OPENSUSE-SU-2026:10504-1 - Vulnerability-Lookup

OPENSUSE-SU-2026:10504-1

Vulnerability from csaf_opensuse - Published: 2026-04-08 00:00 - Updated: 2026-04-08 00:00

Summary

corepack24-24.14.1-1.1 on GA media

Severity

Moderate

Notes

Title of the patch: corepack24-24.14.1-1.1 on GA media

Description of the patch: These are all security issues fixed in the corepack24-24.14.1-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames: openSUSE-Tumbleweed-2026-10504

Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

CVE-2026-21710

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-21712

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-21713

5.6 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-21714

5.9 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-21715

3.3 (Low)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-21716

4.4 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-21717

6.3 (Medium)


                        
                          CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

References

URL

Category

	https://www.suse.com/support/security/rating/	external
	https://ftp.suse.com/pub/projects/security/csaf/o…	self
	https://www.suse.com/security/cve/CVE-2026-21710/	self
	https://www.suse.com/security/cve/CVE-2026-21712/	self
	https://www.suse.com/security/cve/CVE-2026-21713/	self
	https://www.suse.com/security/cve/CVE-2026-21714/	self
	https://www.suse.com/security/cve/CVE-2026-21715/	self
	https://www.suse.com/security/cve/CVE-2026-21716/	self
	https://www.suse.com/security/cve/CVE-2026-21717/	self
	https://www.suse.com/security/cve/CVE-2026-21710	external
	https://bugzilla.suse.com/1260455	external
	https://www.suse.com/security/cve/CVE-2026-21712	external
	https://bugzilla.suse.com/1260460	external
	https://www.suse.com/security/cve/CVE-2026-21713	external
	https://bugzilla.suse.com/1260463	external
	https://www.suse.com/security/cve/CVE-2026-21714	external
	https://bugzilla.suse.com/1260480	external
	https://www.suse.com/security/cve/CVE-2026-21715	external
	https://bugzilla.suse.com/1260482	external
	https://www.suse.com/security/cve/CVE-2026-21716	external
	https://bugzilla.suse.com/1260462	external
	https://www.suse.com/security/cve/CVE-2026-21717	external
	https://bugzilla.suse.com/1260494	external

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "corepack24-24.14.1-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the corepack24-24.14.1-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2026-10504",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_10504-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-21710 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-21710/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-21712 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-21712/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-21713 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-21713/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-21714 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-21714/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-21715 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-21715/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-21716 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-21716/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-21717 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-21717/"
      }
    ],
    "title": "corepack24-24.14.1-1.1 on GA media",
    "tracking": {
      "current_release_date": "2026-04-08T00:00:00Z",
      "generator": {
        "date": "2026-04-08T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2026:10504-1",
      "initial_release_date": "2026-04-08T00:00:00Z",
      "revision_history": [
        {
          "date": "2026-04-08T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "corepack24-24.14.1-1.1.aarch64",
                "product": {
                  "name": "corepack24-24.14.1-1.1.aarch64",
                  "product_id": "corepack24-24.14.1-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "nodejs24-24.14.1-1.1.aarch64",
                "product": {
                  "name": "nodejs24-24.14.1-1.1.aarch64",
                  "product_id": "nodejs24-24.14.1-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "nodejs24-devel-24.14.1-1.1.aarch64",
                "product": {
                  "name": "nodejs24-devel-24.14.1-1.1.aarch64",
                  "product_id": "nodejs24-devel-24.14.1-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "nodejs24-docs-24.14.1-1.1.aarch64",
                "product": {
                  "name": "nodejs24-docs-24.14.1-1.1.aarch64",
                  "product_id": "nodejs24-docs-24.14.1-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "npm24-24.14.1-1.1.aarch64",
                "product": {
                  "name": "npm24-24.14.1-1.1.aarch64",
                  "product_id": "npm24-24.14.1-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "corepack24-24.14.1-1.1.ppc64le",
                "product": {
                  "name": "corepack24-24.14.1-1.1.ppc64le",
                  "product_id": "corepack24-24.14.1-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "nodejs24-24.14.1-1.1.ppc64le",
                "product": {
                  "name": "nodejs24-24.14.1-1.1.ppc64le",
                  "product_id": "nodejs24-24.14.1-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "nodejs24-devel-24.14.1-1.1.ppc64le",
                "product": {
                  "name": "nodejs24-devel-24.14.1-1.1.ppc64le",
                  "product_id": "nodejs24-devel-24.14.1-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "nodejs24-docs-24.14.1-1.1.ppc64le",
                "product": {
                  "name": "nodejs24-docs-24.14.1-1.1.ppc64le",
                  "product_id": "nodejs24-docs-24.14.1-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "npm24-24.14.1-1.1.ppc64le",
                "product": {
                  "name": "npm24-24.14.1-1.1.ppc64le",
                  "product_id": "npm24-24.14.1-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "corepack24-24.14.1-1.1.s390x",
                "product": {
                  "name": "corepack24-24.14.1-1.1.s390x",
                  "product_id": "corepack24-24.14.1-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "nodejs24-24.14.1-1.1.s390x",
                "product": {
                  "name": "nodejs24-24.14.1-1.1.s390x",
                  "product_id": "nodejs24-24.14.1-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "nodejs24-devel-24.14.1-1.1.s390x",
                "product": {
                  "name": "nodejs24-devel-24.14.1-1.1.s390x",
                  "product_id": "nodejs24-devel-24.14.1-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "nodejs24-docs-24.14.1-1.1.s390x",
                "product": {
                  "name": "nodejs24-docs-24.14.1-1.1.s390x",
                  "product_id": "nodejs24-docs-24.14.1-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "npm24-24.14.1-1.1.s390x",
                "product": {
                  "name": "npm24-24.14.1-1.1.s390x",
                  "product_id": "npm24-24.14.1-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "corepack24-24.14.1-1.1.x86_64",
                "product": {
                  "name": "corepack24-24.14.1-1.1.x86_64",
                  "product_id": "corepack24-24.14.1-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "nodejs24-24.14.1-1.1.x86_64",
                "product": {
                  "name": "nodejs24-24.14.1-1.1.x86_64",
                  "product_id": "nodejs24-24.14.1-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "nodejs24-devel-24.14.1-1.1.x86_64",
                "product": {
                  "name": "nodejs24-devel-24.14.1-1.1.x86_64",
                  "product_id": "nodejs24-devel-24.14.1-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "nodejs24-docs-24.14.1-1.1.x86_64",
                "product": {
                  "name": "nodejs24-docs-24.14.1-1.1.x86_64",
                  "product_id": "nodejs24-docs-24.14.1-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "npm24-24.14.1-1.1.x86_64",
                "product": {
                  "name": "npm24-24.14.1-1.1.x86_64",
                  "product_id": "npm24-24.14.1-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "corepack24-24.14.1-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:corepack24-24.14.1-1.1.aarch64"
        },
        "product_reference": "corepack24-24.14.1-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "corepack24-24.14.1-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:corepack24-24.14.1-1.1.ppc64le"
        },
        "product_reference": "corepack24-24.14.1-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "corepack24-24.14.1-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:corepack24-24.14.1-1.1.s390x"
        },
        "product_reference": "corepack24-24.14.1-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "corepack24-24.14.1-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:corepack24-24.14.1-1.1.x86_64"
        },
        "product_reference": "corepack24-24.14.1-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nodejs24-24.14.1-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.aarch64"
        },
        "product_reference": "nodejs24-24.14.1-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nodejs24-24.14.1-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.ppc64le"
        },
        "product_reference": "nodejs24-24.14.1-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nodejs24-24.14.1-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.s390x"
        },
        "product_reference": "nodejs24-24.14.1-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nodejs24-24.14.1-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.x86_64"
        },
        "product_reference": "nodejs24-24.14.1-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nodejs24-devel-24.14.1-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.aarch64"
        },
        "product_reference": "nodejs24-devel-24.14.1-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nodejs24-devel-24.14.1-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.ppc64le"
        },
        "product_reference": "nodejs24-devel-24.14.1-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nodejs24-devel-24.14.1-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.s390x"
        },
        "product_reference": "nodejs24-devel-24.14.1-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nodejs24-devel-24.14.1-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.x86_64"
        },
        "product_reference": "nodejs24-devel-24.14.1-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nodejs24-docs-24.14.1-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.aarch64"
        },
        "product_reference": "nodejs24-docs-24.14.1-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nodejs24-docs-24.14.1-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.ppc64le"
        },
        "product_reference": "nodejs24-docs-24.14.1-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nodejs24-docs-24.14.1-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.s390x"
        },
        "product_reference": "nodejs24-docs-24.14.1-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nodejs24-docs-24.14.1-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.x86_64"
        },
        "product_reference": "nodejs24-docs-24.14.1-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "npm24-24.14.1-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:npm24-24.14.1-1.1.aarch64"
        },
        "product_reference": "npm24-24.14.1-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "npm24-24.14.1-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:npm24-24.14.1-1.1.ppc64le"
        },
        "product_reference": "npm24-24.14.1-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "npm24-24.14.1-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:npm24-24.14.1-1.1.s390x"
        },
        "product_reference": "npm24-24.14.1-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "npm24-24.14.1-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:npm24-24.14.1-1.1.x86_64"
        },
        "product_reference": "npm24-24.14.1-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-21710",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-21710"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`.\r\n\r\nWhen this occurs, `dest[\"__proto__\"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by `error` event listeners, meaning it cannot be handled without wrapping every `req.headersDistinct` access in a `try/catch`.\r\n\r\n* This vulnerability affects all Node.js HTTP servers on **20.x, 22.x, 24.x, and v25.x**",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:corepack24-24.14.1-1.1.aarch64",
          "openSUSE Tumbleweed:corepack24-24.14.1-1.1.ppc64le",
          "openSUSE Tumbleweed:corepack24-24.14.1-1.1.s390x",
          "openSUSE Tumbleweed:corepack24-24.14.1-1.1.x86_64",
          "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.aarch64",
          "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.ppc64le",
          "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.s390x",
          "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.x86_64",
          "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.aarch64",
          "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.ppc64le",
          "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.s390x",
          "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.x86_64",
          "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.aarch64",
          "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.ppc64le",
          "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.s390x",
          "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.x86_64",
          "openSUSE Tumbleweed:npm24-24.14.1-1.1.aarch64",
          "openSUSE Tumbleweed:npm24-24.14.1-1.1.ppc64le",
          "openSUSE Tumbleweed:npm24-24.14.1-1.1.s390x",
          "openSUSE Tumbleweed:npm24-24.14.1-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-21710",
          "url": "https://www.suse.com/security/cve/CVE-2026-21710"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1260455 for CVE-2026-21710",
          "url": "https://bugzilla.suse.com/1260455"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:corepack24-24.14.1-1.1.aarch64",
            "openSUSE Tumbleweed:corepack24-24.14.1-1.1.ppc64le",
            "openSUSE Tumbleweed:corepack24-24.14.1-1.1.s390x",
            "openSUSE Tumbleweed:corepack24-24.14.1-1.1.x86_64",
            "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.aarch64",
            "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.ppc64le",
            "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.s390x",
            "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.x86_64",
            "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.aarch64",
            "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.ppc64le",
            "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.s390x",
            "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.x86_64",
            "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.aarch64",
            "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.ppc64le",
            "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.s390x",
            "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.x86_64",
            "openSUSE Tumbleweed:npm24-24.14.1-1.1.aarch64",
            "openSUSE Tumbleweed:npm24-24.14.1-1.1.ppc64le",
            "openSUSE Tumbleweed:npm24-24.14.1-1.1.s390x",
            "openSUSE Tumbleweed:npm24-24.14.1-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:corepack24-24.14.1-1.1.aarch64",
            "openSUSE Tumbleweed:corepack24-24.14.1-1.1.ppc64le",
            "openSUSE Tumbleweed:corepack24-24.14.1-1.1.s390x",
            "openSUSE Tumbleweed:corepack24-24.14.1-1.1.x86_64",
            "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.aarch64",
            "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.ppc64le",
            "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.s390x",
            "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.x86_64",
            "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.aarch64",
            "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.ppc64le",
            "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.s390x",
            "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.x86_64",
            "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.aarch64",
            "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.ppc64le",
            "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.s390x",
            "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.x86_64",
            "openSUSE Tumbleweed:npm24-24.14.1-1.1.aarch64",
            "openSUSE Tumbleweed:npm24-24.14.1-1.1.ppc64le",
            "openSUSE Tumbleweed:npm24-24.14.1-1.1.s390x",
            "openSUSE Tumbleweed:npm24-24.14.1-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-04-08T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-21710"
    },
    {
      "cve": "CVE-2026-21712",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-21712"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "A flaw in Node.js URL processing causes an assertion failure in native code when `url.format()` is called with a malformed internationalized domain name (IDN) containing invalid characters, crashing the Node.js process.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:corepack24-24.14.1-1.1.aarch64",
          "openSUSE Tumbleweed:corepack24-24.14.1-1.1.ppc64le",
          "openSUSE Tumbleweed:corepack24-24.14.1-1.1.s390x",
          "openSUSE Tumbleweed:corepack24-24.14.1-1.1.x86_64",
          "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.aarch64",
          "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.ppc64le",
          "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.s390x",
          "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.x86_64",
          "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.aarch64",
          "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.ppc64le",
          "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.s390x",
          "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.x86_64",
          "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.aarch64",
          "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.ppc64le",
          "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.s390x",
          "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.x86_64",
          "openSUSE Tumbleweed:npm24-24.14.1-1.1.aarch64",
          "openSUSE Tumbleweed:npm24-24.14.1-1.1.ppc64le",
          "openSUSE Tumbleweed:npm24-24.14.1-1.1.s390x",
          "openSUSE Tumbleweed:npm24-24.14.1-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-21712",
          "url": "https://www.suse.com/security/cve/CVE-2026-21712"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1260460 for CVE-2026-21712",
          "url": "https://bugzilla.suse.com/1260460"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:corepack24-24.14.1-1.1.aarch64",
            "openSUSE Tumbleweed:corepack24-24.14.1-1.1.ppc64le",
            "openSUSE Tumbleweed:corepack24-24.14.1-1.1.s390x",
            "openSUSE Tumbleweed:corepack24-24.14.1-1.1.x86_64",
            "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.aarch64",
            "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.ppc64le",
            "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.s390x",
            "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.x86_64",
            "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.aarch64",
            "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.ppc64le",
            "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.s390x",
            "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.x86_64",
            "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.aarch64",
            "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.ppc64le",
            "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.s390x",
            "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.x86_64",
            "openSUSE Tumbleweed:npm24-24.14.1-1.1.aarch64",
            "openSUSE Tumbleweed:npm24-24.14.1-1.1.ppc64le",
            "openSUSE Tumbleweed:npm24-24.14.1-1.1.s390x",
            "openSUSE Tumbleweed:npm24-24.14.1-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:corepack24-24.14.1-1.1.aarch64",
            "openSUSE Tumbleweed:corepack24-24.14.1-1.1.ppc64le",
            "openSUSE Tumbleweed:corepack24-24.14.1-1.1.s390x",
            "openSUSE Tumbleweed:corepack24-24.14.1-1.1.x86_64",
            "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.aarch64",
            "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.ppc64le",
            "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.s390x",
            "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.x86_64",
            "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.aarch64",
            "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.ppc64le",
            "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.s390x",
            "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.x86_64",
            "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.aarch64",
            "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.ppc64le",
            "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.s390x",
            "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.x86_64",
            "openSUSE Tumbleweed:npm24-24.14.1-1.1.aarch64",
            "openSUSE Tumbleweed:npm24-24.14.1-1.1.ppc64le",
            "openSUSE Tumbleweed:npm24-24.14.1-1.1.s390x",
            "openSUSE Tumbleweed:npm24-24.14.1-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-04-08T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-21712"
    },
    {
      "cve": "CVE-2026-21713",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-21713"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possible, this behavior could be exploited as a timing oracle to infer HMAC values.\r\n\r\nNode.js already provides timing-safe comparison primitives used elsewhere in the codebase, indicating this is an oversight rather than an intentional design decision.\r\n\r\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x**.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:corepack24-24.14.1-1.1.aarch64",
          "openSUSE Tumbleweed:corepack24-24.14.1-1.1.ppc64le",
          "openSUSE Tumbleweed:corepack24-24.14.1-1.1.s390x",
          "openSUSE Tumbleweed:corepack24-24.14.1-1.1.x86_64",
          "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.aarch64",
          "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.ppc64le",
          "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.s390x",
          "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.x86_64",
          "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.aarch64",
          "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.ppc64le",
          "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.s390x",
          "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.x86_64",
          "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.aarch64",
          "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.ppc64le",
          "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.s390x",
          "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.x86_64",
          "openSUSE Tumbleweed:npm24-24.14.1-1.1.aarch64",
          "openSUSE Tumbleweed:npm24-24.14.1-1.1.ppc64le",
          "openSUSE Tumbleweed:npm24-24.14.1-1.1.s390x",
          "openSUSE Tumbleweed:npm24-24.14.1-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-21713",
          "url": "https://www.suse.com/security/cve/CVE-2026-21713"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1260463 for CVE-2026-21713",
          "url": "https://bugzilla.suse.com/1260463"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:corepack24-24.14.1-1.1.aarch64",
            "openSUSE Tumbleweed:corepack24-24.14.1-1.1.ppc64le",
            "openSUSE Tumbleweed:corepack24-24.14.1-1.1.s390x",
            "openSUSE Tumbleweed:corepack24-24.14.1-1.1.x86_64",
            "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.aarch64",
            "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.ppc64le",
            "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.s390x",
            "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.x86_64",
            "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.aarch64",
            "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.ppc64le",
            "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.s390x",
            "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.x86_64",
            "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.aarch64",
            "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.ppc64le",
            "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.s390x",
            "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.x86_64",
            "openSUSE Tumbleweed:npm24-24.14.1-1.1.aarch64",
            "openSUSE Tumbleweed:npm24-24.14.1-1.1.ppc64le",
            "openSUSE Tumbleweed:npm24-24.14.1-1.1.s390x",
            "openSUSE Tumbleweed:npm24-24.14.1-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.6,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:corepack24-24.14.1-1.1.aarch64",
            "openSUSE Tumbleweed:corepack24-24.14.1-1.1.ppc64le",
            "openSUSE Tumbleweed:corepack24-24.14.1-1.1.s390x",
            "openSUSE Tumbleweed:corepack24-24.14.1-1.1.x86_64",
            "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.aarch64",
            "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.ppc64le",
            "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.s390x",
            "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.x86_64",
            "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.aarch64",
            "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.ppc64le",
            "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.s390x",
            "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.x86_64",
            "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.aarch64",
            "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.ppc64le",
            "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.s390x",
            "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.x86_64",
            "openSUSE Tumbleweed:npm24-24.14.1-1.1.aarch64",
            "openSUSE Tumbleweed:npm24-24.14.1-1.1.ppc64le",
            "openSUSE Tumbleweed:npm24-24.14.1-1.1.s390x",
            "openSUSE Tumbleweed:npm24-24.14.1-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-04-08T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-21713"
    },
    {
      "cve": "CVE-2026-21714",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-21714"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up.\r\n\r\nThis vulnerability affects HTTP2 users on Node.js 20, 22, 24 and 25.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:corepack24-24.14.1-1.1.aarch64",
          "openSUSE Tumbleweed:corepack24-24.14.1-1.1.ppc64le",
          "openSUSE Tumbleweed:corepack24-24.14.1-1.1.s390x",
          "openSUSE Tumbleweed:corepack24-24.14.1-1.1.x86_64",
          "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.aarch64",
          "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.ppc64le",
          "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.s390x",
          "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.x86_64",
          "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.aarch64",
          "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.ppc64le",
          "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.s390x",
          "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.x86_64",
          "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.aarch64",
          "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.ppc64le",
          "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.s390x",
          "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.x86_64",
          "openSUSE Tumbleweed:npm24-24.14.1-1.1.aarch64",
          "openSUSE Tumbleweed:npm24-24.14.1-1.1.ppc64le",
          "openSUSE Tumbleweed:npm24-24.14.1-1.1.s390x",
          "openSUSE Tumbleweed:npm24-24.14.1-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-21714",
          "url": "https://www.suse.com/security/cve/CVE-2026-21714"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1260480 for CVE-2026-21714",
          "url": "https://bugzilla.suse.com/1260480"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:corepack24-24.14.1-1.1.aarch64",
            "openSUSE Tumbleweed:corepack24-24.14.1-1.1.ppc64le",
            "openSUSE Tumbleweed:corepack24-24.14.1-1.1.s390x",
            "openSUSE Tumbleweed:corepack24-24.14.1-1.1.x86_64",
            "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.aarch64",
            "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.ppc64le",
            "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.s390x",
            "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.x86_64",
            "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.aarch64",
            "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.ppc64le",
            "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.s390x",
            "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.x86_64",
            "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.aarch64",
            "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.ppc64le",
            "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.s390x",
            "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.x86_64",
            "openSUSE Tumbleweed:npm24-24.14.1-1.1.aarch64",
            "openSUSE Tumbleweed:npm24-24.14.1-1.1.ppc64le",
            "openSUSE Tumbleweed:npm24-24.14.1-1.1.s390x",
            "openSUSE Tumbleweed:npm24-24.14.1-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:corepack24-24.14.1-1.1.aarch64",
            "openSUSE Tumbleweed:corepack24-24.14.1-1.1.ppc64le",
            "openSUSE Tumbleweed:corepack24-24.14.1-1.1.s390x",
            "openSUSE Tumbleweed:corepack24-24.14.1-1.1.x86_64",
            "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.aarch64",
            "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.ppc64le",
            "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.s390x",
            "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.x86_64",
            "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.aarch64",
            "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.ppc64le",
            "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.s390x",
            "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.x86_64",
            "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.aarch64",
            "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.ppc64le",
            "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.s390x",
            "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.x86_64",
            "openSUSE Tumbleweed:npm24-24.14.1-1.1.aarch64",
            "openSUSE Tumbleweed:npm24-24.14.1-1.1.ppc64le",
            "openSUSE Tumbleweed:npm24-24.14.1-1.1.s390x",
            "openSUSE Tumbleweed:npm24-24.14.1-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-04-08T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-21714"
    },
    {
      "cve": "CVE-2026-21715",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-21715"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "A flaw in Node.js Permission Model filesystem enforcement leaves `fs.realpathSync.native()` without the required read permission checks, while all comparable filesystem functions correctly enforce them.\r\n\r\nAs a result, code running under `--permission` with restricted `--allow-fs-read` can still use `fs.realpathSync.native()` to check file existence, resolve symlink targets, and enumerate filesystem paths outside of permitted directories.\r\n\r\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-read` is intentionally restricted.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:corepack24-24.14.1-1.1.aarch64",
          "openSUSE Tumbleweed:corepack24-24.14.1-1.1.ppc64le",
          "openSUSE Tumbleweed:corepack24-24.14.1-1.1.s390x",
          "openSUSE Tumbleweed:corepack24-24.14.1-1.1.x86_64",
          "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.aarch64",
          "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.ppc64le",
          "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.s390x",
          "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.x86_64",
          "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.aarch64",
          "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.ppc64le",
          "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.s390x",
          "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.x86_64",
          "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.aarch64",
          "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.ppc64le",
          "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.s390x",
          "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.x86_64",
          "openSUSE Tumbleweed:npm24-24.14.1-1.1.aarch64",
          "openSUSE Tumbleweed:npm24-24.14.1-1.1.ppc64le",
          "openSUSE Tumbleweed:npm24-24.14.1-1.1.s390x",
          "openSUSE Tumbleweed:npm24-24.14.1-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-21715",
          "url": "https://www.suse.com/security/cve/CVE-2026-21715"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1260482 for CVE-2026-21715",
          "url": "https://bugzilla.suse.com/1260482"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:corepack24-24.14.1-1.1.aarch64",
            "openSUSE Tumbleweed:corepack24-24.14.1-1.1.ppc64le",
            "openSUSE Tumbleweed:corepack24-24.14.1-1.1.s390x",
            "openSUSE Tumbleweed:corepack24-24.14.1-1.1.x86_64",
            "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.aarch64",
            "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.ppc64le",
            "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.s390x",
            "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.x86_64",
            "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.aarch64",
            "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.ppc64le",
            "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.s390x",
            "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.x86_64",
            "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.aarch64",
            "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.ppc64le",
            "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.s390x",
            "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.x86_64",
            "openSUSE Tumbleweed:npm24-24.14.1-1.1.aarch64",
            "openSUSE Tumbleweed:npm24-24.14.1-1.1.ppc64le",
            "openSUSE Tumbleweed:npm24-24.14.1-1.1.s390x",
            "openSUSE Tumbleweed:npm24-24.14.1-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 3.3,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:corepack24-24.14.1-1.1.aarch64",
            "openSUSE Tumbleweed:corepack24-24.14.1-1.1.ppc64le",
            "openSUSE Tumbleweed:corepack24-24.14.1-1.1.s390x",
            "openSUSE Tumbleweed:corepack24-24.14.1-1.1.x86_64",
            "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.aarch64",
            "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.ppc64le",
            "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.s390x",
            "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.x86_64",
            "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.aarch64",
            "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.ppc64le",
            "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.s390x",
            "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.x86_64",
            "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.aarch64",
            "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.ppc64le",
            "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.s390x",
            "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.x86_64",
            "openSUSE Tumbleweed:npm24-24.14.1-1.1.aarch64",
            "openSUSE Tumbleweed:npm24-24.14.1-1.1.ppc64le",
            "openSUSE Tumbleweed:npm24-24.14.1-1.1.s390x",
            "openSUSE Tumbleweed:npm24-24.14.1-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-04-08T00:00:00Z",
          "details": "low"
        }
      ],
      "title": "CVE-2026-21715"
    },
    {
      "cve": "CVE-2026-21716",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-21716"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and `FileHandle.chown()` in the promises API without the required permission checks, while their callback-based equivalents (`fs.fchmod()`, `fs.fchown()`) were correctly patched.\r\n\r\nAs a result, code running under `--permission` with restricted `--allow-fs-write` can still use promise-based `FileHandle` methods to modify file permissions and ownership on already-open file descriptors, bypassing the intended write restrictions.\r\n\r\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-write` is intentionally restricted.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:corepack24-24.14.1-1.1.aarch64",
          "openSUSE Tumbleweed:corepack24-24.14.1-1.1.ppc64le",
          "openSUSE Tumbleweed:corepack24-24.14.1-1.1.s390x",
          "openSUSE Tumbleweed:corepack24-24.14.1-1.1.x86_64",
          "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.aarch64",
          "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.ppc64le",
          "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.s390x",
          "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.x86_64",
          "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.aarch64",
          "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.ppc64le",
          "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.s390x",
          "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.x86_64",
          "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.aarch64",
          "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.ppc64le",
          "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.s390x",
          "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.x86_64",
          "openSUSE Tumbleweed:npm24-24.14.1-1.1.aarch64",
          "openSUSE Tumbleweed:npm24-24.14.1-1.1.ppc64le",
          "openSUSE Tumbleweed:npm24-24.14.1-1.1.s390x",
          "openSUSE Tumbleweed:npm24-24.14.1-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-21716",
          "url": "https://www.suse.com/security/cve/CVE-2026-21716"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1260462 for CVE-2026-21716",
          "url": "https://bugzilla.suse.com/1260462"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:corepack24-24.14.1-1.1.aarch64",
            "openSUSE Tumbleweed:corepack24-24.14.1-1.1.ppc64le",
            "openSUSE Tumbleweed:corepack24-24.14.1-1.1.s390x",
            "openSUSE Tumbleweed:corepack24-24.14.1-1.1.x86_64",
            "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.aarch64",
            "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.ppc64le",
            "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.s390x",
            "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.x86_64",
            "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.aarch64",
            "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.ppc64le",
            "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.s390x",
            "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.x86_64",
            "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.aarch64",
            "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.ppc64le",
            "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.s390x",
            "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.x86_64",
            "openSUSE Tumbleweed:npm24-24.14.1-1.1.aarch64",
            "openSUSE Tumbleweed:npm24-24.14.1-1.1.ppc64le",
            "openSUSE Tumbleweed:npm24-24.14.1-1.1.s390x",
            "openSUSE Tumbleweed:npm24-24.14.1-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 4.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:corepack24-24.14.1-1.1.aarch64",
            "openSUSE Tumbleweed:corepack24-24.14.1-1.1.ppc64le",
            "openSUSE Tumbleweed:corepack24-24.14.1-1.1.s390x",
            "openSUSE Tumbleweed:corepack24-24.14.1-1.1.x86_64",
            "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.aarch64",
            "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.ppc64le",
            "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.s390x",
            "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.x86_64",
            "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.aarch64",
            "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.ppc64le",
            "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.s390x",
            "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.x86_64",
            "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.aarch64",
            "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.ppc64le",
            "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.s390x",
            "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.x86_64",
            "openSUSE Tumbleweed:npm24-24.14.1-1.1.aarch64",
            "openSUSE Tumbleweed:npm24-24.14.1-1.1.ppc64le",
            "openSUSE Tumbleweed:npm24-24.14.1-1.1.s390x",
            "openSUSE Tumbleweed:npm24-24.14.1-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-04-08T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-21716"
    },
    {
      "cve": "CVE-2026-21717",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-21717"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "A flaw in V8\u0027s string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8\u0027s internal string table, an attacker can significantly degrade performance of the Node.js process.\r\n\r\nThe most common trigger is any endpoint that calls `JSON.parse()` on attacker-controlled input, as JSON parsing automatically internalizes short strings into the affected hash table.\r\n\r\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x**.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:corepack24-24.14.1-1.1.aarch64",
          "openSUSE Tumbleweed:corepack24-24.14.1-1.1.ppc64le",
          "openSUSE Tumbleweed:corepack24-24.14.1-1.1.s390x",
          "openSUSE Tumbleweed:corepack24-24.14.1-1.1.x86_64",
          "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.aarch64",
          "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.ppc64le",
          "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.s390x",
          "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.x86_64",
          "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.aarch64",
          "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.ppc64le",
          "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.s390x",
          "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.x86_64",
          "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.aarch64",
          "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.ppc64le",
          "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.s390x",
          "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.x86_64",
          "openSUSE Tumbleweed:npm24-24.14.1-1.1.aarch64",
          "openSUSE Tumbleweed:npm24-24.14.1-1.1.ppc64le",
          "openSUSE Tumbleweed:npm24-24.14.1-1.1.s390x",
          "openSUSE Tumbleweed:npm24-24.14.1-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-21717",
          "url": "https://www.suse.com/security/cve/CVE-2026-21717"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1260494 for CVE-2026-21717",
          "url": "https://bugzilla.suse.com/1260494"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:corepack24-24.14.1-1.1.aarch64",
            "openSUSE Tumbleweed:corepack24-24.14.1-1.1.ppc64le",
            "openSUSE Tumbleweed:corepack24-24.14.1-1.1.s390x",
            "openSUSE Tumbleweed:corepack24-24.14.1-1.1.x86_64",
            "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.aarch64",
            "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.ppc64le",
            "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.s390x",
            "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.x86_64",
            "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.aarch64",
            "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.ppc64le",
            "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.s390x",
            "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.x86_64",
            "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.aarch64",
            "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.ppc64le",
            "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.s390x",
            "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.x86_64",
            "openSUSE Tumbleweed:npm24-24.14.1-1.1.aarch64",
            "openSUSE Tumbleweed:npm24-24.14.1-1.1.ppc64le",
            "openSUSE Tumbleweed:npm24-24.14.1-1.1.s390x",
            "openSUSE Tumbleweed:npm24-24.14.1-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:corepack24-24.14.1-1.1.aarch64",
            "openSUSE Tumbleweed:corepack24-24.14.1-1.1.ppc64le",
            "openSUSE Tumbleweed:corepack24-24.14.1-1.1.s390x",
            "openSUSE Tumbleweed:corepack24-24.14.1-1.1.x86_64",
            "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.aarch64",
            "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.ppc64le",
            "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.s390x",
            "openSUSE Tumbleweed:nodejs24-24.14.1-1.1.x86_64",
            "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.aarch64",
            "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.ppc64le",
            "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.s390x",
            "openSUSE Tumbleweed:nodejs24-devel-24.14.1-1.1.x86_64",
            "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.aarch64",
            "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.ppc64le",
            "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.s390x",
            "openSUSE Tumbleweed:nodejs24-docs-24.14.1-1.1.x86_64",
            "openSUSE Tumbleweed:npm24-24.14.1-1.1.aarch64",
            "openSUSE Tumbleweed:npm24-24.14.1-1.1.ppc64le",
            "openSUSE Tumbleweed:npm24-24.14.1-1.1.s390x",
            "openSUSE Tumbleweed:npm24-24.14.1-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-04-08T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-21717"
    }
  ]
}

CVE-2026-21714 (GCVE-0-2026-21714)

Vulnerability from cvelistv5 – Published: 2026-03-30 19:07 – Updated: 2026-03-31 18:05

Summary

A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2³¹-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up. This vulnerability affects HTTP2 users on Node.js 20, 22, 24 and 25.

Severity ?

5.3 (Medium)


                        
                          CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE

CWE-401 - Missing Release of Memory after Effective Lifetime

Assigner

hackerone

References

URL

Tags

https://nodejs.org/en/blog/vulnerability/march-20…

Impacted products

	Vendor	Product	Version
	nodejs	node	Affected: 20.20.1 , ≤ 20.20.1 (semver) Affected: 22.22.1 , ≤ 22.22.1 (semver) Affected: 24.14.0 , ≤ 24.14.0 (semver) Affected: 25.8.1 , ≤ 25.8.1 (semver)

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-21714",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-31T16:14:45.777607Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-401",
                "description": "CWE-401 Missing Release of Memory after Effective Lifetime",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-31T18:05:22.283Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "node",
          "vendor": "nodejs",
          "versions": [
            {
              "lessThanOrEqual": "20.20.1",
              "status": "affected",
              "version": "20.20.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "22.22.1",
              "status": "affected",
              "version": "22.22.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "24.14.0",
              "status": "affected",
              "version": "24.14.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "25.8.1",
              "status": "affected",
              "version": "25.8.1",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2\u00b3\u00b9-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up.\r\n\r\nThis vulnerability affects HTTP2 users on Node.js 20, 22, 24 and 25."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.0"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-30T19:07:28.317Z",
        "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "shortName": "hackerone"
      },
      "references": [
        {
          "url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
    "assignerShortName": "hackerone",
    "cveId": "CVE-2026-21714",
    "datePublished": "2026-03-30T19:07:28.317Z",
    "dateReserved": "2026-01-04T15:00:06.574Z",
    "dateUpdated": "2026-03-31T18:05:22.283Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-21710 (GCVE-0-2026-21710)

Vulnerability from cvelistv5 – Published: 2026-03-30 19:07 – Updated: 2026-03-31 13:55

Summary

A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`. When this occurs, `dest["__proto__"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by `error` event listeners, meaning it cannot be handled without wrapping every `req.headersDistinct` access in a `try/catch`. * This vulnerability affects all Node.js HTTP servers on **20.x, 22.x, 24.x, and v25.x**

Severity ?

7.5 (High)


                        
                          CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-770 - Allocation of Resources Without Limits or Throttling

Assigner

hackerone

References

URL

Tags

https://nodejs.org/en/blog/vulnerability/march-20…

Impacted products

	Vendor	Product	Version
	nodejs	node	Affected: 20.20.1 , ≤ 20.20.1 (semver) Affected: 22.22.1 , ≤ 22.22.1 (semver) Affected: 24.14.0 , ≤ 24.14.0 (semver) Affected: 25.8.1 , ≤ 25.8.1 (semver) Affected: 4.0 , < 4.* (semver) Affected: 5.0 , < 5.* (semver) Affected: 6.0 , < 6.* (semver) Affected: 7.0 , < 7.* (semver) Affected: 8.0 , < 8.* (semver) Affected: 9.0 , < 9.* (semver) Affected: 10.0 , < 10.* (semver) Affected: 11.0 , < 11.* (semver) Affected: 12.0 , < 12.* (semver) Affected: 13.0 , < 13.* (semver) Affected: 14.0 , < 14.* (semver) Affected: 15.0 , < 15.* (semver) Affected: 16.0 , < 16.* (semver) Affected: 17.0 , < 17.* (semver) Affected: 18.0 , < 18.* (semver) Affected: 19.0 , < 19.* (semver)

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-21710",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-31T13:55:20.665443Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-770",
                "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-31T13:55:23.719Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "node",
          "vendor": "nodejs",
          "versions": [
            {
              "lessThanOrEqual": "20.20.1",
              "status": "affected",
              "version": "20.20.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "22.22.1",
              "status": "affected",
              "version": "22.22.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "24.14.0",
              "status": "affected",
              "version": "24.14.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "25.8.1",
              "status": "affected",
              "version": "25.8.1",
              "versionType": "semver"
            },
            {
              "lessThan": "4.*",
              "status": "affected",
              "version": "4.0",
              "versionType": "semver"
            },
            {
              "lessThan": "5.*",
              "status": "affected",
              "version": "5.0",
              "versionType": "semver"
            },
            {
              "lessThan": "6.*",
              "status": "affected",
              "version": "6.0",
              "versionType": "semver"
            },
            {
              "lessThan": "7.*",
              "status": "affected",
              "version": "7.0",
              "versionType": "semver"
            },
            {
              "lessThan": "8.*",
              "status": "affected",
              "version": "8.0",
              "versionType": "semver"
            },
            {
              "lessThan": "9.*",
              "status": "affected",
              "version": "9.0",
              "versionType": "semver"
            },
            {
              "lessThan": "10.*",
              "status": "affected",
              "version": "10.0",
              "versionType": "semver"
            },
            {
              "lessThan": "11.*",
              "status": "affected",
              "version": "11.0",
              "versionType": "semver"
            },
            {
              "lessThan": "12.*",
              "status": "affected",
              "version": "12.0",
              "versionType": "semver"
            },
            {
              "lessThan": "13.*",
              "status": "affected",
              "version": "13.0",
              "versionType": "semver"
            },
            {
              "lessThan": "14.*",
              "status": "affected",
              "version": "14.0",
              "versionType": "semver"
            },
            {
              "lessThan": "15.*",
              "status": "affected",
              "version": "15.0",
              "versionType": "semver"
            },
            {
              "lessThan": "16.*",
              "status": "affected",
              "version": "16.0",
              "versionType": "semver"
            },
            {
              "lessThan": "17.*",
              "status": "affected",
              "version": "17.0",
              "versionType": "semver"
            },
            {
              "lessThan": "18.*",
              "status": "affected",
              "version": "18.0",
              "versionType": "semver"
            },
            {
              "lessThan": "19.*",
              "status": "affected",
              "version": "19.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`.\r\n\r\nWhen this occurs, `dest[\"__proto__\"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by `error` event listeners, meaning it cannot be handled without wrapping every `req.headersDistinct` access in a `try/catch`.\r\n\r\n* This vulnerability affects all Node.js HTTP servers on **20.x, 22.x, 24.x, and v25.x**"
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-30T19:07:28.558Z",
        "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "shortName": "hackerone"
      },
      "references": [
        {
          "url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
    "assignerShortName": "hackerone",
    "cveId": "CVE-2026-21710",
    "datePublished": "2026-03-30T19:07:28.558Z",
    "dateReserved": "2026-01-04T15:00:06.574Z",
    "dateUpdated": "2026-03-31T13:55:23.719Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-21716 (GCVE-0-2026-21716)

Vulnerability from cvelistv5 – Published: 2026-03-30 19:07 – Updated: 2026-03-31 14:27

Summary

An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and `FileHandle.chown()` in the promises API without the required permission checks, while their callback-based equivalents (`fs.fchmod()`, `fs.fchown()`) were correctly patched. As a result, code running under `--permission` with restricted `--allow-fs-write` can still use promise-based `FileHandle` methods to modify file permissions and ownership on already-open file descriptors, bypassing the intended write restrictions. This vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-write` is intentionally restricted.

Severity ?

3.3 (Low)


                        
                          CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CWE

CWE-862 - Missing Authorization

Assigner

hackerone

References

URL

Tags

https://nodejs.org/en/blog/vulnerability/march-20…

Impacted products

	Vendor	Product	Version
	nodejs	node	Affected: 20.20.1 , ≤ 20.20.1 (semver) Affected: 22.22.1 , ≤ 22.22.1 (semver) Affected: 24.14.0 , ≤ 24.14.0 (semver) Affected: 25.8.1 , ≤ 25.8.1 (semver)

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-21716",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-31T14:27:06.373734Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-862",
                "description": "CWE-862 Missing Authorization",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-31T14:27:23.323Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "node",
          "vendor": "nodejs",
          "versions": [
            {
              "lessThanOrEqual": "20.20.1",
              "status": "affected",
              "version": "20.20.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "22.22.1",
              "status": "affected",
              "version": "22.22.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "24.14.0",
              "status": "affected",
              "version": "24.14.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "25.8.1",
              "status": "affected",
              "version": "25.8.1",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and `FileHandle.chown()` in the promises API without the required permission checks, while their callback-based equivalents (`fs.fchmod()`, `fs.fchown()`) were correctly patched.\r\n\r\nAs a result, code running under `--permission` with restricted `--allow-fs-write` can still use promise-based `FileHandle` methods to modify file permissions and ownership on already-open file descriptors, bypassing the intended write restrictions.\r\n\r\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-write` is intentionally restricted."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "baseScore": 3.3,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.0"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-30T19:07:28.538Z",
        "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "shortName": "hackerone"
      },
      "references": [
        {
          "url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
    "assignerShortName": "hackerone",
    "cveId": "CVE-2026-21716",
    "datePublished": "2026-03-30T19:07:28.538Z",
    "dateReserved": "2026-01-04T15:00:06.575Z",
    "dateUpdated": "2026-03-31T14:27:23.323Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-21717 (GCVE-0-2026-21717)

Vulnerability from cvelistv5 – Published: 2026-03-30 19:07 – Updated: 2026-03-30 19:46

Summary

A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade performance of the Node.js process. The most common trigger is any endpoint that calls `JSON.parse()` on attacker-controlled input, as JSON parsing automatically internalizes short strings into the affected hash table. This vulnerability affects **20.x, 22.x, 24.x, and 25.x**.

Severity ?

5.9 (Medium)


                        
                          CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Assigner

hackerone

References

URL

Tags

https://nodejs.org/en/blog/vulnerability/march-20…

Impacted products

	Vendor	Product	Version
	nodejs	node	Affected: 20.20.1 , ≤ 20.20.1 (semver) Affected: 22.22.1 , ≤ 22.22.1 (semver) Affected: 24.14.0 , ≤ 24.14.0 (semver) Affected: 25.8.1 , ≤ 25.8.1 (semver) Affected: 4.0 , < 4.* (semver) Affected: 5.0 , < 5.* (semver) Affected: 6.0 , < 6.* (semver) Affected: 7.0 , < 7.* (semver) Affected: 8.0 , < 8.* (semver) Affected: 9.0 , < 9.* (semver) Affected: 10.0 , < 10.* (semver) Affected: 11.0 , < 11.* (semver) Affected: 12.0 , < 12.* (semver) Affected: 13.0 , < 13.* (semver) Affected: 14.0 , < 14.* (semver) Affected: 15.0 , < 15.* (semver) Affected: 16.0 , < 16.* (semver) Affected: 17.0 , < 17.* (semver) Affected: 18.0 , < 18.* (semver) Affected: 19.0 , < 19.* (semver)

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-21717",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-30T19:46:02.350544Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-30T19:46:10.357Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "node",
          "vendor": "nodejs",
          "versions": [
            {
              "lessThanOrEqual": "20.20.1",
              "status": "affected",
              "version": "20.20.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "22.22.1",
              "status": "affected",
              "version": "22.22.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "24.14.0",
              "status": "affected",
              "version": "24.14.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "25.8.1",
              "status": "affected",
              "version": "25.8.1",
              "versionType": "semver"
            },
            {
              "lessThan": "4.*",
              "status": "affected",
              "version": "4.0",
              "versionType": "semver"
            },
            {
              "lessThan": "5.*",
              "status": "affected",
              "version": "5.0",
              "versionType": "semver"
            },
            {
              "lessThan": "6.*",
              "status": "affected",
              "version": "6.0",
              "versionType": "semver"
            },
            {
              "lessThan": "7.*",
              "status": "affected",
              "version": "7.0",
              "versionType": "semver"
            },
            {
              "lessThan": "8.*",
              "status": "affected",
              "version": "8.0",
              "versionType": "semver"
            },
            {
              "lessThan": "9.*",
              "status": "affected",
              "version": "9.0",
              "versionType": "semver"
            },
            {
              "lessThan": "10.*",
              "status": "affected",
              "version": "10.0",
              "versionType": "semver"
            },
            {
              "lessThan": "11.*",
              "status": "affected",
              "version": "11.0",
              "versionType": "semver"
            },
            {
              "lessThan": "12.*",
              "status": "affected",
              "version": "12.0",
              "versionType": "semver"
            },
            {
              "lessThan": "13.*",
              "status": "affected",
              "version": "13.0",
              "versionType": "semver"
            },
            {
              "lessThan": "14.*",
              "status": "affected",
              "version": "14.0",
              "versionType": "semver"
            },
            {
              "lessThan": "15.*",
              "status": "affected",
              "version": "15.0",
              "versionType": "semver"
            },
            {
              "lessThan": "16.*",
              "status": "affected",
              "version": "16.0",
              "versionType": "semver"
            },
            {
              "lessThan": "17.*",
              "status": "affected",
              "version": "17.0",
              "versionType": "semver"
            },
            {
              "lessThan": "18.*",
              "status": "affected",
              "version": "18.0",
              "versionType": "semver"
            },
            {
              "lessThan": "19.*",
              "status": "affected",
              "version": "19.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw in V8\u0027s string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8\u0027s internal string table, an attacker can significantly degrade performance of the Node.js process.\r\n\r\nThe most common trigger is any endpoint that calls `JSON.parse()` on attacker-controlled input, as JSON parsing automatically internalizes short strings into the affected hash table.\r\n\r\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x**."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-30T19:07:28.415Z",
        "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "shortName": "hackerone"
      },
      "references": [
        {
          "url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
    "assignerShortName": "hackerone",
    "cveId": "CVE-2026-21717",
    "datePublished": "2026-03-30T19:07:28.415Z",
    "dateReserved": "2026-01-04T15:00:06.575Z",
    "dateUpdated": "2026-03-30T19:46:10.357Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-21715 (GCVE-0-2026-21715)

Vulnerability from cvelistv5 – Published: 2026-03-30 19:07 – Updated: 2026-04-01 15:02

Summary

A flaw in Node.js Permission Model filesystem enforcement leaves `fs.realpathSync.native()` without the required read permission checks, while all comparable filesystem functions correctly enforce them. As a result, code running under `--permission` with restricted `--allow-fs-read` can still use `fs.realpathSync.native()` to check file existence, resolve symlink targets, and enumerate filesystem paths outside of permitted directories. This vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-read` is intentionally restricted.

Severity ?

3.3 (Low)


                        
                          CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CWE

CWE-732 - Incorrect Permission Assignment for Critical Resource

Assigner

hackerone

References

URL

Tags

https://nodejs.org/en/blog/vulnerability/march-20…

Impacted products

	Vendor	Product	Version
	nodejs	node	Affected: 20.20.1 , ≤ 20.20.1 (semver) Affected: 22.22.1 , ≤ 22.22.1 (semver) Affected: 24.14.0 , ≤ 24.14.0 (semver) Affected: 25.8.1 , ≤ 25.8.1 (semver) Affected: 4.0 , < 4.* (semver) Affected: 5.0 , < 5.* (semver) Affected: 6.0 , < 6.* (semver) Affected: 7.0 , < 7.* (semver) Affected: 8.0 , < 8.* (semver) Affected: 9.0 , < 9.* (semver) Affected: 10.0 , < 10.* (semver) Affected: 11.0 , < 11.* (semver) Affected: 12.0 , < 12.* (semver) Affected: 13.0 , < 13.* (semver) Affected: 14.0 , < 14.* (semver) Affected: 15.0 , < 15.* (semver) Affected: 16.0 , < 16.* (semver) Affected: 17.0 , < 17.* (semver) Affected: 18.0 , < 18.* (semver) Affected: 19.0 , < 19.* (semver)

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-21715",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-01T14:55:13.031405Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-732",
                "description": "CWE-732 Incorrect Permission Assignment for Critical Resource",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-01T15:02:10.706Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "node",
          "vendor": "nodejs",
          "versions": [
            {
              "lessThanOrEqual": "20.20.1",
              "status": "affected",
              "version": "20.20.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "22.22.1",
              "status": "affected",
              "version": "22.22.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "24.14.0",
              "status": "affected",
              "version": "24.14.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "25.8.1",
              "status": "affected",
              "version": "25.8.1",
              "versionType": "semver"
            },
            {
              "lessThan": "4.*",
              "status": "affected",
              "version": "4.0",
              "versionType": "semver"
            },
            {
              "lessThan": "5.*",
              "status": "affected",
              "version": "5.0",
              "versionType": "semver"
            },
            {
              "lessThan": "6.*",
              "status": "affected",
              "version": "6.0",
              "versionType": "semver"
            },
            {
              "lessThan": "7.*",
              "status": "affected",
              "version": "7.0",
              "versionType": "semver"
            },
            {
              "lessThan": "8.*",
              "status": "affected",
              "version": "8.0",
              "versionType": "semver"
            },
            {
              "lessThan": "9.*",
              "status": "affected",
              "version": "9.0",
              "versionType": "semver"
            },
            {
              "lessThan": "10.*",
              "status": "affected",
              "version": "10.0",
              "versionType": "semver"
            },
            {
              "lessThan": "11.*",
              "status": "affected",
              "version": "11.0",
              "versionType": "semver"
            },
            {
              "lessThan": "12.*",
              "status": "affected",
              "version": "12.0",
              "versionType": "semver"
            },
            {
              "lessThan": "13.*",
              "status": "affected",
              "version": "13.0",
              "versionType": "semver"
            },
            {
              "lessThan": "14.*",
              "status": "affected",
              "version": "14.0",
              "versionType": "semver"
            },
            {
              "lessThan": "15.*",
              "status": "affected",
              "version": "15.0",
              "versionType": "semver"
            },
            {
              "lessThan": "16.*",
              "status": "affected",
              "version": "16.0",
              "versionType": "semver"
            },
            {
              "lessThan": "17.*",
              "status": "affected",
              "version": "17.0",
              "versionType": "semver"
            },
            {
              "lessThan": "18.*",
              "status": "affected",
              "version": "18.0",
              "versionType": "semver"
            },
            {
              "lessThan": "19.*",
              "status": "affected",
              "version": "19.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw in Node.js Permission Model filesystem enforcement leaves `fs.realpathSync.native()` without the required read permission checks, while all comparable filesystem functions correctly enforce them.\r\n\r\nAs a result, code running under `--permission` with restricted `--allow-fs-read` can still use `fs.realpathSync.native()` to check file existence, resolve symlink targets, and enumerate filesystem paths outside of permitted directories.\r\n\r\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-read` is intentionally restricted."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "baseScore": 3.3,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.0"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-30T19:07:28.507Z",
        "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "shortName": "hackerone"
      },
      "references": [
        {
          "url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
    "assignerShortName": "hackerone",
    "cveId": "CVE-2026-21715",
    "datePublished": "2026-03-30T19:07:28.507Z",
    "dateReserved": "2026-01-04T15:00:06.574Z",
    "dateUpdated": "2026-04-01T15:02:10.706Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-21712 (GCVE-0-2026-21712)

Vulnerability from cvelistv5 – Published: 2026-03-30 15:13 – Updated: 2026-03-30 15:52

Summary

A flaw in Node.js URL processing causes an assertion failure in native code when `url.format()` is called with a malformed internationalized domain name (IDN) containing invalid characters, crashing the Node.js process.

Severity ?

5.7 (Medium)


                        
                          CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H

Assigner

hackerone

References

URL

Tags

	https://nodejs.org/en/blog/vulnerability/march-20…
	https://hackerone.com/reports/3546390

Impacted products

	Vendor	Product	Version
	nodejs	node	Affected: 24.14.0 , ≤ 24.14.0 (semver) Affected: 25.8.1 , ≤ 25.8.1 (semver)

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-21712",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-30T15:52:17.619170Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-30T15:52:42.507Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "node",
          "vendor": "nodejs",
          "versions": [
            {
              "lessThanOrEqual": "24.14.0",
              "status": "affected",
              "version": "24.14.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "25.8.1",
              "status": "affected",
              "version": "25.8.1",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw in Node.js URL processing causes an assertion failure in native code when `url.format()` is called with a malformed internationalized domain name (IDN) containing invalid characters, crashing the Node.js process."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "baseScore": 5.7,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H",
            "version": "3.0"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-30T15:13:59.172Z",
        "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "shortName": "hackerone"
      },
      "references": [
        {
          "url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"
        },
        {
          "url": "https://hackerone.com/reports/3546390"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
    "assignerShortName": "hackerone",
    "cveId": "CVE-2026-21712",
    "datePublished": "2026-03-30T15:13:59.172Z",
    "dateReserved": "2026-01-04T15:00:06.574Z",
    "dateUpdated": "2026-03-30T15:52:42.507Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-21713 (GCVE-0-2026-21713)

Vulnerability from cvelistv5 – Published: 2026-03-30 19:07 – Updated: 2026-03-30 19:45

Summary

A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possible, this behavior could be exploited as a timing oracle to infer HMAC values. Node.js already provides timing-safe comparison primitives used elsewhere in the codebase, indicating this is an oversight rather than an intentional design decision. This vulnerability affects **20.x, 22.x, 24.x, and 25.x**.

Severity ?

5.9 (Medium)


                        
                          CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Assigner

hackerone

References

URL

Tags

https://nodejs.org/en/blog/vulnerability/march-20…

Impacted products

	Vendor	Product	Version
	nodejs	node	Affected: 20.20.1 , ≤ 20.20.1 (semver) Affected: 22.22.1 , ≤ 22.22.1 (semver) Affected: 24.14.0 , ≤ 24.14.0 (semver) Affected: 25.8.1 , ≤ 25.8.1 (semver) Affected: 4.0 , < 4.* (semver) Affected: 5.0 , < 5.* (semver) Affected: 6.0 , < 6.* (semver) Affected: 7.0 , < 7.* (semver) Affected: 8.0 , < 8.* (semver) Affected: 9.0 , < 9.* (semver) Affected: 10.0 , < 10.* (semver) Affected: 11.0 , < 11.* (semver) Affected: 12.0 , < 12.* (semver) Affected: 13.0 , < 13.* (semver) Affected: 14.0 , < 14.* (semver) Affected: 15.0 , < 15.* (semver) Affected: 16.0 , < 16.* (semver) Affected: 17.0 , < 17.* (semver) Affected: 18.0 , < 18.* (semver) Affected: 19.0 , < 19.* (semver)

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-21713",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-30T19:45:13.027379Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-30T19:45:22.905Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "node",
          "vendor": "nodejs",
          "versions": [
            {
              "lessThanOrEqual": "20.20.1",
              "status": "affected",
              "version": "20.20.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "22.22.1",
              "status": "affected",
              "version": "22.22.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "24.14.0",
              "status": "affected",
              "version": "24.14.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "25.8.1",
              "status": "affected",
              "version": "25.8.1",
              "versionType": "semver"
            },
            {
              "lessThan": "4.*",
              "status": "affected",
              "version": "4.0",
              "versionType": "semver"
            },
            {
              "lessThan": "5.*",
              "status": "affected",
              "version": "5.0",
              "versionType": "semver"
            },
            {
              "lessThan": "6.*",
              "status": "affected",
              "version": "6.0",
              "versionType": "semver"
            },
            {
              "lessThan": "7.*",
              "status": "affected",
              "version": "7.0",
              "versionType": "semver"
            },
            {
              "lessThan": "8.*",
              "status": "affected",
              "version": "8.0",
              "versionType": "semver"
            },
            {
              "lessThan": "9.*",
              "status": "affected",
              "version": "9.0",
              "versionType": "semver"
            },
            {
              "lessThan": "10.*",
              "status": "affected",
              "version": "10.0",
              "versionType": "semver"
            },
            {
              "lessThan": "11.*",
              "status": "affected",
              "version": "11.0",
              "versionType": "semver"
            },
            {
              "lessThan": "12.*",
              "status": "affected",
              "version": "12.0",
              "versionType": "semver"
            },
            {
              "lessThan": "13.*",
              "status": "affected",
              "version": "13.0",
              "versionType": "semver"
            },
            {
              "lessThan": "14.*",
              "status": "affected",
              "version": "14.0",
              "versionType": "semver"
            },
            {
              "lessThan": "15.*",
              "status": "affected",
              "version": "15.0",
              "versionType": "semver"
            },
            {
              "lessThan": "16.*",
              "status": "affected",
              "version": "16.0",
              "versionType": "semver"
            },
            {
              "lessThan": "17.*",
              "status": "affected",
              "version": "17.0",
              "versionType": "semver"
            },
            {
              "lessThan": "18.*",
              "status": "affected",
              "version": "18.0",
              "versionType": "semver"
            },
            {
              "lessThan": "19.*",
              "status": "affected",
              "version": "19.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possible, this behavior could be exploited as a timing oracle to infer HMAC values.\r\n\r\nNode.js already provides timing-safe comparison primitives used elsewhere in the codebase, indicating this is an oversight rather than an intentional design decision.\r\n\r\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x**."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-30T19:07:28.356Z",
        "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "shortName": "hackerone"
      },
      "references": [
        {
          "url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
    "assignerShortName": "hackerone",
    "cveId": "CVE-2026-21713",
    "datePublished": "2026-03-30T19:07:28.356Z",
    "dateReserved": "2026-01-04T15:00:06.574Z",
    "dateUpdated": "2026-03-30T19:45:22.905Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Log in or create an account to share your comment.

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.