodeJS. A memory leak in Node.js’s OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. When applications call `socket.getPeerCertificate(true)`, each certificate field leaks memory, allowing remote clients to trigger steady memory growth through repeated TLS connections. Over time this can lead to resource exhaustion and denial of service.
6.5 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A denial of service flaw has been discovered in NodeJS. A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets
7.5 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A stack overflow flaw has been discovered in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on('uncaughtException')`, the process terminates, making the crash unrecoverable. Applications that rely on `AsyncLocalStorage` (v22, v20) or `async_hooks.createHook()` (v24, v22, v20) become vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions.
5.9 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw in Node.js's permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when `--permission` is enabled. Even without `--allow-net`, attacker-controlled inputs (such as URLs or socketPath options) can connect to arbitrary local sockets via net, tls, or undici/fetch. This breaks the intended security boundary of the permission model and enables access to privileged local services, potentially leading to privilege escalation, data exposure, or local code execution.
5.8 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across Node.js versions where these callbacks throw without being safely wrapped.
5.9 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Node.js. An incomplete security fix allows code operating under restricted file system write permissions to bypass these limitations. This vulnerability enables the modification of file permissions and ownership on already-open files, even when explicit write access is denied. Such a bypass could lead to unauthorized changes to system files.
CWE-279 - Incorrect Execution-Assigned PermissionsAffected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Low
A flaw was found in V8's string hashing mechanism within Node.js. A remote attacker can exploit this vulnerability by crafting requests containing integer-like strings. These specially crafted strings cause predictable hash collisions in V8's internal string table, particularly when processed by functions like JSON.parse() on attacker-controlled input. This can significantly degrade the performance of the Node.js process, leading to a Denial of Service (DoS) condition.
5.9 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
References
56 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for Red Hat Hardened Images RPMs is now available.",
"title": "Topic"
},
{
"category": "general",
"text": "This update includes the following RPMs:\n\nnodejs22:\n * nodejs22-22.22.0-1.3.hum1 (aarch64, x86_64)\n * nodejs22-bin-22.22.0-1.3.hum1 (noarch)\n * nodejs22-devel-22.22.0-1.3.hum1 (aarch64, x86_64)\n * nodejs22-docs-22.22.0-1.3.hum1 (noarch)\n * nodejs22-full-i18n-22.22.0-1.3.hum1 (aarch64, x86_64)\n * nodejs22-libs-22.22.0-1.3.hum1 (aarch64, x86_64)\n * nodejs22-npm-10.9.4-1.22.22.0.1.3.hum1 (noarch)\n * nodejs22-npm-bin-22.22.0-1.3.hum1 (noarch)\n * v8-12.4-devel-12.4.254.21-1.22.22.0.1.3.hum1 (aarch64, x86_64)\n * nodejs22-22.22.0-1.3.hum1.src (src)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:7387",
"url": "https://access.redhat.com/errata/RHSA-2026:7387"
},
{
"category": "external",
"summary": "https://images.redhat.com/",
"url": "https://images.redhat.com/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-21637",
"url": "https://access.redhat.com/security/cve/CVE-2026-21637"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-21636",
"url": "https://access.redhat.com/security/cve/CVE-2026-21636"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-59466",
"url": "https://access.redhat.com/security/cve/CVE-2025-59466"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-59465",
"url": "https://access.redhat.com/security/cve/CVE-2025-59465"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-59464",
"url": "https://access.redhat.com/security/cve/CVE-2025-59464"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-55132",
"url": "https://access.redhat.com/security/cve/CVE-2025-55132"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-55131",
"url": "https://access.redhat.com/security/cve/CVE-2025-55131"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-55130",
"url": "https://access.redhat.com/security/cve/CVE-2025-55130"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-21717",
"url": "https://access.redhat.com/security/cve/CVE-2026-21717"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-21716",
"url": "https://access.redhat.com/security/cve/CVE-2026-21716"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_7387.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update",
"tracking": {
"current_release_date": "2026-04-20T21:34:14+00:00",
"generator": {
"date": "2026-04-20T21:34:14+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.5"
}
},
"id": "RHSA-2026:7387",
"initial_release_date": "2026-04-10T16:03:53+00:00",
"revision_history": [
{
"date": "2026-04-10T16:03:53+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-04-20T11:28:21+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-04-20T21:34:14+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Hardened Images",
"product": {
"name": "Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:hummingbird:1"
}
}
}
],
"category": "product_family",
"name": "Red Hat Hardened Images"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs22-main@aarch64",
"product": {
"name": "nodejs22-main@aarch64",
"product_id": "nodejs22-main@aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs22@22.22.0-1.3.hum1?arch=aarch64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-aarch64-rpms"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs22-main@src",
"product": {
"name": "nodejs22-main@src",
"product_id": "nodejs22-main@src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs22@22.22.0-1.3.hum1?arch=src\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-source-rpms"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs22-main@x86_64",
"product": {
"name": "nodejs22-main@x86_64",
"product_id": "nodejs22-main@x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs22@22.22.0-1.3.hum1?arch=x86_64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs22-main@noarch",
"product": {
"name": "nodejs22-main@noarch",
"product_id": "nodejs22-main@noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs22-bin@22.22.0-1.3.hum1?arch=noarch\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs22-main@aarch64 as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:nodejs22-main@aarch64"
},
"product_reference": "nodejs22-main@aarch64",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs22-main@noarch as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:nodejs22-main@noarch"
},
"product_reference": "nodejs22-main@noarch",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs22-main@src as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:nodejs22-main@src"
},
"product_reference": "nodejs22-main@src",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs22-main@x86_64 as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:nodejs22-main@x86_64"
},
"product_reference": "nodejs22-main@x86_64",
"relates_to_product_reference": "Red Hat Hardened Images"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-55130",
"cwe": {
"id": "CWE-281",
"name": "Improper Preservation of Permissions"
},
"discovery_date": "2026-01-20T21:03:01.083023+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431352"
}
],
"notes": [
{
"category": "description",
"text": "A flaw in Node.js\u2019s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs file permissions bypass",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-55130"
},
{
"category": "external",
"summary": "RHBZ#2431352",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431352"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-55130",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55130"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-55130",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55130"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.393000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-10T16:03:53+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7387"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "nodejs: Nodejs file permissions bypass"
},
{
"cve": "CVE-2025-55131",
"cwe": {
"id": "CWE-497",
"name": "Exposure of Sensitive System Information to an Unauthorized Control Sphere"
},
"discovery_date": "2026-01-20T21:02:45.759578+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431350"
}
],
"notes": [
{
"category": "description",
"text": "A memory exposure flaw has been discovered in Node.js. A flaw in Node.js\u0027s buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs uninitialized memory exposure",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-55131"
},
{
"category": "external",
"summary": "RHBZ#2431350",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431350"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-55131",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55131"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-55131",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55131"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.591000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-10T16:03:53+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7387"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "nodejs: Nodejs uninitialized memory exposure"
},
{
"cve": "CVE-2025-55132",
"cwe": {
"id": "CWE-281",
"name": "Improper Preservation of Permissions"
},
"discovery_date": "2026-01-20T21:01:12.192484+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431338"
}
],
"notes": [
{
"category": "description",
"text": "A file access flaw has been discovered in NodeJS. A file\u0027s access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs filesystem permissions bypass",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-55132"
},
{
"category": "external",
"summary": "RHBZ#2431338",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431338"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-55132",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55132"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-55132",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55132"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.620000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-10T16:03:53+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7387"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
},
"products": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Nodejs filesystem permissions bypass"
},
{
"cve": "CVE-2025-59464",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-01-20T21:01:52.581156+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431344"
}
],
"notes": [
{
"category": "description",
"text": "A resource consumption flaw has been discovered in NodeJS. A memory leak in Node.js\u2019s OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. When applications call `socket.getPeerCertificate(true)`, each certificate field leaks memory, allowing remote clients to trigger steady memory growth through repeated TLS connections. Over time this can lead to resource exhaustion and denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs memory leak",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-59464"
},
{
"category": "external",
"summary": "RHBZ#2431344",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431344"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-59464",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-59464"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-59464",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59464"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.599000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-10T16:03:53+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7387"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Nodejs memory leak"
},
{
"cve": "CVE-2025-59465",
"cwe": {
"id": "CWE-248",
"name": "Uncaught Exception"
},
"discovery_date": "2026-01-20T21:02:37.799525+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431349"
}
],
"notes": [
{
"category": "description",
"text": "A denial of service flaw has been discovered in NodeJS. A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs denial of service",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-59465"
},
{
"category": "external",
"summary": "RHBZ#2431349",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431349"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-59465",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-59465"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-59465",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59465"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.317000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-10T16:03:53+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7387"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "nodejs: Nodejs denial of service"
},
{
"cve": "CVE-2025-59466",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-01-20T21:01:46.025710+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431343"
}
],
"notes": [
{
"category": "description",
"text": "A stack overflow flaw has been discovered in Node.js error handling where \"Maximum call stack size exceeded\" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on(\u0027uncaughtException\u0027)`, the process terminates, making the crash unrecoverable. Applications that rely on `AsyncLocalStorage` (v22, v20) or `async_hooks.createHook()` (v24, v22, v20) become vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs denial of service",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This flaw requires that the experimental Async hook feature is enabled for use in NodeJS. This feature is not enabled by default on Red Hat systems.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-59466"
},
{
"category": "external",
"summary": "RHBZ#2431343",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431343"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-59466",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-59466"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-59466",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59466"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.628000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-10T16:03:53+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7387"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Nodejs denial of service"
},
{
"cve": "CVE-2026-21636",
"cwe": {
"id": "CWE-281",
"name": "Improper Preservation of Permissions"
},
"discovery_date": "2026-01-20T21:01:41.174266+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431342"
}
],
"notes": [
{
"category": "description",
"text": "A flaw in Node.js\u0027s permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when `--permission` is enabled. Even without `--allow-net`, attacker-controlled inputs (such as URLs or socketPath options) can connect to arbitrary local sockets via net, tls, or undici/fetch. This breaks the intended security boundary of the permission model and enables access to privileged local services, potentially leading to privilege escalation, data exposure, or local code execution.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs network segmentation bypass",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-21636"
},
{
"category": "external",
"summary": "RHBZ#2431342",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431342"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-21636",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-21636"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-21636",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21636"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.700000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-10T16:03:53+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7387"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Nodejs network segmentation bypass"
},
{
"cve": "CVE-2026-21637",
"cwe": {
"id": "CWE-248",
"name": "Uncaught Exception"
},
"discovery_date": "2026-01-20T21:01:26.738343+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431340"
}
],
"notes": [
{
"category": "description",
"text": "A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across Node.js versions where these callbacks throw without being safely wrapped.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs denial of service",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Systems configured according to Red Hat guidelines should have their services set to restart in the event of a process crash. This Host system service management mitigates the availability impact to Red Hat customers.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-21637"
},
{
"category": "external",
"summary": "RHBZ#2431340",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431340"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-21637",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-21637"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-21637",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21637"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.352000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-10T16:03:53+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7387"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Nodejs denial of service"
},
{
"cve": "CVE-2026-21716",
"cwe": {
"id": "CWE-279",
"name": "Incorrect Execution-Assigned Permissions"
},
"discovery_date": "2026-03-30T20:01:51.136802+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2453157"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Node.js. An incomplete security fix allows code operating under restricted file system write permissions to bypass these limitations. This vulnerability enables the modification of file permissions and ownership on already-open files, even when explicit write access is denied. Such a bypass could lead to unauthorized changes to system files.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Node.js: Permission bypass allows unauthorized modification of file permissions and ownership via incomplete security fix.",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-21716"
},
{
"category": "external",
"summary": "RHBZ#2453157",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453157"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-21716",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-21716"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-21716",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21716"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"
}
],
"release_date": "2026-03-30T19:07:28.538000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-10T16:03:53+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7387"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "nodejs: Node.js: Permission bypass allows unauthorized modification of file permissions and ownership via incomplete security fix."
},
{
"cve": "CVE-2026-21717",
"cwe": {
"id": "CWE-328",
"name": "Use of Weak Hash"
},
"discovery_date": "2026-03-30T20:02:10.986695+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2453162"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in V8\u0027s string hashing mechanism within Node.js. A remote attacker can exploit this vulnerability by crafting requests containing integer-like strings. These specially crafted strings cause predictable hash collisions in V8\u0027s internal string table, particularly when processed by functions like JSON.parse() on attacker-controlled input. This can significantly degrade the performance of the Node.js process, leading to a Denial of Service (DoS) condition.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: v8: Node.js: Denial of Service via V8 string hashing mechanism due to predictable hash collisions",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-21717"
},
{
"category": "external",
"summary": "RHBZ#2453162",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453162"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-21717",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-21717"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-21717",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21717"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"
}
],
"release_date": "2026-03-30T19:07:28.415000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-10T16:03:53+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7387"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: v8: Node.js: Denial of Service via V8 string hashing mechanism due to predictable hash collisions"
}
]
}
RHSA-2026:7657
Vulnerability from csaf_redhat - Published: 2026-04-11 01:51 - Updated: 2026-04-20 21:34Summary
Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update
Severity
Important
Notes
Topic: An update for Red Hat Hardened Images RPMs is now available.
Details: This update includes the following RPMs:
nodejs24:
* nodejs24-24.14.1-4.1.hum1 (aarch64, x86_64)
* nodejs24-bin-24.14.1-4.1.hum1 (noarch)
* nodejs24-devel-24.14.1-4.1.hum1 (aarch64, x86_64)
* nodejs24-docs-24.14.1-4.1.hum1 (noarch)
* nodejs24-full-i18n-24.14.1-4.1.hum1 (aarch64, x86_64)
* nodejs24-libs-24.14.1-4.1.hum1 (aarch64, x86_64)
* nodejs24-npm-11.11.0-1.24.14.1.4.1.hum1 (noarch)
* nodejs24-npm-bin-24.14.1-4.1.hum1 (noarch)
* v8-13.6-devel-13.6.233.17-1.24.14.1.4.1.hum1 (aarch64, x86_64)
* nodejs24-24.14.1-4.1.hum1.src (src)
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write.
7.1 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A memory exposure flaw has been discovered in Node.js. A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption.
7.1 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A file access flaw has been discovered in NodeJS. A file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs.
5.3 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A resource consumption flaw has been discovered in NodeJS. A memory leak in Node.js’s OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. When applications call `socket.getPeerCertificate(true)`, each certificate field leaks memory, allowing remote clients to trigger steady memory growth through repeated TLS connections. Over time this can lead to resource exhaustion and denial of service.
6.5 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
References
25 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for Red Hat Hardened Images RPMs is now available.",
"title": "Topic"
},
{
"category": "general",
"text": "This update includes the following RPMs:\n\nnodejs24:\n * nodejs24-24.14.1-4.1.hum1 (aarch64, x86_64)\n * nodejs24-bin-24.14.1-4.1.hum1 (noarch)\n * nodejs24-devel-24.14.1-4.1.hum1 (aarch64, x86_64)\n * nodejs24-docs-24.14.1-4.1.hum1 (noarch)\n * nodejs24-full-i18n-24.14.1-4.1.hum1 (aarch64, x86_64)\n * nodejs24-libs-24.14.1-4.1.hum1 (aarch64, x86_64)\n * nodejs24-npm-11.11.0-1.24.14.1.4.1.hum1 (noarch)\n * nodejs24-npm-bin-24.14.1-4.1.hum1 (noarch)\n * v8-13.6-devel-13.6.233.17-1.24.14.1.4.1.hum1 (aarch64, x86_64)\n * nodejs24-24.14.1-4.1.hum1.src (src)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:7657",
"url": "https://access.redhat.com/errata/RHSA-2026:7657"
},
{
"category": "external",
"summary": "https://images.redhat.com/",
"url": "https://images.redhat.com/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-59464",
"url": "https://access.redhat.com/security/cve/CVE-2025-59464"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-55132",
"url": "https://access.redhat.com/security/cve/CVE-2025-55132"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-55131",
"url": "https://access.redhat.com/security/cve/CVE-2025-55131"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-55130",
"url": "https://access.redhat.com/security/cve/CVE-2025-55130"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_7657.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update",
"tracking": {
"current_release_date": "2026-04-20T21:34:15+00:00",
"generator": {
"date": "2026-04-20T21:34:15+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.5"
}
},
"id": "RHSA-2026:7657",
"initial_release_date": "2026-04-11T01:51:42+00:00",
"revision_history": [
{
"date": "2026-04-11T01:51:42+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-04-20T11:28:03+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-04-20T21:34:15+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Hardened Images",
"product": {
"name": "Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:hummingbird:1"
}
}
}
],
"category": "product_family",
"name": "Red Hat Hardened Images"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs24-main@aarch64",
"product": {
"name": "nodejs24-main@aarch64",
"product_id": "nodejs24-main@aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs24@24.14.1-4.1.hum1?arch=aarch64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-aarch64-rpms"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs24-main@src",
"product": {
"name": "nodejs24-main@src",
"product_id": "nodejs24-main@src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs24@24.14.1-4.1.hum1?arch=src\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-source-rpms"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs24-main@x86_64",
"product": {
"name": "nodejs24-main@x86_64",
"product_id": "nodejs24-main@x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs24@24.14.1-4.1.hum1?arch=x86_64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs24-main@noarch",
"product": {
"name": "nodejs24-main@noarch",
"product_id": "nodejs24-main@noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs24-bin@24.14.1-4.1.hum1?arch=noarch\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-main@aarch64 as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:nodejs24-main@aarch64"
},
"product_reference": "nodejs24-main@aarch64",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-main@noarch as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:nodejs24-main@noarch"
},
"product_reference": "nodejs24-main@noarch",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-main@src as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:nodejs24-main@src"
},
"product_reference": "nodejs24-main@src",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-main@x86_64 as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:nodejs24-main@x86_64"
},
"product_reference": "nodejs24-main@x86_64",
"relates_to_product_reference": "Red Hat Hardened Images"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-55130",
"cwe": {
"id": "CWE-281",
"name": "Improper Preservation of Permissions"
},
"discovery_date": "2026-01-20T21:03:01.083023+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431352"
}
],
"notes": [
{
"category": "description",
"text": "A flaw in Node.js\u2019s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs file permissions bypass",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-55130"
},
{
"category": "external",
"summary": "RHBZ#2431352",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431352"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-55130",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55130"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-55130",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55130"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.393000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-11T01:51:42+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7657"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "nodejs: Nodejs file permissions bypass"
},
{
"cve": "CVE-2025-55131",
"cwe": {
"id": "CWE-497",
"name": "Exposure of Sensitive System Information to an Unauthorized Control Sphere"
},
"discovery_date": "2026-01-20T21:02:45.759578+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431350"
}
],
"notes": [
{
"category": "description",
"text": "A memory exposure flaw has been discovered in Node.js. A flaw in Node.js\u0027s buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs uninitialized memory exposure",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-55131"
},
{
"category": "external",
"summary": "RHBZ#2431350",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431350"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-55131",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55131"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-55131",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55131"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.591000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-11T01:51:42+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7657"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "nodejs: Nodejs uninitialized memory exposure"
},
{
"cve": "CVE-2025-55132",
"cwe": {
"id": "CWE-281",
"name": "Improper Preservation of Permissions"
},
"discovery_date": "2026-01-20T21:01:12.192484+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431338"
}
],
"notes": [
{
"category": "description",
"text": "A file access flaw has been discovered in NodeJS. A file\u0027s access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs filesystem permissions bypass",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-55132"
},
{
"category": "external",
"summary": "RHBZ#2431338",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431338"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-55132",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55132"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-55132",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55132"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.620000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-11T01:51:42+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7657"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
},
"products": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Nodejs filesystem permissions bypass"
},
{
"cve": "CVE-2025-59464",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-01-20T21:01:52.581156+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431344"
}
],
"notes": [
{
"category": "description",
"text": "A resource consumption flaw has been discovered in NodeJS. A memory leak in Node.js\u2019s OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. When applications call `socket.getPeerCertificate(true)`, each certificate field leaks memory, allowing remote clients to trigger steady memory growth through repeated TLS connections. Over time this can lead to resource exhaustion and denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs memory leak",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-59464"
},
{
"category": "external",
"summary": "RHBZ#2431344",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431344"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-59464",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-59464"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-59464",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59464"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.599000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-11T01:51:42+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7657"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Nodejs memory leak"
}
]
}
SUSE-SU-2026:1299-1
Vulnerability from csaf_suse - Published: 2026-04-13 15:54 - Updated: 2026-04-13 15:54Summary
Security update for nodejs24
Severity
Important
Notes
Title of the patch: Security update for nodejs24
Description of the patch: This update for nodejs24 fixes the following issues:
- Update to 24.14.1
- CVE-2026-21637: synchronous exceptions thrown during certain callbacks bypass the standard TLS error handling paths and can cause a denial of service (bsc#1256576).
- CVE-2026-21710: uncaught TypeError exception can cause a denial of service (bsc#1260455).
- CVE-2026-21712: malformed URL format can lead to a crash (bsc#1260460).
- CVE-2026-21713: timing side-channel in HMAC verification via memcmp can lead to potential MAC forgery (bsc#1260463).
- CVE-2026-21714: WINDOW_UPDATE frames on stream 0 can lead to memory leak (bsc#1260480).
- CVE-2026-21715: permission model bypass in realpathSync.native can allow file existence disclosure (bsc#1260482).
- CVE-2026-21716: promise-based FileHandle methods can be used to modify file permissions and ownership (bsc#1260462).
- CVE-2026-21717: crafted request can lead to trivially predictable hash collisions (bsc#1260494).
Patchnames: SUSE-2026-1299,SUSE-SLE-Module-Web-Scripting-15-SP7-2026-1299
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
5.3 (Medium)
Affected products
Recommended
13 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
5.3 (Medium)
Affected products
Recommended
13 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
7.5 (High)
Affected products
Recommended
13 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
6.5 (Medium)
Affected products
Recommended
13 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
5.6 (Medium)
Affected products
Recommended
13 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
5.9 (Medium)
Affected products
Recommended
13 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
Affected products
Recommended
13 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
low
4.4 (Medium)
Affected products
Recommended
13 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
6.3 (Medium)
Affected products
Recommended
13 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
References
40 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for nodejs24",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for nodejs24 fixes the following issues:\n\n- Update to 24.14.1\n- CVE-2026-21637: synchronous exceptions thrown during certain callbacks bypass the standard TLS error handling paths and can cause a denial of service (bsc#1256576).\n- CVE-2026-21710: uncaught TypeError exception can cause a denial of service (bsc#1260455).\n- CVE-2026-21712: malformed URL format can lead to a crash (bsc#1260460).\n- CVE-2026-21713: timing side-channel in HMAC verification via memcmp can lead to potential MAC forgery (bsc#1260463).\n- CVE-2026-21714: WINDOW_UPDATE frames on stream 0 can lead to memory leak (bsc#1260480).\n- CVE-2026-21715: permission model bypass in realpathSync.native can allow file existence disclosure (bsc#1260482).\n- CVE-2026-21716: promise-based FileHandle methods can be used to modify file permissions and ownership (bsc#1260462).\n- CVE-2026-21717: crafted request can lead to trivially predictable hash collisions (bsc#1260494).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2026-1299,SUSE-SLE-Module-Web-Scripting-15-SP7-2026-1299",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_1299-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:1299-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20261299-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:1299-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2026-April/045503.html"
},
{
"category": "self",
"summary": "SUSE Bug 1256572",
"url": "https://bugzilla.suse.com/1256572"
},
{
"category": "self",
"summary": "SUSE Bug 1256576",
"url": "https://bugzilla.suse.com/1256576"
},
{
"category": "self",
"summary": "SUSE Bug 1260455",
"url": "https://bugzilla.suse.com/1260455"
},
{
"category": "self",
"summary": "SUSE Bug 1260460",
"url": "https://bugzilla.suse.com/1260460"
},
{
"category": "self",
"summary": "SUSE Bug 1260462",
"url": "https://bugzilla.suse.com/1260462"
},
{
"category": "self",
"summary": "SUSE Bug 1260463",
"url": "https://bugzilla.suse.com/1260463"
},
{
"category": "self",
"summary": "SUSE Bug 1260480",
"url": "https://bugzilla.suse.com/1260480"
},
{
"category": "self",
"summary": "SUSE Bug 1260482",
"url": "https://bugzilla.suse.com/1260482"
},
{
"category": "self",
"summary": "SUSE Bug 1260494",
"url": "https://bugzilla.suse.com/1260494"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-59464 page",
"url": "https://www.suse.com/security/cve/CVE-2025-59464/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-21637 page",
"url": "https://www.suse.com/security/cve/CVE-2026-21637/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-21710 page",
"url": "https://www.suse.com/security/cve/CVE-2026-21710/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-21712 page",
"url": "https://www.suse.com/security/cve/CVE-2026-21712/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-21713 page",
"url": "https://www.suse.com/security/cve/CVE-2026-21713/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-21714 page",
"url": "https://www.suse.com/security/cve/CVE-2026-21714/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-21715 page",
"url": "https://www.suse.com/security/cve/CVE-2026-21715/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-21716 page",
"url": "https://www.suse.com/security/cve/CVE-2026-21716/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-21717 page",
"url": "https://www.suse.com/security/cve/CVE-2026-21717/"
}
],
"title": "Security update for nodejs24",
"tracking": {
"current_release_date": "2026-04-13T15:54:45Z",
"generator": {
"date": "2026-04-13T15:54:45Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:1299-1",
"initial_release_date": "2026-04-13T15:54:45Z",
"revision_history": [
{
"date": "2026-04-13T15:54:45Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "corepack24-24.14.1-150700.15.8.1.aarch64",
"product": {
"name": "corepack24-24.14.1-150700.15.8.1.aarch64",
"product_id": "corepack24-24.14.1-150700.15.8.1.aarch64"
}
},
{
"category": "product_version",
"name": "nodejs24-24.14.1-150700.15.8.1.aarch64",
"product": {
"name": "nodejs24-24.14.1-150700.15.8.1.aarch64",
"product_id": "nodejs24-24.14.1-150700.15.8.1.aarch64"
}
},
{
"category": "product_version",
"name": "nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"product": {
"name": "nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"product_id": "nodejs24-devel-24.14.1-150700.15.8.1.aarch64"
}
},
{
"category": "product_version",
"name": "npm24-24.14.1-150700.15.8.1.aarch64",
"product": {
"name": "npm24-24.14.1-150700.15.8.1.aarch64",
"product_id": "npm24-24.14.1-150700.15.8.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "corepack24-24.14.1-150700.15.8.1.i586",
"product": {
"name": "corepack24-24.14.1-150700.15.8.1.i586",
"product_id": "corepack24-24.14.1-150700.15.8.1.i586"
}
},
{
"category": "product_version",
"name": "nodejs24-24.14.1-150700.15.8.1.i586",
"product": {
"name": "nodejs24-24.14.1-150700.15.8.1.i586",
"product_id": "nodejs24-24.14.1-150700.15.8.1.i586"
}
},
{
"category": "product_version",
"name": "nodejs24-devel-24.14.1-150700.15.8.1.i586",
"product": {
"name": "nodejs24-devel-24.14.1-150700.15.8.1.i586",
"product_id": "nodejs24-devel-24.14.1-150700.15.8.1.i586"
}
},
{
"category": "product_version",
"name": "npm24-24.14.1-150700.15.8.1.i586",
"product": {
"name": "npm24-24.14.1-150700.15.8.1.i586",
"product_id": "npm24-24.14.1-150700.15.8.1.i586"
}
}
],
"category": "architecture",
"name": "i586"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"product": {
"name": "nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"product_id": "nodejs24-docs-24.14.1-150700.15.8.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "corepack24-24.14.1-150700.15.8.1.ppc64le",
"product": {
"name": "corepack24-24.14.1-150700.15.8.1.ppc64le",
"product_id": "corepack24-24.14.1-150700.15.8.1.ppc64le"
}
},
{
"category": "product_version",
"name": "nodejs24-24.14.1-150700.15.8.1.ppc64le",
"product": {
"name": "nodejs24-24.14.1-150700.15.8.1.ppc64le",
"product_id": "nodejs24-24.14.1-150700.15.8.1.ppc64le"
}
},
{
"category": "product_version",
"name": "nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"product": {
"name": "nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"product_id": "nodejs24-devel-24.14.1-150700.15.8.1.ppc64le"
}
},
{
"category": "product_version",
"name": "npm24-24.14.1-150700.15.8.1.ppc64le",
"product": {
"name": "npm24-24.14.1-150700.15.8.1.ppc64le",
"product_id": "npm24-24.14.1-150700.15.8.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "corepack24-24.14.1-150700.15.8.1.s390x",
"product": {
"name": "corepack24-24.14.1-150700.15.8.1.s390x",
"product_id": "corepack24-24.14.1-150700.15.8.1.s390x"
}
},
{
"category": "product_version",
"name": "nodejs24-24.14.1-150700.15.8.1.s390x",
"product": {
"name": "nodejs24-24.14.1-150700.15.8.1.s390x",
"product_id": "nodejs24-24.14.1-150700.15.8.1.s390x"
}
},
{
"category": "product_version",
"name": "nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"product": {
"name": "nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"product_id": "nodejs24-devel-24.14.1-150700.15.8.1.s390x"
}
},
{
"category": "product_version",
"name": "npm24-24.14.1-150700.15.8.1.s390x",
"product": {
"name": "npm24-24.14.1-150700.15.8.1.s390x",
"product_id": "npm24-24.14.1-150700.15.8.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "corepack24-24.14.1-150700.15.8.1.x86_64",
"product": {
"name": "corepack24-24.14.1-150700.15.8.1.x86_64",
"product_id": "corepack24-24.14.1-150700.15.8.1.x86_64"
}
},
{
"category": "product_version",
"name": "nodejs24-24.14.1-150700.15.8.1.x86_64",
"product": {
"name": "nodejs24-24.14.1-150700.15.8.1.x86_64",
"product_id": "nodejs24-24.14.1-150700.15.8.1.x86_64"
}
},
{
"category": "product_version",
"name": "nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"product": {
"name": "nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"product_id": "nodejs24-devel-24.14.1-150700.15.8.1.x86_64"
}
},
{
"category": "product_version",
"name": "npm24-24.14.1-150700.15.8.1.x86_64",
"product": {
"name": "npm24-24.14.1-150700.15.8.1.x86_64",
"product_id": "npm24-24.14.1-150700.15.8.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7",
"product": {
"name": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-web-scripting:15:sp7"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-24.14.1-150700.15.8.1.aarch64 as component of SUSE Linux Enterprise Module for Web and Scripting 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64"
},
"product_reference": "nodejs24-24.14.1-150700.15.8.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-24.14.1-150700.15.8.1.ppc64le as component of SUSE Linux Enterprise Module for Web and Scripting 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le"
},
"product_reference": "nodejs24-24.14.1-150700.15.8.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-24.14.1-150700.15.8.1.s390x as component of SUSE Linux Enterprise Module for Web and Scripting 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x"
},
"product_reference": "nodejs24-24.14.1-150700.15.8.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-24.14.1-150700.15.8.1.x86_64 as component of SUSE Linux Enterprise Module for Web and Scripting 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64"
},
"product_reference": "nodejs24-24.14.1-150700.15.8.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-devel-24.14.1-150700.15.8.1.aarch64 as component of SUSE Linux Enterprise Module for Web and Scripting 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64"
},
"product_reference": "nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-devel-24.14.1-150700.15.8.1.ppc64le as component of SUSE Linux Enterprise Module for Web and Scripting 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le"
},
"product_reference": "nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-devel-24.14.1-150700.15.8.1.s390x as component of SUSE Linux Enterprise Module for Web and Scripting 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x"
},
"product_reference": "nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-devel-24.14.1-150700.15.8.1.x86_64 as component of SUSE Linux Enterprise Module for Web and Scripting 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64"
},
"product_reference": "nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-docs-24.14.1-150700.15.8.1.noarch as component of SUSE Linux Enterprise Module for Web and Scripting 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch"
},
"product_reference": "nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm24-24.14.1-150700.15.8.1.aarch64 as component of SUSE Linux Enterprise Module for Web and Scripting 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64"
},
"product_reference": "npm24-24.14.1-150700.15.8.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm24-24.14.1-150700.15.8.1.ppc64le as component of SUSE Linux Enterprise Module for Web and Scripting 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le"
},
"product_reference": "npm24-24.14.1-150700.15.8.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm24-24.14.1-150700.15.8.1.s390x as component of SUSE Linux Enterprise Module for Web and Scripting 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x"
},
"product_reference": "npm24-24.14.1-150700.15.8.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm24-24.14.1-150700.15.8.1.x86_64 as component of SUSE Linux Enterprise Module for Web and Scripting 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
},
"product_reference": "npm24-24.14.1-150700.15.8.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-59464",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-59464"
}
],
"notes": [
{
"category": "general",
"text": "A memory leak in Node.js\u0027s OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. When applications call `socket.getPeerCertificate(true)`, each certificate field leaks memory, allowing remote clients to trigger steady memory growth through repeated TLS connections. Over time this can lead to resource exhaustion and denial of service.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-59464",
"url": "https://www.suse.com/security/cve/CVE-2025-59464"
},
{
"category": "external",
"summary": "SUSE Bug 1256572 for CVE-2025-59464",
"url": "https://bugzilla.suse.com/1256572"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-13T15:54:45Z",
"details": "moderate"
}
],
"title": "CVE-2025-59464"
},
{
"cve": "CVE-2026-21637",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-21637"
}
],
"notes": [
{
"category": "general",
"text": "A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across Node.js versions where these callbacks throw without being safely wrapped.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-21637",
"url": "https://www.suse.com/security/cve/CVE-2026-21637"
},
{
"category": "external",
"summary": "SUSE Bug 1256576 for CVE-2026-21637",
"url": "https://bugzilla.suse.com/1256576"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-13T15:54:45Z",
"details": "moderate"
}
],
"title": "CVE-2026-21637"
},
{
"cve": "CVE-2026-21710",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-21710"
}
],
"notes": [
{
"category": "general",
"text": "A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`.\r\n\r\nWhen this occurs, `dest[\"__proto__\"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by `error` event listeners, meaning it cannot be handled without wrapping every `req.headersDistinct` access in a `try/catch`.\r\n\r\n* This vulnerability affects all Node.js HTTP servers on **20.x, 22.x, 24.x, and v25.x**",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-21710",
"url": "https://www.suse.com/security/cve/CVE-2026-21710"
},
{
"category": "external",
"summary": "SUSE Bug 1260455 for CVE-2026-21710",
"url": "https://bugzilla.suse.com/1260455"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-13T15:54:45Z",
"details": "important"
}
],
"title": "CVE-2026-21710"
},
{
"cve": "CVE-2026-21712",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-21712"
}
],
"notes": [
{
"category": "general",
"text": "A flaw in Node.js URL processing causes an assertion failure in native code when `url.format()` is called with a malformed internationalized domain name (IDN) containing invalid characters, crashing the Node.js process.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-21712",
"url": "https://www.suse.com/security/cve/CVE-2026-21712"
},
{
"category": "external",
"summary": "SUSE Bug 1260460 for CVE-2026-21712",
"url": "https://bugzilla.suse.com/1260460"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-13T15:54:45Z",
"details": "moderate"
}
],
"title": "CVE-2026-21712"
},
{
"cve": "CVE-2026-21713",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-21713"
}
],
"notes": [
{
"category": "general",
"text": "A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possible, this behavior could be exploited as a timing oracle to infer HMAC values.\r\n\r\nNode.js already provides timing-safe comparison primitives used elsewhere in the codebase, indicating this is an oversight rather than an intentional design decision.\r\n\r\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x**.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-21713",
"url": "https://www.suse.com/security/cve/CVE-2026-21713"
},
{
"category": "external",
"summary": "SUSE Bug 1260463 for CVE-2026-21713",
"url": "https://bugzilla.suse.com/1260463"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-13T15:54:45Z",
"details": "moderate"
}
],
"title": "CVE-2026-21713"
},
{
"cve": "CVE-2026-21714",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-21714"
}
],
"notes": [
{
"category": "general",
"text": "A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up.\r\n\r\nThis vulnerability affects HTTP2 users on Node.js 20, 22, 24 and 25.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-21714",
"url": "https://www.suse.com/security/cve/CVE-2026-21714"
},
{
"category": "external",
"summary": "SUSE Bug 1260480 for CVE-2026-21714",
"url": "https://bugzilla.suse.com/1260480"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-13T15:54:45Z",
"details": "moderate"
}
],
"title": "CVE-2026-21714"
},
{
"cve": "CVE-2026-21715",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-21715"
}
],
"notes": [
{
"category": "general",
"text": "A flaw in Node.js Permission Model filesystem enforcement leaves `fs.realpathSync.native()` without the required read permission checks, while all comparable filesystem functions correctly enforce them.\r\n\r\nAs a result, code running under `--permission` with restricted `--allow-fs-read` can still use `fs.realpathSync.native()` to check file existence, resolve symlink targets, and enumerate filesystem paths outside of permitted directories.\r\n\r\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-read` is intentionally restricted.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-21715",
"url": "https://www.suse.com/security/cve/CVE-2026-21715"
},
{
"category": "external",
"summary": "SUSE Bug 1260482 for CVE-2026-21715",
"url": "https://bugzilla.suse.com/1260482"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-13T15:54:45Z",
"details": "low"
}
],
"title": "CVE-2026-21715"
},
{
"cve": "CVE-2026-21716",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-21716"
}
],
"notes": [
{
"category": "general",
"text": "An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and `FileHandle.chown()` in the promises API without the required permission checks, while their callback-based equivalents (`fs.fchmod()`, `fs.fchown()`) were correctly patched.\r\n\r\nAs a result, code running under `--permission` with restricted `--allow-fs-write` can still use promise-based `FileHandle` methods to modify file permissions and ownership on already-open file descriptors, bypassing the intended write restrictions.\r\n\r\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-write` is intentionally restricted.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-21716",
"url": "https://www.suse.com/security/cve/CVE-2026-21716"
},
{
"category": "external",
"summary": "SUSE Bug 1260462 for CVE-2026-21716",
"url": "https://bugzilla.suse.com/1260462"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-13T15:54:45Z",
"details": "moderate"
}
],
"title": "CVE-2026-21716"
},
{
"cve": "CVE-2026-21717",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-21717"
}
],
"notes": [
{
"category": "general",
"text": "A flaw in V8\u0027s string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8\u0027s internal string table, an attacker can significantly degrade performance of the Node.js process.\r\n\r\nThe most common trigger is any endpoint that calls `JSON.parse()` on attacker-controlled input, as JSON parsing automatically internalizes short strings into the affected hash table.\r\n\r\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x**.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-21717",
"url": "https://www.suse.com/security/cve/CVE-2026-21717"
},
{
"category": "external",
"summary": "SUSE Bug 1260494 for CVE-2026-21717",
"url": "https://bugzilla.suse.com/1260494"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-13T15:54:45Z",
"details": "moderate"
}
],
"title": "CVE-2026-21717"
}
]
}
SUSE-SU-2026:21181-1
Vulnerability from csaf_suse - Published: 2026-04-13 10:59 - Updated: 2026-04-13 10:59Summary
Security update for nodejs24
Severity
Important
Notes
Title of the patch: Security update for nodejs24
Description of the patch: This update for nodejs24 fixes the following issues:
Update to version 24.14.1.
Security issues fixed:
- CVE-2026-21717: trivially predictable hash collisions due to flaw in V8's string hashing mechanism allows for
performance degradation via a crafted request (bsc#1260494).
- CVE-2026-21716: incomplete fix for CVE-2024-36137 allows promise-based FileHandle methods to be used to modify file
permissions and ownership on already-open file descriptors (bsc#1260462).
- CVE-2026-21715: flaw in the Permission Model filesystem enforcement allows for file existence disclosure and
filesystem path enumeration via `fs.realpathSync.native()` (bsc#1260482).
- CVE-2026-21714: memory leak in Node.js HTTP/2 server allows for resource exhaustion via `WINDOW_UPDATE` frames sent
on stream 0 (bsc#1260480).
- CVE-2026-21713: timing side-channel due to flaw in Node.js HMAC verification allows for discovery of HMAC values and
potential MAC forgery (bsc#1260463).
- CVE-2026-21712: assertion error caused by flaw in URL processing allows for a process crash via a URL with a
malformed IDN (bsc#1260460).
- CVE-2026-21710: uncaught `TypeError` when handling HTTP requests allows for a process crash via requests with a
header named `__proto__` when the application accesses `req.headersDistinct` (bsc#1260455).
- CVE-2026-21637: flaw in TLS error handling allows for resource exhaustion and crash when `pskCallback` or
`ALPNCallback` are in use (bsc#1256576).
- CVE-2025-59464: memory leak allows for remote denial of service against applications processing TLS client
certificates (bsc#1256572).
Other updates and bugfixes:
- Version 24.14.0:
* async_hooks: add trackPromises option to createHook()
* build,deps: replace cjs-module-lexer with merve
* deps: add LIEF as a dependency
* events: repurpose events.listenerCount() to accept EventTargets
* fs: add ignore option to fs.watch
* http: add http.setGlobalProxyFromEnv()
* module: allow subpath imports that start with #/
* process: preserve AsyncLocalStorage in queueMicrotask only when needed
* sea: split sea binary manipulation code
* sqlite: enable defensive mode by default
* sqlite: add sqlite prepare options args
* src: add initial support for ESM in embedder API
* stream: add bytes() method to node:stream/consumers
* stream: do not pass readable.compose() output via Readable.from()
* test: use fixture directories for sea tests
* test_runner: add env option to run function
* test_runner: support expecting a test-case to fail
* util: add convertProcessSignalToExitCode utility
* For details, see https://nodejs.org/en/blog/release/v24.14.0
Patchnames: SUSE-SLES-16.0-541
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
5.3 (Medium)
Affected products
Recommended
34 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
5.3 (Medium)
Affected products
Recommended
34 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
7.5 (High)
Affected products
Recommended
34 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
6.5 (Medium)
Affected products
Recommended
34 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
5.6 (Medium)
Affected products
Recommended
34 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
5.9 (Medium)
Affected products
Recommended
34 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
Affected products
Recommended
34 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
low
4.4 (Medium)
Affected products
Recommended
34 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
6.3 (Medium)
Affected products
Recommended
34 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
References
40 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for nodejs24",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for nodejs24 fixes the following issues:\n\nUpdate to version 24.14.1.\n\nSecurity issues fixed:\n\n- CVE-2026-21717: trivially predictable hash collisions due to flaw in V8\u0027s string hashing mechanism allows for\n performance degradation via a crafted request (bsc#1260494).\n- CVE-2026-21716: incomplete fix for CVE-2024-36137 allows promise-based FileHandle methods to be used to modify file\n permissions and ownership on already-open file descriptors (bsc#1260462).\n- CVE-2026-21715: flaw in the Permission Model filesystem enforcement allows for file existence disclosure and\n filesystem path enumeration via `fs.realpathSync.native()` (bsc#1260482).\n- CVE-2026-21714: memory leak in Node.js HTTP/2 server allows for resource exhaustion via `WINDOW_UPDATE` frames sent\n on stream 0 (bsc#1260480).\n- CVE-2026-21713: timing side-channel due to flaw in Node.js HMAC verification allows for discovery of HMAC values and\n potential MAC forgery (bsc#1260463).\n- CVE-2026-21712: assertion error caused by flaw in URL processing allows for a process crash via a URL with a\n malformed IDN (bsc#1260460).\n- CVE-2026-21710: uncaught `TypeError` when handling HTTP requests allows for a process crash via requests with a\n header named `__proto__` when the application accesses `req.headersDistinct` (bsc#1260455).\n- CVE-2026-21637: flaw in TLS error handling allows for resource exhaustion and crash when `pskCallback` or\n `ALPNCallback` are in use (bsc#1256576).\n- CVE-2025-59464: memory leak allows for remote denial of service against applications processing TLS client\n certificates (bsc#1256572).\n\nOther updates and bugfixes:\n\n- Version 24.14.0:\n * async_hooks: add trackPromises option to createHook()\n * build,deps: replace cjs-module-lexer with merve\n * deps: add LIEF as a dependency\n * events: repurpose events.listenerCount() to accept EventTargets\n * fs: add ignore option to fs.watch\n * http: add http.setGlobalProxyFromEnv()\n * module: allow subpath imports that start with #/\n * process: preserve AsyncLocalStorage in queueMicrotask only when needed\n * sea: split sea binary manipulation code\n * sqlite: enable defensive mode by default\n * sqlite: add sqlite prepare options args\n * src: add initial support for ESM in embedder API\n * stream: add bytes() method to node:stream/consumers\n * stream: do not pass readable.compose() output via Readable.from()\n * test: use fixture directories for sea tests\n * test_runner: add env option to run function\n * test_runner: support expecting a test-case to fail\n * util: add convertProcessSignalToExitCode utility\n * For details, see https://nodejs.org/en/blog/release/v24.14.0\n\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-SLES-16.0-541",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_21181-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:21181-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621181-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:21181-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025537.html"
},
{
"category": "self",
"summary": "SUSE Bug 1256572",
"url": "https://bugzilla.suse.com/1256572"
},
{
"category": "self",
"summary": "SUSE Bug 1256576",
"url": "https://bugzilla.suse.com/1256576"
},
{
"category": "self",
"summary": "SUSE Bug 1260455",
"url": "https://bugzilla.suse.com/1260455"
},
{
"category": "self",
"summary": "SUSE Bug 1260460",
"url": "https://bugzilla.suse.com/1260460"
},
{
"category": "self",
"summary": "SUSE Bug 1260462",
"url": "https://bugzilla.suse.com/1260462"
},
{
"category": "self",
"summary": "SUSE Bug 1260463",
"url": "https://bugzilla.suse.com/1260463"
},
{
"category": "self",
"summary": "SUSE Bug 1260480",
"url": "https://bugzilla.suse.com/1260480"
},
{
"category": "self",
"summary": "SUSE Bug 1260482",
"url": "https://bugzilla.suse.com/1260482"
},
{
"category": "self",
"summary": "SUSE Bug 1260494",
"url": "https://bugzilla.suse.com/1260494"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-59464 page",
"url": "https://www.suse.com/security/cve/CVE-2025-59464/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-21637 page",
"url": "https://www.suse.com/security/cve/CVE-2026-21637/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-21710 page",
"url": "https://www.suse.com/security/cve/CVE-2026-21710/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-21712 page",
"url": "https://www.suse.com/security/cve/CVE-2026-21712/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-21713 page",
"url": "https://www.suse.com/security/cve/CVE-2026-21713/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-21714 page",
"url": "https://www.suse.com/security/cve/CVE-2026-21714/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-21715 page",
"url": "https://www.suse.com/security/cve/CVE-2026-21715/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-21716 page",
"url": "https://www.suse.com/security/cve/CVE-2026-21716/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-21717 page",
"url": "https://www.suse.com/security/cve/CVE-2026-21717/"
}
],
"title": "Security update for nodejs24",
"tracking": {
"current_release_date": "2026-04-13T10:59:52Z",
"generator": {
"date": "2026-04-13T10:59:52Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:21181-1",
"initial_release_date": "2026-04-13T10:59:52Z",
"revision_history": [
{
"date": "2026-04-13T10:59:52Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "corepack24-24.14.1-160000.1.1.aarch64",
"product": {
"name": "corepack24-24.14.1-160000.1.1.aarch64",
"product_id": "corepack24-24.14.1-160000.1.1.aarch64"
}
},
{
"category": "product_version",
"name": "nodejs24-24.14.1-160000.1.1.aarch64",
"product": {
"name": "nodejs24-24.14.1-160000.1.1.aarch64",
"product_id": "nodejs24-24.14.1-160000.1.1.aarch64"
}
},
{
"category": "product_version",
"name": "nodejs24-devel-24.14.1-160000.1.1.aarch64",
"product": {
"name": "nodejs24-devel-24.14.1-160000.1.1.aarch64",
"product_id": "nodejs24-devel-24.14.1-160000.1.1.aarch64"
}
},
{
"category": "product_version",
"name": "npm24-24.14.1-160000.1.1.aarch64",
"product": {
"name": "npm24-24.14.1-160000.1.1.aarch64",
"product_id": "npm24-24.14.1-160000.1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs24-docs-24.14.1-160000.1.1.noarch",
"product": {
"name": "nodejs24-docs-24.14.1-160000.1.1.noarch",
"product_id": "nodejs24-docs-24.14.1-160000.1.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "corepack24-24.14.1-160000.1.1.ppc64le",
"product": {
"name": "corepack24-24.14.1-160000.1.1.ppc64le",
"product_id": "corepack24-24.14.1-160000.1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "nodejs24-24.14.1-160000.1.1.ppc64le",
"product": {
"name": "nodejs24-24.14.1-160000.1.1.ppc64le",
"product_id": "nodejs24-24.14.1-160000.1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"product": {
"name": "nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"product_id": "nodejs24-devel-24.14.1-160000.1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "npm24-24.14.1-160000.1.1.ppc64le",
"product": {
"name": "npm24-24.14.1-160000.1.1.ppc64le",
"product_id": "npm24-24.14.1-160000.1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "corepack24-24.14.1-160000.1.1.s390x",
"product": {
"name": "corepack24-24.14.1-160000.1.1.s390x",
"product_id": "corepack24-24.14.1-160000.1.1.s390x"
}
},
{
"category": "product_version",
"name": "nodejs24-24.14.1-160000.1.1.s390x",
"product": {
"name": "nodejs24-24.14.1-160000.1.1.s390x",
"product_id": "nodejs24-24.14.1-160000.1.1.s390x"
}
},
{
"category": "product_version",
"name": "nodejs24-devel-24.14.1-160000.1.1.s390x",
"product": {
"name": "nodejs24-devel-24.14.1-160000.1.1.s390x",
"product_id": "nodejs24-devel-24.14.1-160000.1.1.s390x"
}
},
{
"category": "product_version",
"name": "npm24-24.14.1-160000.1.1.s390x",
"product": {
"name": "npm24-24.14.1-160000.1.1.s390x",
"product_id": "npm24-24.14.1-160000.1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "corepack24-24.14.1-160000.1.1.x86_64",
"product": {
"name": "corepack24-24.14.1-160000.1.1.x86_64",
"product_id": "corepack24-24.14.1-160000.1.1.x86_64"
}
},
{
"category": "product_version",
"name": "nodejs24-24.14.1-160000.1.1.x86_64",
"product": {
"name": "nodejs24-24.14.1-160000.1.1.x86_64",
"product_id": "nodejs24-24.14.1-160000.1.1.x86_64"
}
},
{
"category": "product_version",
"name": "nodejs24-devel-24.14.1-160000.1.1.x86_64",
"product": {
"name": "nodejs24-devel-24.14.1-160000.1.1.x86_64",
"product_id": "nodejs24-devel-24.14.1-160000.1.1.x86_64"
}
},
{
"category": "product_version",
"name": "npm24-24.14.1-160000.1.1.x86_64",
"product": {
"name": "npm24-24.14.1-160000.1.1.x86_64",
"product_id": "npm24-24.14.1-160000.1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 16.0",
"product": {
"name": "SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:16.0"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product": {
"name": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:16:16.0:server-sap"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "corepack24-24.14.1-160000.1.1.aarch64 as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.aarch64"
},
"product_reference": "corepack24-24.14.1-160000.1.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "corepack24-24.14.1-160000.1.1.ppc64le as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.ppc64le"
},
"product_reference": "corepack24-24.14.1-160000.1.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "corepack24-24.14.1-160000.1.1.s390x as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.s390x"
},
"product_reference": "corepack24-24.14.1-160000.1.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "corepack24-24.14.1-160000.1.1.x86_64 as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.x86_64"
},
"product_reference": "corepack24-24.14.1-160000.1.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-24.14.1-160000.1.1.aarch64 as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.aarch64"
},
"product_reference": "nodejs24-24.14.1-160000.1.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-24.14.1-160000.1.1.ppc64le as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.ppc64le"
},
"product_reference": "nodejs24-24.14.1-160000.1.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-24.14.1-160000.1.1.s390x as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.s390x"
},
"product_reference": "nodejs24-24.14.1-160000.1.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-24.14.1-160000.1.1.x86_64 as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.x86_64"
},
"product_reference": "nodejs24-24.14.1-160000.1.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-devel-24.14.1-160000.1.1.aarch64 as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64"
},
"product_reference": "nodejs24-devel-24.14.1-160000.1.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-devel-24.14.1-160000.1.1.ppc64le as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le"
},
"product_reference": "nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-devel-24.14.1-160000.1.1.s390x as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x"
},
"product_reference": "nodejs24-devel-24.14.1-160000.1.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-devel-24.14.1-160000.1.1.x86_64 as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64"
},
"product_reference": "nodejs24-devel-24.14.1-160000.1.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-docs-24.14.1-160000.1.1.noarch as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch"
},
"product_reference": "nodejs24-docs-24.14.1-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm24-24.14.1-160000.1.1.aarch64 as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.aarch64"
},
"product_reference": "npm24-24.14.1-160000.1.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm24-24.14.1-160000.1.1.ppc64le as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.ppc64le"
},
"product_reference": "npm24-24.14.1-160000.1.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm24-24.14.1-160000.1.1.s390x as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.s390x"
},
"product_reference": "npm24-24.14.1-160000.1.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm24-24.14.1-160000.1.1.x86_64 as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.x86_64"
},
"product_reference": "npm24-24.14.1-160000.1.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "corepack24-24.14.1-160000.1.1.aarch64 as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.aarch64"
},
"product_reference": "corepack24-24.14.1-160000.1.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "corepack24-24.14.1-160000.1.1.ppc64le as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.ppc64le"
},
"product_reference": "corepack24-24.14.1-160000.1.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "corepack24-24.14.1-160000.1.1.s390x as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.s390x"
},
"product_reference": "corepack24-24.14.1-160000.1.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "corepack24-24.14.1-160000.1.1.x86_64 as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.x86_64"
},
"product_reference": "corepack24-24.14.1-160000.1.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-24.14.1-160000.1.1.aarch64 as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.aarch64"
},
"product_reference": "nodejs24-24.14.1-160000.1.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-24.14.1-160000.1.1.ppc64le as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.ppc64le"
},
"product_reference": "nodejs24-24.14.1-160000.1.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-24.14.1-160000.1.1.s390x as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.s390x"
},
"product_reference": "nodejs24-24.14.1-160000.1.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-24.14.1-160000.1.1.x86_64 as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.x86_64"
},
"product_reference": "nodejs24-24.14.1-160000.1.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-devel-24.14.1-160000.1.1.aarch64 as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64"
},
"product_reference": "nodejs24-devel-24.14.1-160000.1.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-devel-24.14.1-160000.1.1.ppc64le as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le"
},
"product_reference": "nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-devel-24.14.1-160000.1.1.s390x as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x"
},
"product_reference": "nodejs24-devel-24.14.1-160000.1.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-devel-24.14.1-160000.1.1.x86_64 as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64"
},
"product_reference": "nodejs24-devel-24.14.1-160000.1.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-docs-24.14.1-160000.1.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch"
},
"product_reference": "nodejs24-docs-24.14.1-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm24-24.14.1-160000.1.1.aarch64 as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.aarch64"
},
"product_reference": "npm24-24.14.1-160000.1.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm24-24.14.1-160000.1.1.ppc64le as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.ppc64le"
},
"product_reference": "npm24-24.14.1-160000.1.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm24-24.14.1-160000.1.1.s390x as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.s390x"
},
"product_reference": "npm24-24.14.1-160000.1.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm24-24.14.1-160000.1.1.x86_64 as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.x86_64"
},
"product_reference": "npm24-24.14.1-160000.1.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-59464",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-59464"
}
],
"notes": [
{
"category": "general",
"text": "A memory leak in Node.js\u0027s OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. When applications call `socket.getPeerCertificate(true)`, each certificate field leaks memory, allowing remote clients to trigger steady memory growth through repeated TLS connections. Over time this can lead to resource exhaustion and denial of service.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-59464",
"url": "https://www.suse.com/security/cve/CVE-2025-59464"
},
{
"category": "external",
"summary": "SUSE Bug 1256572 for CVE-2025-59464",
"url": "https://bugzilla.suse.com/1256572"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-13T10:59:52Z",
"details": "moderate"
}
],
"title": "CVE-2025-59464"
},
{
"cve": "CVE-2026-21637",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-21637"
}
],
"notes": [
{
"category": "general",
"text": "A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across Node.js versions where these callbacks throw without being safely wrapped.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-21637",
"url": "https://www.suse.com/security/cve/CVE-2026-21637"
},
{
"category": "external",
"summary": "SUSE Bug 1256576 for CVE-2026-21637",
"url": "https://bugzilla.suse.com/1256576"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-13T10:59:52Z",
"details": "moderate"
}
],
"title": "CVE-2026-21637"
},
{
"cve": "CVE-2026-21710",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-21710"
}
],
"notes": [
{
"category": "general",
"text": "A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`.\r\n\r\nWhen this occurs, `dest[\"__proto__\"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by `error` event listeners, meaning it cannot be handled without wrapping every `req.headersDistinct` access in a `try/catch`.\r\n\r\n* This vulnerability affects all Node.js HTTP servers on **20.x, 22.x, 24.x, and v25.x**",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-21710",
"url": "https://www.suse.com/security/cve/CVE-2026-21710"
},
{
"category": "external",
"summary": "SUSE Bug 1260455 for CVE-2026-21710",
"url": "https://bugzilla.suse.com/1260455"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-13T10:59:52Z",
"details": "important"
}
],
"title": "CVE-2026-21710"
},
{
"cve": "CVE-2026-21712",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-21712"
}
],
"notes": [
{
"category": "general",
"text": "A flaw in Node.js URL processing causes an assertion failure in native code when `url.format()` is called with a malformed internationalized domain name (IDN) containing invalid characters, crashing the Node.js process.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-21712",
"url": "https://www.suse.com/security/cve/CVE-2026-21712"
},
{
"category": "external",
"summary": "SUSE Bug 1260460 for CVE-2026-21712",
"url": "https://bugzilla.suse.com/1260460"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-13T10:59:52Z",
"details": "moderate"
}
],
"title": "CVE-2026-21712"
},
{
"cve": "CVE-2026-21713",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-21713"
}
],
"notes": [
{
"category": "general",
"text": "A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possible, this behavior could be exploited as a timing oracle to infer HMAC values.\r\n\r\nNode.js already provides timing-safe comparison primitives used elsewhere in the codebase, indicating this is an oversight rather than an intentional design decision.\r\n\r\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x**.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-21713",
"url": "https://www.suse.com/security/cve/CVE-2026-21713"
},
{
"category": "external",
"summary": "SUSE Bug 1260463 for CVE-2026-21713",
"url": "https://bugzilla.suse.com/1260463"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-13T10:59:52Z",
"details": "moderate"
}
],
"title": "CVE-2026-21713"
},
{
"cve": "CVE-2026-21714",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-21714"
}
],
"notes": [
{
"category": "general",
"text": "A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up.\r\n\r\nThis vulnerability affects HTTP2 users on Node.js 20, 22, 24 and 25.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-21714",
"url": "https://www.suse.com/security/cve/CVE-2026-21714"
},
{
"category": "external",
"summary": "SUSE Bug 1260480 for CVE-2026-21714",
"url": "https://bugzilla.suse.com/1260480"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-13T10:59:52Z",
"details": "moderate"
}
],
"title": "CVE-2026-21714"
},
{
"cve": "CVE-2026-21715",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-21715"
}
],
"notes": [
{
"category": "general",
"text": "A flaw in Node.js Permission Model filesystem enforcement leaves `fs.realpathSync.native()` without the required read permission checks, while all comparable filesystem functions correctly enforce them.\r\n\r\nAs a result, code running under `--permission` with restricted `--allow-fs-read` can still use `fs.realpathSync.native()` to check file existence, resolve symlink targets, and enumerate filesystem paths outside of permitted directories.\r\n\r\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-read` is intentionally restricted.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-21715",
"url": "https://www.suse.com/security/cve/CVE-2026-21715"
},
{
"category": "external",
"summary": "SUSE Bug 1260482 for CVE-2026-21715",
"url": "https://bugzilla.suse.com/1260482"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-13T10:59:52Z",
"details": "low"
}
],
"title": "CVE-2026-21715"
},
{
"cve": "CVE-2026-21716",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-21716"
}
],
"notes": [
{
"category": "general",
"text": "An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and `FileHandle.chown()` in the promises API without the required permission checks, while their callback-based equivalents (`fs.fchmod()`, `fs.fchown()`) were correctly patched.\r\n\r\nAs a result, code running under `--permission` with restricted `--allow-fs-write` can still use promise-based `FileHandle` methods to modify file permissions and ownership on already-open file descriptors, bypassing the intended write restrictions.\r\n\r\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-write` is intentionally restricted.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-21716",
"url": "https://www.suse.com/security/cve/CVE-2026-21716"
},
{
"category": "external",
"summary": "SUSE Bug 1260462 for CVE-2026-21716",
"url": "https://bugzilla.suse.com/1260462"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-13T10:59:52Z",
"details": "moderate"
}
],
"title": "CVE-2026-21716"
},
{
"cve": "CVE-2026-21717",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-21717"
}
],
"notes": [
{
"category": "general",
"text": "A flaw in V8\u0027s string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8\u0027s internal string table, an attacker can significantly degrade performance of the Node.js process.\r\n\r\nThe most common trigger is any endpoint that calls `JSON.parse()` on attacker-controlled input, as JSON parsing automatically internalizes short strings into the affected hash table.\r\n\r\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x**.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-21717",
"url": "https://www.suse.com/security/cve/CVE-2026-21717"
},
{
"category": "external",
"summary": "SUSE Bug 1260494 for CVE-2026-21717",
"url": "https://bugzilla.suse.com/1260494"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-13T10:59:52Z",
"details": "moderate"
}
],
"title": "CVE-2026-21717"
}
]
}
WID-SEC-W-2026-0098
Vulnerability from csaf_certbund - Published: 2026-01-13 23:00 - Updated: 2026-02-16 23:00Summary
Node.js: Mehrere Schwachstellen
Severity
Kritisch
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung: Node.js ist eine Plattform zur Entwicklung von Netzwerkanwendungen.
Angriff: Ein Angreifer kann mehrere Schwachstellen in Node.js ausnutzen, um beliebigen Code auszuführen, erweiterte Berechtigungen zu erlangen, Sicherheitsmaßnahmen zu umgehen, Daten zu manipulieren und vertrauliche Informationen offenzulegen.
Betroffene Betriebssysteme: - Sonstiges
- UNIX
- Windows
Affected products
Known affected
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source Node.js <24.13.0
Open Source / Node.js
|
<24.13.0 | ||
|
Open Source Node.js <22.22.0
Open Source / Node.js
|
<22.22.0 | ||
|
Open Source Node.js <20.20.0
Open Source / Node.js
|
<20.20.0 | ||
|
SUSE Linux
SUSE
|
cpe:/o:suse:suse_linux:-
|
— | |
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Open Source Node.js <25.3.0
Open Source / Node.js
|
<25.3.0 | ||
|
Oracle Linux
Oracle
|
cpe:/o:oracle:linux:-
|
— | |
|
RESF Rocky Linux
RESF
|
cpe:/o:resf:rocky_linux:-
|
— |
Affected products
Known affected
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source Node.js <24.13.0
Open Source / Node.js
|
<24.13.0 | ||
|
Open Source Node.js <22.22.0
Open Source / Node.js
|
<22.22.0 | ||
|
Open Source Node.js <20.20.0
Open Source / Node.js
|
<20.20.0 | ||
|
SUSE Linux
SUSE
|
cpe:/o:suse:suse_linux:-
|
— | |
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Open Source Node.js <25.3.0
Open Source / Node.js
|
<25.3.0 | ||
|
Oracle Linux
Oracle
|
cpe:/o:oracle:linux:-
|
— | |
|
RESF Rocky Linux
RESF
|
cpe:/o:resf:rocky_linux:-
|
— |
Affected products
Known affected
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source Node.js <24.13.0
Open Source / Node.js
|
<24.13.0 | ||
|
Open Source Node.js <22.22.0
Open Source / Node.js
|
<22.22.0 | ||
|
Open Source Node.js <20.20.0
Open Source / Node.js
|
<20.20.0 | ||
|
SUSE Linux
SUSE
|
cpe:/o:suse:suse_linux:-
|
— | |
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Open Source Node.js <25.3.0
Open Source / Node.js
|
<25.3.0 | ||
|
Oracle Linux
Oracle
|
cpe:/o:oracle:linux:-
|
— | |
|
RESF Rocky Linux
RESF
|
cpe:/o:resf:rocky_linux:-
|
— |
Affected products
Known affected
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source Node.js <24.13.0
Open Source / Node.js
|
<24.13.0 | ||
|
Open Source Node.js <22.22.0
Open Source / Node.js
|
<22.22.0 | ||
|
Open Source Node.js <20.20.0
Open Source / Node.js
|
<20.20.0 | ||
|
SUSE Linux
SUSE
|
cpe:/o:suse:suse_linux:-
|
— | |
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Open Source Node.js <25.3.0
Open Source / Node.js
|
<25.3.0 | ||
|
Oracle Linux
Oracle
|
cpe:/o:oracle:linux:-
|
— | |
|
RESF Rocky Linux
RESF
|
cpe:/o:resf:rocky_linux:-
|
— |
Affected products
Known affected
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source Node.js <24.13.0
Open Source / Node.js
|
<24.13.0 | ||
|
Open Source Node.js <22.22.0
Open Source / Node.js
|
<22.22.0 | ||
|
Open Source Node.js <20.20.0
Open Source / Node.js
|
<20.20.0 | ||
|
SUSE Linux
SUSE
|
cpe:/o:suse:suse_linux:-
|
— | |
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Open Source Node.js <25.3.0
Open Source / Node.js
|
<25.3.0 | ||
|
Oracle Linux
Oracle
|
cpe:/o:oracle:linux:-
|
— | |
|
RESF Rocky Linux
RESF
|
cpe:/o:resf:rocky_linux:-
|
— |
Affected products
Known affected
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source Node.js <24.13.0
Open Source / Node.js
|
<24.13.0 | ||
|
Open Source Node.js <22.22.0
Open Source / Node.js
|
<22.22.0 | ||
|
Open Source Node.js <20.20.0
Open Source / Node.js
|
<20.20.0 | ||
|
SUSE Linux
SUSE
|
cpe:/o:suse:suse_linux:-
|
— | |
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Open Source Node.js <25.3.0
Open Source / Node.js
|
<25.3.0 | ||
|
Oracle Linux
Oracle
|
cpe:/o:oracle:linux:-
|
— | |
|
RESF Rocky Linux
RESF
|
cpe:/o:resf:rocky_linux:-
|
— |
Affected products
Known affected
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source Node.js <24.13.0
Open Source / Node.js
|
<24.13.0 | ||
|
Open Source Node.js <22.22.0
Open Source / Node.js
|
<22.22.0 | ||
|
Open Source Node.js <20.20.0
Open Source / Node.js
|
<20.20.0 | ||
|
SUSE Linux
SUSE
|
cpe:/o:suse:suse_linux:-
|
— | |
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Open Source Node.js <25.3.0
Open Source / Node.js
|
<25.3.0 | ||
|
Oracle Linux
Oracle
|
cpe:/o:oracle:linux:-
|
— | |
|
RESF Rocky Linux
RESF
|
cpe:/o:resf:rocky_linux:-
|
— |
Affected products
Known affected
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source Node.js <24.13.0
Open Source / Node.js
|
<24.13.0 | ||
|
Open Source Node.js <22.22.0
Open Source / Node.js
|
<22.22.0 | ||
|
Open Source Node.js <20.20.0
Open Source / Node.js
|
<20.20.0 | ||
|
SUSE Linux
SUSE
|
cpe:/o:suse:suse_linux:-
|
— | |
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Open Source Node.js <25.3.0
Open Source / Node.js
|
<25.3.0 | ||
|
Oracle Linux
Oracle
|
cpe:/o:oracle:linux:-
|
— | |
|
RESF Rocky Linux
RESF
|
cpe:/o:resf:rocky_linux:-
|
— |
References
24 references
{
"document": {
"aggregate_severity": {
"text": "kritisch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Node.js ist eine Plattform zur Entwicklung von Netzwerkanwendungen.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein Angreifer kann mehrere Schwachstellen in Node.js ausnutzen, um beliebigen Code auszuf\u00fchren, erweiterte Berechtigungen zu erlangen, Sicherheitsma\u00dfnahmen zu umgehen, Daten zu manipulieren und vertrauliche Informationen offenzulegen.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Sonstiges\n- UNIX\n- Windows",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2026-0098 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-0098.json"
},
{
"category": "self",
"summary": "WID-SEC-2026-0098 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-0098"
},
{
"category": "external",
"summary": "NodeJS Security Release vom 2026-01-13",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2026:0295-1 vom 2026-01-26",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/QNEEHSNPEIHXCGDJ2EAF4CD5OEXEYCQU/"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2026:0301-1 vom 2026-01-27",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-January/023926.html"
},
{
"category": "external",
"summary": "Exploit CVE-2025-55130 vom 2026-02-01",
"url": "https://github.com/scumfrog/CVE-2025-55130"
},
{
"category": "external",
"summary": "Oracle Linux Security Advisory ELSA-2026-1843 vom 2026-02-05",
"url": "https://linux.oracle.com/errata/ELSA-2026-1843.html"
},
{
"category": "external",
"summary": "Oracle Linux Security Advisory ELSA-2026-1842 vom 2026-02-05",
"url": "https://linux.oracle.com/errata/ELSA-2026-1842.html"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:1843 vom 2026-02-05",
"url": "https://access.redhat.com/errata/RHSA-2026:1843"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:1842 vom 2026-02-05",
"url": "https://access.redhat.com/errata/RHSA-2026:1842"
},
{
"category": "external",
"summary": "Rocky Linux Security Advisory RLSA-2026:1842 vom 2026-02-06",
"url": "https://errata.build.resf.org/RLSA-2026:1842"
},
{
"category": "external",
"summary": "Rocky Linux Security Advisory RLSA-2026:1843 vom 2026-02-06",
"url": "https://errata.build.resf.org/RLSA-2026:1843"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:2422 vom 2026-02-10",
"url": "https://access.redhat.com/errata/RHSA-2026:2422"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:2420 vom 2026-02-10",
"url": "https://access.redhat.com/errata/RHSA-2026:2420"
},
{
"category": "external",
"summary": "Rocky Linux Security Advisory RLSA-2026:2420 vom 2026-02-11",
"url": "https://errata.build.resf.org/RLSA-2026:2420"
},
{
"category": "external",
"summary": "Rocky Linux Security Advisory RLSA-2026:2421 vom 2026-02-11",
"url": "https://errata.build.resf.org/RLSA-2026:2421"
},
{
"category": "external",
"summary": "Rocky Linux Security Advisory RLSA-2026:2422 vom 2026-02-11",
"url": "https://errata.build.resf.org/RLSA-2026:2422"
},
{
"category": "external",
"summary": "Oracle Linux Security Advisory ELSA-2026-2420 vom 2026-02-11",
"url": "https://linux.oracle.com/errata/ELSA-2026-2420.html"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:2421 vom 2026-02-10",
"url": "https://access.redhat.com/errata/RHSA-2026:2421"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2026:0435-1 vom 2026-02-11",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-February/024113.html"
},
{
"category": "external",
"summary": "Oracle Linux Security Advisory ELSA-2026-2422 vom 2026-02-12",
"url": "https://linux.oracle.com/errata/ELSA-2026-2422.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2026:0457-1 vom 2026-02-12",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-February/024134.html"
},
{
"category": "external",
"summary": "Oracle Linux Security Advisory ELSA-2026-2421 vom 2026-02-13",
"url": "https://linux.oracle.com/errata/ELSA-2026-2421.html"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:2768 vom 2026-02-17",
"url": "https://access.redhat.com/errata/RHSA-2026:2768"
}
],
"source_lang": "en-US",
"title": "Node.js: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2026-02-16T23:00:00.000+00:00",
"generator": {
"date": "2026-02-17T09:05:32.093+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.5.0"
}
},
"id": "WID-SEC-W-2026-0098",
"initial_release_date": "2026-01-13T23:00:00.000+00:00",
"revision_history": [
{
"date": "2026-01-13T23:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2026-01-20T23:00:00.000+00:00",
"number": "2",
"summary": "Referenz(en) aufgenommen: EUVD-2026-3331, EUVD-2026-3327, EUVD-2026-3325, EUVD-2026-3323, EUVD-2026-3340, EUVD-2026-3339, EUVD-2026-3338"
},
{
"date": "2026-01-21T23:00:00.000+00:00",
"number": "3",
"summary": "Referenz(en) aufgenommen: EUVD-2026-3334"
},
{
"date": "2026-01-26T23:00:00.000+00:00",
"number": "4",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2026-01-27T23:00:00.000+00:00",
"number": "5",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2026-02-01T23:00:00.000+00:00",
"number": "6",
"summary": "Exploit f\u00fcr CVE-2025-55130 aufgenommen"
},
{
"date": "2026-02-04T23:00:00.000+00:00",
"number": "7",
"summary": "Neue Updates von Oracle Linux aufgenommen"
},
{
"date": "2026-02-05T23:00:00.000+00:00",
"number": "8",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2026-02-09T23:00:00.000+00:00",
"number": "9",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2026-02-10T23:00:00.000+00:00",
"number": "10",
"summary": "Neue Updates von Red Hat, Rocky Enterprise Software Foundation und Oracle Linux aufgenommen"
},
{
"date": "2026-02-11T23:00:00.000+00:00",
"number": "11",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2026-02-12T23:00:00.000+00:00",
"number": "12",
"summary": "Neue Updates von SUSE und Oracle Linux aufgenommen"
},
{
"date": "2026-02-16T23:00:00.000+00:00",
"number": "13",
"summary": "Neue Updates von Red Hat aufgenommen"
}
],
"status": "final",
"version": "13"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c20.20.0",
"product": {
"name": "Open Source Node.js \u003c20.20.0",
"product_id": "T049912"
}
},
{
"category": "product_version",
"name": "20.20.0",
"product": {
"name": "Open Source Node.js 20.20.0",
"product_id": "T049912-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:nodejs:nodejs:20.20.0"
}
}
},
{
"category": "product_version_range",
"name": "\u003c22.22.0",
"product": {
"name": "Open Source Node.js \u003c22.22.0",
"product_id": "T049913"
}
},
{
"category": "product_version",
"name": "22.22.0",
"product": {
"name": "Open Source Node.js 22.22.0",
"product_id": "T049913-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:nodejs:nodejs:22.22.0"
}
}
},
{
"category": "product_version_range",
"name": "\u003c24.13.0",
"product": {
"name": "Open Source Node.js \u003c24.13.0",
"product_id": "T049914"
}
},
{
"category": "product_version",
"name": "24.13.0",
"product": {
"name": "Open Source Node.js 24.13.0",
"product_id": "T049914-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:nodejs:nodejs:24.13.0"
}
}
},
{
"category": "product_version_range",
"name": "\u003c25.3.0",
"product": {
"name": "Open Source Node.js \u003c25.3.0",
"product_id": "T049915"
}
},
{
"category": "product_version",
"name": "25.3.0",
"product": {
"name": "Open Source Node.js 25.3.0",
"product_id": "T049915-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:nodejs:nodejs:25.3.0"
}
}
}
],
"category": "product_name",
"name": "Node.js"
}
],
"category": "vendor",
"name": "Open Source"
},
{
"branches": [
{
"category": "product_name",
"name": "Oracle Linux",
"product": {
"name": "Oracle Linux",
"product_id": "T004914",
"product_identification_helper": {
"cpe": "cpe:/o:oracle:linux:-"
}
}
}
],
"category": "vendor",
"name": "Oracle"
},
{
"branches": [
{
"category": "product_name",
"name": "RESF Rocky Linux",
"product": {
"name": "RESF Rocky Linux",
"product_id": "T032255",
"product_identification_helper": {
"cpe": "cpe:/o:resf:rocky_linux:-"
}
}
}
],
"category": "vendor",
"name": "RESF"
},
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux",
"product": {
"name": "Red Hat Enterprise Linux",
"product_id": "67646",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:-"
}
}
}
],
"category": "vendor",
"name": "Red Hat"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux",
"product": {
"name": "SUSE Linux",
"product_id": "T002207",
"product_identification_helper": {
"cpe": "cpe:/o:suse:suse_linux:-"
}
}
}
],
"category": "vendor",
"name": "SUSE"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-55130",
"product_status": {
"known_affected": [
"T049914",
"T049913",
"T049912",
"T002207",
"67646",
"T049915",
"T004914",
"T032255"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-55130"
},
{
"cve": "CVE-2025-55131",
"product_status": {
"known_affected": [
"T049914",
"T049913",
"T049912",
"T002207",
"67646",
"T049915",
"T004914",
"T032255"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-55131"
},
{
"cve": "CVE-2025-55132",
"product_status": {
"known_affected": [
"T049914",
"T049913",
"T049912",
"T002207",
"67646",
"T049915",
"T004914",
"T032255"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-55132"
},
{
"cve": "CVE-2025-59464",
"product_status": {
"known_affected": [
"T049914",
"T049913",
"T049912",
"T002207",
"67646",
"T049915",
"T004914",
"T032255"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-59464"
},
{
"cve": "CVE-2025-59465",
"product_status": {
"known_affected": [
"T049914",
"T049913",
"T049912",
"T002207",
"67646",
"T049915",
"T004914",
"T032255"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-59465"
},
{
"cve": "CVE-2025-59466",
"product_status": {
"known_affected": [
"T049914",
"T049913",
"T049912",
"T002207",
"67646",
"T049915",
"T004914",
"T032255"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-59466"
},
{
"cve": "CVE-2026-21636",
"product_status": {
"known_affected": [
"T049914",
"T049913",
"T049912",
"T002207",
"67646",
"T049915",
"T004914",
"T032255"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2026-21636"
},
{
"cve": "CVE-2026-21637",
"product_status": {
"known_affected": [
"T049914",
"T049913",
"T049912",
"T002207",
"67646",
"T049915",
"T004914",
"T032255"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2026-21637"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…