Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    112 vulnerabilities found for node by nodejs

    CVE-2026-48930 (GCVE-0-2026-48930)

    Vulnerability from cvelistv5 – Published: 2026-06-26 01:14 – Updated: 2026-06-26 13:37
    VLAI
    Summary
    A flaw in Node.js TLS hostname handling can cause Embedded-nul hostnames can lead to silent authority rebinding due to c-string truncation in resolver bindings. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-284 - Improper Access Control - Generic
    Assigner
    Impacted products
    Vendor Product Version
    nodejs node Affected: 22.22.3 , ≤ 22.22.3 (semver)
    Affected: 24.16.0 , ≤ 24.16.0 (semver)
    Affected: 26.3.0 , ≤ 26.3.0 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48930",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-26T13:37:29.781800Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-26T13:37:46.190Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "node",
              "vendor": "nodejs",
              "versions": [
                {
                  "lessThanOrEqual": "22.22.3",
                  "status": "affected",
                  "version": "22.22.3",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "24.16.0",
                  "status": "affected",
                  "version": "24.16.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "26.3.0",
                  "status": "affected",
                  "version": "26.3.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw in Node.js TLS hostname handling can cause Embedded-nul hostnames can lead to silent authority rebinding due to c-string truncation in resolver bindings.\r\n\r\nThis vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 5.6,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284 Improper Access Control - Generic",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T01:14:37.006Z",
            "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            "shortName": "hackerone"
          },
          "references": [
            {
              "url": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "assignerShortName": "hackerone",
        "cveId": "CVE-2026-48930",
        "datePublished": "2026-06-26T01:14:37.006Z",
        "dateReserved": "2026-05-26T15:00:06.427Z",
        "dateUpdated": "2026-06-26T13:37:46.190Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48928 (GCVE-0-2026-48928)

    Vulnerability from cvelistv5 – Published: 2026-06-26 01:14 – Updated: 2026-06-26 13:36
    VLAI
    Summary
    A inconsistency in Node.js hostname matching can cause a trust-policy bypass in multi-context mTLS setups. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-284 - Improper Access Control - Generic
    Assigner
    Impacted products
    Vendor Product Version
    nodejs node Affected: 22.22.3 , ≤ 22.22.3 (semver)
    Affected: 24.16.0 , ≤ 24.16.0 (semver)
    Affected: 26.3.0 , ≤ 26.3.0 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48928",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-26T13:36:17.302009Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-26T13:36:28.487Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "node",
              "vendor": "nodejs",
              "versions": [
                {
                  "lessThanOrEqual": "22.22.3",
                  "status": "affected",
                  "version": "22.22.3",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "24.16.0",
                  "status": "affected",
                  "version": "24.16.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "26.3.0",
                  "status": "affected",
                  "version": "26.3.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A inconsistency in Node.js hostname matching can cause a trust-policy bypass in multi-context mTLS setups.\r\n\r\nThis vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 4.2,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284 Improper Access Control - Generic",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T01:14:36.981Z",
            "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            "shortName": "hackerone"
          },
          "references": [
            {
              "url": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "assignerShortName": "hackerone",
        "cveId": "CVE-2026-48928",
        "datePublished": "2026-06-26T01:14:36.981Z",
        "dateReserved": "2026-05-26T15:00:06.427Z",
        "dateUpdated": "2026-06-26T13:36:28.487Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48934 (GCVE-0-2026-48934)

    Vulnerability from cvelistv5 – Published: 2026-06-26 01:14 – Updated: 2026-06-29 12:40
    VLAI
    Summary
    A flaw in Node.js TLS host verification can cause an attacker to bypass certification validation. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-295 - Improper Certificate Validation
    Assigner
    Impacted products
    Vendor Product Version
    nodejs node Affected: 22.22.3 , ≤ 22.22.3 (semver)
    Affected: 24.16.0 , ≤ 24.16.0 (semver)
    Affected: 26.3.0 , ≤ 26.3.0 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48934",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-26T13:35:45.737892Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-295",
                    "description": "CWE-295 Improper Certificate Validation",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-29T12:40:27.051Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "node",
              "vendor": "nodejs",
              "versions": [
                {
                  "lessThanOrEqual": "22.22.3",
                  "status": "affected",
                  "version": "22.22.3",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "24.16.0",
                  "status": "affected",
                  "version": "24.16.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "26.3.0",
                  "status": "affected",
                  "version": "26.3.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw in Node.js TLS host verification can cause an attacker to bypass certification validation.\r\n\r\nThis vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.0"
              }
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T01:14:36.894Z",
            "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            "shortName": "hackerone"
          },
          "references": [
            {
              "url": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "assignerShortName": "hackerone",
        "cveId": "CVE-2026-48934",
        "datePublished": "2026-06-26T01:14:36.894Z",
        "dateReserved": "2026-05-26T15:00:06.427Z",
        "dateUpdated": "2026-06-29T12:40:27.051Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48936 (GCVE-0-2026-48936)

    Vulnerability from cvelistv5 – Published: 2026-06-26 01:14 – Updated: 2026-06-26 13:35
    VLAI
    Summary
    A flaw in Node.js Permission API can cause a local server to be started (via a Unix domain socket), even without the `--allow-net` permission. This vulnerability affects one supported release line: **Node.js 26**.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-284 - Improper Access Control - Generic
    Assigner
    Impacted products
    Vendor Product Version
    nodejs node Affected: 26.3.0 , ≤ 26.3.0 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48936",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-26T13:35:18.745870Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-26T13:35:27.884Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "node",
              "vendor": "nodejs",
              "versions": [
                {
                  "lessThanOrEqual": "26.3.0",
                  "status": "affected",
                  "version": "26.3.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw in Node.js Permission API can cause a local server to be started (via a Unix domain socket), even without the `--allow-net` permission.\r\n\r\nThis vulnerability affects one supported release line: **Node.js 26**."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 3.3,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284 Improper Access Control - Generic",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T01:14:36.878Z",
            "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            "shortName": "hackerone"
          },
          "references": [
            {
              "url": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "assignerShortName": "hackerone",
        "cveId": "CVE-2026-48936",
        "datePublished": "2026-06-26T01:14:36.878Z",
        "dateReserved": "2026-05-26T15:00:06.427Z",
        "dateUpdated": "2026-06-26T13:35:27.884Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48618 (GCVE-0-2026-48618)

    Vulnerability from cvelistv5 – Published: 2026-06-26 01:14 – Updated: 2026-06-26 15:10
    VLAI
    Summary
    A flaw in Node.js TLS hostname handling can cause Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismat. This can lead to confidentiality impact or bypass of the intended security boundary under affected configurations. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-176 - Improper Handling of Unicode Encoding
    Assigner
    Impacted products
    Vendor Product Version
    nodejs node Affected: 22.22.3 , ≤ 22.22.3 (semver)
    Affected: 24.16.0 , ≤ 24.16.0 (semver)
    Affected: 26.3.0 , ≤ 26.3.0 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48618",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-26T15:10:27.583362Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-26T15:10:40.049Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "node",
              "vendor": "nodejs",
              "versions": [
                {
                  "lessThanOrEqual": "22.22.3",
                  "status": "affected",
                  "version": "22.22.3",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "24.16.0",
                  "status": "affected",
                  "version": "24.16.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "26.3.0",
                  "status": "affected",
                  "version": "26.3.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw in Node.js TLS hostname handling can cause Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismat.\r\n\r\nThis can lead to confidentiality impact or bypass of the intended security boundary under affected configurations.\r\n\r\nThis vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-176",
                  "description": "CWE-176 Improper Handling of Unicode Encoding",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T01:14:36.868Z",
            "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            "shortName": "hackerone"
          },
          "references": [
            {
              "url": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "assignerShortName": "hackerone",
        "cveId": "CVE-2026-48618",
        "datePublished": "2026-06-26T01:14:36.868Z",
        "dateReserved": "2026-05-22T15:00:09.276Z",
        "dateUpdated": "2026-06-26T15:10:40.049Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48933 (GCVE-0-2026-48933)

    Vulnerability from cvelistv5 – Published: 2026-06-26 01:14 – Updated: 2026-06-30 12:09
    VLAI
    Summary
    A flaw in Node.js WebCrypto implementation can crash the process if the input of `subtle.encrypt()` is a multiple of 2GiB. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-190 - Integer Overflow
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    Impacted products
    Vendor Product Version
    nodejs node Affected: 22.22.3 , ≤ 22.22.3 (semver)
    Affected: 24.16.0 , ≤ 24.16.0 (semver)
    Affected: 26.3.0 , ≤ 26.3.0 (semver)
    Create a notification for this product.
    Red Hat Red Hat Hardened Images     cpe:/a:redhat:hummingbird:1
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 10     cpe:/o:redhat:enterprise_linux:10
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 8     cpe:/o:redhat:enterprise_linux:8
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 9     cpe:/o:redhat:enterprise_linux:9
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48933",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-26T15:05:58.547904Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-26T15:06:12.149Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:hummingbird:1"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Hardened Images",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:10"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux 10",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:8"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux 9",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-06-26T01:14:36.823Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in the Node.js WebCrypto implementation. A remote attacker could exploit this vulnerability by providing an input to the `subtle.encrypt()` function that is a multiple of 2 gigabytes (GiB). This could lead to a denial of service (DoS) by crashing the Node.js process."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-770",
                    "description": "Allocation of Resources Without Limits or Throttling",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T12:09:57.110Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-48933"
              },
              {
                "name": "RHBZ#2493331",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2493331"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-48933.json"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:9455"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:28727"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:29012"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:7378"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:30172"
              }
            ],
            "solutions": [
              {
                "lang": "en",
                "value": "RHSA-2026:9455: Red Hat Hardened Images"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:28727: Red Hat Hardened Images"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:29012: Red Hat Hardened Images"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:7378: Red Hat Hardened Images"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:30172: Red Hat Hardened Images"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-06-26T02:01:39.107Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-06-26T01:14:36.823Z",
                "value": "Made public."
              }
            ],
            "title": "nodejs: Node.js WebCrypto: Denial of Service via large input to subtle.encrypt()",
            "workarounds": [
              {
                "lang": "en",
                "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
              }
            ],
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "node",
              "vendor": "nodejs",
              "versions": [
                {
                  "lessThanOrEqual": "22.22.3",
                  "status": "affected",
                  "version": "22.22.3",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "24.16.0",
                  "status": "affected",
                  "version": "24.16.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "26.3.0",
                  "status": "affected",
                  "version": "26.3.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw in Node.js WebCrypto implementation can crash the process if the input of `subtle.encrypt()` is a multiple of 2GiB.\r\n\r\nThis vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-190",
                  "description": "CWE-190 Integer Overflow",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T01:14:36.823Z",
            "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            "shortName": "hackerone"
          },
          "references": [
            {
              "url": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "assignerShortName": "hackerone",
        "cveId": "CVE-2026-48933",
        "datePublished": "2026-06-26T01:14:36.823Z",
        "dateReserved": "2026-05-26T15:00:06.427Z",
        "dateUpdated": "2026-06-30T12:09:57.110Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48935 (GCVE-0-2026-48935)

    Vulnerability from cvelistv5 – Published: 2026-06-26 01:14 – Updated: 2026-06-26 15:05
    VLAI
    Summary
    A flaw in Node.js Permission API can cause a file metadata to be modified even on a path that was set as read-only with e.g. `--allow-fs-read`. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-276 - Incorrect Default Permissions
    Assigner
    Impacted products
    Vendor Product Version
    nodejs node Affected: 22.22.3 , ≤ 22.22.3 (semver)
    Affected: 24.16.0 , ≤ 24.16.0 (semver)
    Affected: 26.3.0 , ≤ 26.3.0 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48935",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-26T15:04:33.702023Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-26T15:05:20.661Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "node",
              "vendor": "nodejs",
              "versions": [
                {
                  "lessThanOrEqual": "22.22.3",
                  "status": "affected",
                  "version": "22.22.3",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "24.16.0",
                  "status": "affected",
                  "version": "24.16.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "26.3.0",
                  "status": "affected",
                  "version": "26.3.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw in Node.js Permission API can cause a file metadata to be modified even on a path that was set as read-only with e.g. `--allow-fs-read`.\r\n\r\nThis vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 3.3,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-276",
                  "description": "CWE-276 Incorrect Default Permissions",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T01:14:36.641Z",
            "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            "shortName": "hackerone"
          },
          "references": [
            {
              "url": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "assignerShortName": "hackerone",
        "cveId": "CVE-2026-48935",
        "datePublished": "2026-06-26T01:14:36.641Z",
        "dateReserved": "2026-05-26T15:00:06.427Z",
        "dateUpdated": "2026-06-26T15:05:20.661Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48619 (GCVE-0-2026-48619)

    Vulnerability from cvelistv5 – Published: 2026-06-26 01:14 – Updated: 2026-06-26 15:01
    VLAI
    Summary
    A flaw in Node.js HTTP/2 client allows a server to send an unlimited number of ORIGIN frames, which could lead to an Out of Memory error on the client. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    Impacted products
    Vendor Product Version
    nodejs node Affected: 22.22.3 , ≤ 22.22.3 (semver)
    Affected: 24.16.0 , ≤ 24.16.0 (semver)
    Affected: 26.3.0 , ≤ 26.3.0 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48619",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-26T15:01:30.143238Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-26T15:01:43.942Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "node",
              "vendor": "nodejs",
              "versions": [
                {
                  "lessThanOrEqual": "22.22.3",
                  "status": "affected",
                  "version": "22.22.3",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "24.16.0",
                  "status": "affected",
                  "version": "24.16.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "26.3.0",
                  "status": "affected",
                  "version": "26.3.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw in Node.js HTTP/2 client allows a server to send an unlimited number of ORIGIN frames, which could lead to an Out of Memory error on the client.\r\n\r\nThis vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400 Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T01:14:36.541Z",
            "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            "shortName": "hackerone"
          },
          "references": [
            {
              "url": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "assignerShortName": "hackerone",
        "cveId": "CVE-2026-48619",
        "datePublished": "2026-06-26T01:14:36.541Z",
        "dateReserved": "2026-05-22T15:00:09.276Z",
        "dateUpdated": "2026-06-26T15:01:43.942Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48615 (GCVE-0-2026-48615)

    Vulnerability from cvelistv5 – Published: 2026-06-26 01:14 – Updated: 2026-06-26 13:35
    VLAI
    Summary
    A flaw in Node.js proxy tunnel error handling could expose proxy credentials in `ERR_PROXY_TUNNEL` error messages. When proxy credentials are embedded in the proxy URL, they may be exposed through error handling paths and captured by logs, diagnostics, or other error consumers. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    nodejs node Affected: 22.22.3 , ≤ 22.22.3 (semver)
    Affected: 24.16.0 , ≤ 24.16.0 (semver)
    Affected: 26.3.0 , ≤ 26.3.0 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48615",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-26T13:34:45.532887Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-26T13:35:00.592Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "node",
              "vendor": "nodejs",
              "versions": [
                {
                  "lessThanOrEqual": "22.22.3",
                  "status": "affected",
                  "version": "22.22.3",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "24.16.0",
                  "status": "affected",
                  "version": "24.16.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "26.3.0",
                  "status": "affected",
                  "version": "26.3.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw in Node.js proxy tunnel error handling could expose proxy credentials in `ERR_PROXY_TUNNEL` error messages.\r\n\r\nWhen proxy credentials are embedded in the proxy URL, they may be exposed through error handling paths and captured by logs, diagnostics, or other error consumers.\r\n\r\nThis vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-359",
                  "description": "CWE-359 Privacy Violation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T01:14:36.524Z",
            "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            "shortName": "hackerone"
          },
          "references": [
            {
              "url": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "assignerShortName": "hackerone",
        "cveId": "CVE-2026-48615",
        "datePublished": "2026-06-26T01:14:36.524Z",
        "dateReserved": "2026-05-22T15:00:09.276Z",
        "dateUpdated": "2026-06-26T13:35:00.592Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48931 (GCVE-0-2026-48931)

    Vulnerability from cvelistv5 – Published: 2026-06-22 18:59 – Updated: 2026-07-03 00:32
    VLAI
    Summary
    A flaw in Node.js HTTP Agent can cause a client to accept as valid a response that is send before the client has sent the request. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
    Assigner
    Impacted products
    Vendor Product Version
    nodejs node Affected: 22.22.3 , ≤ 22.22.3 (semver)
    Affected: 24.16.0 , ≤ 24.16.0 (semver)
    Affected: 26.3.0 , ≤ 26.3.0 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2026-07-03T00:32:38.949Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "https://jdstaerk.substack.com/p/nodejs-security-fix-silently-broke"
              },
              {
                "url": "https://github.com/nodejs/node/issues/63989"
              },
              {
                "url": "http://www.openwall.com/lists/oss-security/2026/07/02/2"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48931",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-23T14:14:24.449951Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-23T14:16:21.836Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "node",
              "vendor": "nodejs",
              "versions": [
                {
                  "lessThanOrEqual": "22.22.3",
                  "status": "affected",
                  "version": "22.22.3",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "24.16.0",
                  "status": "affected",
                  "version": "24.16.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "26.3.0",
                  "status": "affected",
                  "version": "26.3.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw in Node.js HTTP Agent can cause a client to accept as valid a response that is send before the client has sent the request.\r\n\r\nThis vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 3.7,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-367",
                  "description": "CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T18:59:30.822Z",
            "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            "shortName": "hackerone"
          },
          "references": [
            {
              "url": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "assignerShortName": "hackerone",
        "cveId": "CVE-2026-48931",
        "datePublished": "2026-06-22T18:59:30.822Z",
        "dateReserved": "2026-05-26T15:00:06.427Z",
        "dateUpdated": "2026-07-03T00:32:38.949Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48937 (GCVE-0-2026-48937)

    Vulnerability from cvelistv5 – Published: 2026-06-18 18:01 – Updated: 2026-06-18 18:44
    VLAI
    Summary
    A flaw in Node.js HTTP/2 server API can cause servers to keep accepting data even after sending a `GOAWAY` frame. This vulnerability affects two supported release lines: **Node.js 22** and **Node.js 24**.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    Impacted products
    Vendor Product Version
    nodejs node Affected: 22.22.3 , ≤ 22.22.3 (semver)
    Affected: 24.16.0 , ≤ 24.16.0 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48937",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-18T18:43:55.210236Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-18T18:44:02.018Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "node",
              "vendor": "nodejs",
              "versions": [
                {
                  "lessThanOrEqual": "22.22.3",
                  "status": "affected",
                  "version": "22.22.3",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "24.16.0",
                  "status": "affected",
                  "version": "24.16.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw in Node.js HTTP/2 server API can cause servers to keep accepting data even after sending a `GOAWAY` frame. This vulnerability affects two supported release lines: **Node.js 22** and **Node.js 24**."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400 Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-18T18:01:39.780Z",
            "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            "shortName": "hackerone"
          },
          "references": [
            {
              "url": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases"
            },
            {
              "url": "https://hackerone.com/reports/3658225"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "assignerShortName": "hackerone",
        "cveId": "CVE-2026-48937",
        "datePublished": "2026-06-18T18:01:39.780Z",
        "dateReserved": "2026-05-26T15:00:06.427Z",
        "dateUpdated": "2026-06-18T18:44:02.018Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48617 (GCVE-0-2026-48617)

    Vulnerability from cvelistv5 – Published: 2026-06-18 16:21 – Updated: 2026-06-18 18:34
    VLAI
    Summary
    A flaw in Node.js Permission Model enforcement allows Bypass via `process.report.writeReport()` Path Misvalidation. This can lead to confidentiality impact or bypass of the intended security boundary under affected configurations. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-284 - Improper Access Control - Generic
    Assigner
    Impacted products
    Vendor Product Version
    nodejs node Affected: 22.22.3 , ≤ 22.22.3 (semver)
    Affected: 24.16.0 , ≤ 24.16.0 (semver)
    Affected: 26.3.0 , ≤ 26.3.0 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48617",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-18T18:27:45.392825Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-18T18:34:10.166Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "node",
              "vendor": "nodejs",
              "versions": [
                {
                  "lessThanOrEqual": "22.22.3",
                  "status": "affected",
                  "version": "22.22.3",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "24.16.0",
                  "status": "affected",
                  "version": "24.16.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "26.3.0",
                  "status": "affected",
                  "version": "26.3.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw in Node.js Permission Model enforcement allows Bypass via `process.report.writeReport()` Path Misvalidation. This can lead to confidentiality impact or bypass of the intended security boundary under affected configurations. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 1.8,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284 Improper Access Control - Generic",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-18T16:21:12.097Z",
            "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            "shortName": "hackerone"
          },
          "references": [
            {
              "url": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases"
            },
            {
              "url": "http://hackerone.com/reports/3692858"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "assignerShortName": "hackerone",
        "cveId": "CVE-2026-48617",
        "datePublished": "2026-06-18T16:21:12.097Z",
        "dateReserved": "2026-05-22T15:00:09.276Z",
        "dateUpdated": "2026-06-18T18:34:10.166Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-21710 (GCVE-0-2026-21710)

    Vulnerability from cvelistv5 – Published: 2026-03-30 19:07 – Updated: 2026-06-30 12:06
    VLAI
    Summary
    A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`. When this occurs, `dest["__proto__"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by `error` event listeners, meaning it cannot be handled without wrapping every `req.headersDistinct` access in a `try/catch`. * This vulnerability affects all Node.js HTTP servers on **20.x, 22.x, 24.x, and v25.x**
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    • CWE-843 - Access of Resource Using Incompatible Type ('Type Confusion')
    Assigner
    References
    Impacted products
    Vendor Product Version
    nodejs node Affected: 20.20.1 , ≤ 20.20.1 (semver)
    Affected: 22.22.1 , ≤ 22.22.1 (semver)
    Affected: 24.14.0 , ≤ 24.14.0 (semver)
    Affected: 25.8.1 , ≤ 25.8.1 (semver)
    Affected: 4.0 , < 4.* (semver)
    Affected: 5.0 , < 5.* (semver)
    Affected: 6.0 , < 6.* (semver)
    Affected: 7.0 , < 7.* (semver)
    Affected: 8.0 , < 8.* (semver)
    Affected: 9.0 , < 9.* (semver)
    Affected: 10.0 , < 10.* (semver)
    Affected: 11.0 , < 11.* (semver)
    Affected: 12.0 , < 12.* (semver)
    Affected: 13.0 , < 13.* (semver)
    Affected: 14.0 , < 14.* (semver)
    Affected: 15.0 , < 15.* (semver)
    Affected: 16.0 , < 16.* (semver)
    Affected: 17.0 , < 17.* (semver)
    Affected: 18.0 , < 18.* (semver)
    Affected: 19.0 , < 19.* (semver)
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream EUS (v. 10.0)     cpe:/o:redhat:enterprise_linux_eus:10.0
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream (v. 10)     cpe:/o:redhat:enterprise_linux:10.1
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream (v. 8)     cpe:/a:redhat:enterprise_linux:8::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream EUS (v.9.4)     cpe:/a:redhat:rhel_eus:9.4::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream EUS (v.9.6)     cpe:/a:redhat:rhel_eus:9.6::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream (v. 9)     cpe:/a:redhat:enterprise_linux:9::appstream
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-21710",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-31T13:55:20.665443Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-770",
                    "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-31T13:55:23.719Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux_eus:10.0"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:10.1"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream (v. 10)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:enterprise_linux:8::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream (v. 8)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_eus:9.4::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream EUS (v.9.4)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_eus:9.6::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream EUS (v.9.6)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:enterprise_linux:9::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream (v. 9)",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-03-30T19:07:28.558Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in Node.js. A remote attacker can exploit this vulnerability by sending a specially crafted HTTP request that includes a header named `__proto__`. When a Node.js application processes this request and attempts to access distinct headers, it encounters an unhandled error, leading to an application crash. This can result in a Denial of Service (DoS), making the affected service unavailable to users."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-843",
                    "description": "Access of Resource Using Incompatible Type (\u0027Type Confusion\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T12:06:49.798Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-21710"
              },
              {
                "name": "RHBZ#2453151",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453151"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-21710.json"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:7310"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:7080"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:7675"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:8339"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:7123"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:7670"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:9711"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:9874"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:7983"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:7896"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:7302"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:7350"
              }
            ],
            "solutions": [
              {
                "lang": "en",
                "value": "RHSA-2026:7310: Red Hat Enterprise Linux AppStream EUS (v. 10.0)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:7080: Red Hat Enterprise Linux AppStream (v. 10)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:7675: Red Hat Enterprise Linux AppStream (v. 10)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:8339: Red Hat Enterprise Linux AppStream (v. 8)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:7123: Red Hat Enterprise Linux AppStream (v. 8)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:7670: Red Hat Enterprise Linux AppStream (v. 8)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:9711: Red Hat Enterprise Linux AppStream EUS (v.9.4)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:9874: Red Hat Enterprise Linux AppStream EUS (v.9.6)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:7983: Red Hat Enterprise Linux AppStream EUS (v.9.6)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:7896: Red Hat Enterprise Linux AppStream (v. 9)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:7302: Red Hat Enterprise Linux AppStream (v. 9)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:7350: Red Hat Enterprise Linux AppStream (v. 9)"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-03-30T20:01:21.196Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-03-30T19:07:28.558Z",
                "value": "Made public."
              }
            ],
            "title": "Node.js: Node.js: Denial of Service due to crafted HTTP `__proto__` header",
            "workarounds": [
              {
                "lang": "en",
                "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
              }
            ],
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "node",
              "vendor": "nodejs",
              "versions": [
                {
                  "lessThanOrEqual": "20.20.1",
                  "status": "affected",
                  "version": "20.20.1",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "22.22.1",
                  "status": "affected",
                  "version": "22.22.1",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "24.14.0",
                  "status": "affected",
                  "version": "24.14.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "25.8.1",
                  "status": "affected",
                  "version": "25.8.1",
                  "versionType": "semver"
                },
                {
                  "lessThan": "4.*",
                  "status": "affected",
                  "version": "4.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.*",
                  "status": "affected",
                  "version": "5.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "6.*",
                  "status": "affected",
                  "version": "6.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "7.*",
                  "status": "affected",
                  "version": "7.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.*",
                  "status": "affected",
                  "version": "8.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "9.*",
                  "status": "affected",
                  "version": "9.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "10.*",
                  "status": "affected",
                  "version": "10.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "11.*",
                  "status": "affected",
                  "version": "11.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.*",
                  "status": "affected",
                  "version": "12.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "13.*",
                  "status": "affected",
                  "version": "13.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "14.*",
                  "status": "affected",
                  "version": "14.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "15.*",
                  "status": "affected",
                  "version": "15.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "16.*",
                  "status": "affected",
                  "version": "16.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "17.*",
                  "status": "affected",
                  "version": "17.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "18.*",
                  "status": "affected",
                  "version": "18.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "19.*",
                  "status": "affected",
                  "version": "19.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`.\r\n\r\nWhen this occurs, `dest[\"__proto__\"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by `error` event listeners, meaning it cannot be handled without wrapping every `req.headersDistinct` access in a `try/catch`.\r\n\r\n* This vulnerability affects all Node.js HTTP servers on **20.x, 22.x, 24.x, and v25.x**"
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.0"
              }
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-30T19:07:28.558Z",
            "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            "shortName": "hackerone"
          },
          "references": [
            {
              "url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "assignerShortName": "hackerone",
        "cveId": "CVE-2026-21710",
        "datePublished": "2026-03-30T19:07:28.558Z",
        "dateReserved": "2026-01-04T15:00:06.574Z",
        "dateUpdated": "2026-06-30T12:06:49.798Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-21716 (GCVE-0-2026-21716)

    Vulnerability from cvelistv5 – Published: 2026-03-30 19:07 – Updated: 2026-03-31 14:27
    VLAI
    Summary
    An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and `FileHandle.chown()` in the promises API without the required permission checks, while their callback-based equivalents (`fs.fchmod()`, `fs.fchown()`) were correctly patched. As a result, code running under `--permission` with restricted `--allow-fs-write` can still use promise-based `FileHandle` methods to modify file permissions and ownership on already-open file descriptors, bypassing the intended write restrictions. This vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-write` is intentionally restricted.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    nodejs node Affected: 20.20.1 , ≤ 20.20.1 (semver)
    Affected: 22.22.1 , ≤ 22.22.1 (semver)
    Affected: 24.14.0 , ≤ 24.14.0 (semver)
    Affected: 25.8.1 , ≤ 25.8.1 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-21716",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-31T14:27:06.373734Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-862",
                    "description": "CWE-862 Missing Authorization",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-31T14:27:23.323Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "node",
              "vendor": "nodejs",
              "versions": [
                {
                  "lessThanOrEqual": "20.20.1",
                  "status": "affected",
                  "version": "20.20.1",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "22.22.1",
                  "status": "affected",
                  "version": "22.22.1",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "24.14.0",
                  "status": "affected",
                  "version": "24.14.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "25.8.1",
                  "status": "affected",
                  "version": "25.8.1",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and `FileHandle.chown()` in the promises API without the required permission checks, while their callback-based equivalents (`fs.fchmod()`, `fs.fchown()`) were correctly patched.\r\n\r\nAs a result, code running under `--permission` with restricted `--allow-fs-write` can still use promise-based `FileHandle` methods to modify file permissions and ownership on already-open file descriptors, bypassing the intended write restrictions.\r\n\r\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-write` is intentionally restricted."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 3.3,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.0"
              }
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-30T19:07:28.538Z",
            "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            "shortName": "hackerone"
          },
          "references": [
            {
              "url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "assignerShortName": "hackerone",
        "cveId": "CVE-2026-21716",
        "datePublished": "2026-03-30T19:07:28.538Z",
        "dateReserved": "2026-01-04T15:00:06.575Z",
        "dateUpdated": "2026-03-31T14:27:23.323Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-21711 (GCVE-0-2026-21711)

    Vulnerability from cvelistv5 – Published: 2026-03-30 19:07 – Updated: 2026-04-01 15:03
    VLAI
    Summary
    A flaw in Node.js Permission Model network enforcement leaves Unix Domain Socket (UDS) server operations without the required permission checks, while all comparable network paths correctly enforce them. As a result, code running under `--permission` without `--allow-net` can create and expose local IPC endpoints, allowing communication with other processes on the same host outside of the intended network restriction boundary. This vulnerability affects Node.js **25.x** processes using the Permission Model where `--allow-net` is intentionally omitted to restrict network access. Note that `--allow-net` is currently an experimental feature.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-284 - Improper Access Control
    Assigner
    Impacted products
    Vendor Product Version
    nodejs node Affected: 25.8.1 , ≤ 25.8.1 (semver)
    Affected: 4.0 , < 4.* (semver)
    Affected: 5.0 , < 5.* (semver)
    Affected: 6.0 , < 6.* (semver)
    Affected: 7.0 , < 7.* (semver)
    Affected: 8.0 , < 8.* (semver)
    Affected: 9.0 , < 9.* (semver)
    Affected: 10.0 , < 10.* (semver)
    Affected: 11.0 , < 11.* (semver)
    Affected: 12.0 , < 12.* (semver)
    Affected: 13.0 , < 13.* (semver)
    Affected: 14.0 , < 14.* (semver)
    Affected: 15.0 , < 15.* (semver)
    Affected: 16.0 , < 16.* (semver)
    Affected: 17.0 , < 17.* (semver)
    Affected: 18.0 , < 18.* (semver)
    Affected: 19.0 , < 19.* (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-21711",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-01T15:02:57.115426Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-284",
                    "description": "CWE-284 Improper Access Control",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-01T15:03:21.612Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "node",
              "vendor": "nodejs",
              "versions": [
                {
                  "lessThanOrEqual": "25.8.1",
                  "status": "affected",
                  "version": "25.8.1",
                  "versionType": "semver"
                },
                {
                  "lessThan": "4.*",
                  "status": "affected",
                  "version": "4.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.*",
                  "status": "affected",
                  "version": "5.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "6.*",
                  "status": "affected",
                  "version": "6.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "7.*",
                  "status": "affected",
                  "version": "7.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.*",
                  "status": "affected",
                  "version": "8.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "9.*",
                  "status": "affected",
                  "version": "9.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "10.*",
                  "status": "affected",
                  "version": "10.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "11.*",
                  "status": "affected",
                  "version": "11.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.*",
                  "status": "affected",
                  "version": "12.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "13.*",
                  "status": "affected",
                  "version": "13.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "14.*",
                  "status": "affected",
                  "version": "14.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "15.*",
                  "status": "affected",
                  "version": "15.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "16.*",
                  "status": "affected",
                  "version": "16.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "17.*",
                  "status": "affected",
                  "version": "17.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "18.*",
                  "status": "affected",
                  "version": "18.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "19.*",
                  "status": "affected",
                  "version": "19.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw in Node.js Permission Model network enforcement leaves Unix Domain Socket (UDS) server operations without the required permission checks, while all comparable network paths correctly enforce them.\r\n\r\nAs a result, code running under `--permission` without `--allow-net` can create and expose local IPC endpoints, allowing communication with other processes on the same host outside of the intended network restriction boundary.\r\n\r\nThis vulnerability affects Node.js **25.x** processes using the Permission Model where `--allow-net` is intentionally omitted to restrict network access. Note that `--allow-net` is currently an experimental feature."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.0"
              }
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-30T19:07:28.526Z",
            "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            "shortName": "hackerone"
          },
          "references": [
            {
              "url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "assignerShortName": "hackerone",
        "cveId": "CVE-2026-21711",
        "datePublished": "2026-03-30T19:07:28.526Z",
        "dateReserved": "2026-01-04T15:00:06.574Z",
        "dateUpdated": "2026-04-01T15:03:21.612Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-21715 (GCVE-0-2026-21715)

    Vulnerability from cvelistv5 – Published: 2026-03-30 19:07 – Updated: 2026-04-01 15:02
    VLAI
    Summary
    A flaw in Node.js Permission Model filesystem enforcement leaves `fs.realpathSync.native()` without the required read permission checks, while all comparable filesystem functions correctly enforce them. As a result, code running under `--permission` with restricted `--allow-fs-read` can still use `fs.realpathSync.native()` to check file existence, resolve symlink targets, and enumerate filesystem paths outside of permitted directories. This vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-read` is intentionally restricted.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-732 - Incorrect Permission Assignment for Critical Resource
    Assigner
    Impacted products
    Vendor Product Version
    nodejs node Affected: 20.20.1 , ≤ 20.20.1 (semver)
    Affected: 22.22.1 , ≤ 22.22.1 (semver)
    Affected: 24.14.0 , ≤ 24.14.0 (semver)
    Affected: 25.8.1 , ≤ 25.8.1 (semver)
    Affected: 4.0 , < 4.* (semver)
    Affected: 5.0 , < 5.* (semver)
    Affected: 6.0 , < 6.* (semver)
    Affected: 7.0 , < 7.* (semver)
    Affected: 8.0 , < 8.* (semver)
    Affected: 9.0 , < 9.* (semver)
    Affected: 10.0 , < 10.* (semver)
    Affected: 11.0 , < 11.* (semver)
    Affected: 12.0 , < 12.* (semver)
    Affected: 13.0 , < 13.* (semver)
    Affected: 14.0 , < 14.* (semver)
    Affected: 15.0 , < 15.* (semver)
    Affected: 16.0 , < 16.* (semver)
    Affected: 17.0 , < 17.* (semver)
    Affected: 18.0 , < 18.* (semver)
    Affected: 19.0 , < 19.* (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-21715",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-01T14:55:13.031405Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-732",
                    "description": "CWE-732 Incorrect Permission Assignment for Critical Resource",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-01T15:02:10.706Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "node",
              "vendor": "nodejs",
              "versions": [
                {
                  "lessThanOrEqual": "20.20.1",
                  "status": "affected",
                  "version": "20.20.1",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "22.22.1",
                  "status": "affected",
                  "version": "22.22.1",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "24.14.0",
                  "status": "affected",
                  "version": "24.14.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "25.8.1",
                  "status": "affected",
                  "version": "25.8.1",
                  "versionType": "semver"
                },
                {
                  "lessThan": "4.*",
                  "status": "affected",
                  "version": "4.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.*",
                  "status": "affected",
                  "version": "5.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "6.*",
                  "status": "affected",
                  "version": "6.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "7.*",
                  "status": "affected",
                  "version": "7.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.*",
                  "status": "affected",
                  "version": "8.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "9.*",
                  "status": "affected",
                  "version": "9.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "10.*",
                  "status": "affected",
                  "version": "10.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "11.*",
                  "status": "affected",
                  "version": "11.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.*",
                  "status": "affected",
                  "version": "12.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "13.*",
                  "status": "affected",
                  "version": "13.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "14.*",
                  "status": "affected",
                  "version": "14.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "15.*",
                  "status": "affected",
                  "version": "15.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "16.*",
                  "status": "affected",
                  "version": "16.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "17.*",
                  "status": "affected",
                  "version": "17.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "18.*",
                  "status": "affected",
                  "version": "18.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "19.*",
                  "status": "affected",
                  "version": "19.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw in Node.js Permission Model filesystem enforcement leaves `fs.realpathSync.native()` without the required read permission checks, while all comparable filesystem functions correctly enforce them.\r\n\r\nAs a result, code running under `--permission` with restricted `--allow-fs-read` can still use `fs.realpathSync.native()` to check file existence, resolve symlink targets, and enumerate filesystem paths outside of permitted directories.\r\n\r\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-read` is intentionally restricted."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 3.3,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.0"
              }
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-30T19:07:28.507Z",
            "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            "shortName": "hackerone"
          },
          "references": [
            {
              "url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "assignerShortName": "hackerone",
        "cveId": "CVE-2026-21715",
        "datePublished": "2026-03-30T19:07:28.507Z",
        "dateReserved": "2026-01-04T15:00:06.574Z",
        "dateUpdated": "2026-04-01T15:02:10.706Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-21717 (GCVE-0-2026-21717)

    Vulnerability from cvelistv5 – Published: 2026-03-30 19:07 – Updated: 2026-05-10 13:16
    VLAI
    Summary
    A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade performance of the Node.js process. The most common trigger is any endpoint that calls `JSON.parse()` on attacker-controlled input, as JSON parsing automatically internalizes short strings into the affected hash table. This vulnerability affects **20.x, 22.x, 24.x, and 25.x**.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    nodejs node Affected: 20.20.1 , ≤ 20.20.1 (semver)
    Affected: 22.22.1 , ≤ 22.22.1 (semver)
    Affected: 24.14.0 , ≤ 24.14.0 (semver)
    Affected: 25.8.1 , ≤ 25.8.1 (semver)
    Affected: 4.0 , < 4.* (semver)
    Affected: 5.0 , < 5.* (semver)
    Affected: 6.0 , < 6.* (semver)
    Affected: 7.0 , < 7.* (semver)
    Affected: 8.0 , < 8.* (semver)
    Affected: 9.0 , < 9.* (semver)
    Affected: 10.0 , < 10.* (semver)
    Affected: 11.0 , < 11.* (semver)
    Affected: 12.0 , < 12.* (semver)
    Affected: 13.0 , < 13.* (semver)
    Affected: 14.0 , < 14.* (semver)
    Affected: 15.0 , < 15.* (semver)
    Affected: 16.0 , < 16.* (semver)
    Affected: 17.0 , < 17.* (semver)
    Affected: 18.0 , < 18.* (semver)
    Affected: 19.0 , < 19.* (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-21717",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-30T19:46:02.350544Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-328",
                    "description": "CWE-328 Use of Weak Hash",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-10T13:16:01.620Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "node",
              "vendor": "nodejs",
              "versions": [
                {
                  "lessThanOrEqual": "20.20.1",
                  "status": "affected",
                  "version": "20.20.1",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "22.22.1",
                  "status": "affected",
                  "version": "22.22.1",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "24.14.0",
                  "status": "affected",
                  "version": "24.14.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "25.8.1",
                  "status": "affected",
                  "version": "25.8.1",
                  "versionType": "semver"
                },
                {
                  "lessThan": "4.*",
                  "status": "affected",
                  "version": "4.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.*",
                  "status": "affected",
                  "version": "5.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "6.*",
                  "status": "affected",
                  "version": "6.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "7.*",
                  "status": "affected",
                  "version": "7.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.*",
                  "status": "affected",
                  "version": "8.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "9.*",
                  "status": "affected",
                  "version": "9.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "10.*",
                  "status": "affected",
                  "version": "10.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "11.*",
                  "status": "affected",
                  "version": "11.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.*",
                  "status": "affected",
                  "version": "12.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "13.*",
                  "status": "affected",
                  "version": "13.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "14.*",
                  "status": "affected",
                  "version": "14.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "15.*",
                  "status": "affected",
                  "version": "15.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "16.*",
                  "status": "affected",
                  "version": "16.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "17.*",
                  "status": "affected",
                  "version": "17.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "18.*",
                  "status": "affected",
                  "version": "18.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "19.*",
                  "status": "affected",
                  "version": "19.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw in V8\u0027s string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8\u0027s internal string table, an attacker can significantly degrade performance of the Node.js process.\r\n\r\nThe most common trigger is any endpoint that calls `JSON.parse()` on attacker-controlled input, as JSON parsing automatically internalizes short strings into the affected hash table.\r\n\r\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x**."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.0"
              }
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-30T19:07:28.415Z",
            "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            "shortName": "hackerone"
          },
          "references": [
            {
              "url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "assignerShortName": "hackerone",
        "cveId": "CVE-2026-21717",
        "datePublished": "2026-03-30T19:07:28.415Z",
        "dateReserved": "2026-01-04T15:00:06.575Z",
        "dateUpdated": "2026-05-10T13:16:01.620Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-21713 (GCVE-0-2026-21713)

    Vulnerability from cvelistv5 – Published: 2026-03-30 19:07 – Updated: 2026-05-10 13:17
    VLAI
    Summary
    A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possible, this behavior could be exploited as a timing oracle to infer HMAC values. Node.js already provides timing-safe comparison primitives used elsewhere in the codebase, indicating this is an oversight rather than an intentional design decision. This vulnerability affects **20.x, 22.x, 24.x, and 25.x**.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-208 - Observable Timing Discrepancy
    Assigner
    Impacted products
    Vendor Product Version
    nodejs node Affected: 20.20.1 , ≤ 20.20.1 (semver)
    Affected: 22.22.1 , ≤ 22.22.1 (semver)
    Affected: 24.14.0 , ≤ 24.14.0 (semver)
    Affected: 25.8.1 , ≤ 25.8.1 (semver)
    Affected: 4.0 , < 4.* (semver)
    Affected: 5.0 , < 5.* (semver)
    Affected: 6.0 , < 6.* (semver)
    Affected: 7.0 , < 7.* (semver)
    Affected: 8.0 , < 8.* (semver)
    Affected: 9.0 , < 9.* (semver)
    Affected: 10.0 , < 10.* (semver)
    Affected: 11.0 , < 11.* (semver)
    Affected: 12.0 , < 12.* (semver)
    Affected: 13.0 , < 13.* (semver)
    Affected: 14.0 , < 14.* (semver)
    Affected: 15.0 , < 15.* (semver)
    Affected: 16.0 , < 16.* (semver)
    Affected: 17.0 , < 17.* (semver)
    Affected: 18.0 , < 18.* (semver)
    Affected: 19.0 , < 19.* (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-21713",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-30T19:45:13.027379Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-208",
                    "description": "CWE-208 Observable Timing Discrepancy",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-10T13:17:50.281Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "node",
              "vendor": "nodejs",
              "versions": [
                {
                  "lessThanOrEqual": "20.20.1",
                  "status": "affected",
                  "version": "20.20.1",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "22.22.1",
                  "status": "affected",
                  "version": "22.22.1",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "24.14.0",
                  "status": "affected",
                  "version": "24.14.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "25.8.1",
                  "status": "affected",
                  "version": "25.8.1",
                  "versionType": "semver"
                },
                {
                  "lessThan": "4.*",
                  "status": "affected",
                  "version": "4.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.*",
                  "status": "affected",
                  "version": "5.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "6.*",
                  "status": "affected",
                  "version": "6.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "7.*",
                  "status": "affected",
                  "version": "7.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.*",
                  "status": "affected",
                  "version": "8.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "9.*",
                  "status": "affected",
                  "version": "9.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "10.*",
                  "status": "affected",
                  "version": "10.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "11.*",
                  "status": "affected",
                  "version": "11.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.*",
                  "status": "affected",
                  "version": "12.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "13.*",
                  "status": "affected",
                  "version": "13.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "14.*",
                  "status": "affected",
                  "version": "14.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "15.*",
                  "status": "affected",
                  "version": "15.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "16.*",
                  "status": "affected",
                  "version": "16.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "17.*",
                  "status": "affected",
                  "version": "17.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "18.*",
                  "status": "affected",
                  "version": "18.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "19.*",
                  "status": "affected",
                  "version": "19.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possible, this behavior could be exploited as a timing oracle to infer HMAC values.\r\n\r\nNode.js already provides timing-safe comparison primitives used elsewhere in the codebase, indicating this is an oversight rather than an intentional design decision.\r\n\r\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x**."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.0"
              }
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-30T19:07:28.356Z",
            "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            "shortName": "hackerone"
          },
          "references": [
            {
              "url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "assignerShortName": "hackerone",
        "cveId": "CVE-2026-21713",
        "datePublished": "2026-03-30T19:07:28.356Z",
        "dateReserved": "2026-01-04T15:00:06.574Z",
        "dateUpdated": "2026-05-10T13:17:50.281Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-21714 (GCVE-0-2026-21714)

    Vulnerability from cvelistv5 – Published: 2026-03-30 19:07 – Updated: 2026-03-31 18:05
    VLAI
    Summary
    A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2³¹-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up. This vulnerability affects HTTP2 users on Node.js 20, 22, 24 and 25.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-401 - Missing Release of Memory after Effective Lifetime
    Assigner
    Impacted products
    Vendor Product Version
    nodejs node Affected: 20.20.1 , ≤ 20.20.1 (semver)
    Affected: 22.22.1 , ≤ 22.22.1 (semver)
    Affected: 24.14.0 , ≤ 24.14.0 (semver)
    Affected: 25.8.1 , ≤ 25.8.1 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-21714",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-31T16:14:45.777607Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-401",
                    "description": "CWE-401 Missing Release of Memory after Effective Lifetime",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-31T18:05:22.283Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "node",
              "vendor": "nodejs",
              "versions": [
                {
                  "lessThanOrEqual": "20.20.1",
                  "status": "affected",
                  "version": "20.20.1",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "22.22.1",
                  "status": "affected",
                  "version": "22.22.1",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "24.14.0",
                  "status": "affected",
                  "version": "24.14.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "25.8.1",
                  "status": "affected",
                  "version": "25.8.1",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2\u00b3\u00b9-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up.\r\n\r\nThis vulnerability affects HTTP2 users on Node.js 20, 22, 24 and 25."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                "version": "3.0"
              }
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-30T19:07:28.317Z",
            "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            "shortName": "hackerone"
          },
          "references": [
            {
              "url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "assignerShortName": "hackerone",
        "cveId": "CVE-2026-21714",
        "datePublished": "2026-03-30T19:07:28.317Z",
        "dateReserved": "2026-01-04T15:00:06.574Z",
        "dateUpdated": "2026-03-31T18:05:22.283Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-21712 (GCVE-0-2026-21712)

    Vulnerability from cvelistv5 – Published: 2026-03-30 15:13 – Updated: 2026-05-10 13:16
    VLAI
    Summary
    A flaw in Node.js URL processing causes an assertion failure in native code when `url.format()` is called with a malformed internationalized domain name (IDN) containing invalid characters, crashing the Node.js process.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    Impacted products
    Vendor Product Version
    nodejs node Affected: 24.14.0 , ≤ 24.14.0 (semver)
    Affected: 25.8.1 , ≤ 25.8.1 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-21712",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-30T15:52:17.619170Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-20",
                    "description": "CWE-20 Improper Input Validation",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-10T13:16:37.222Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "node",
              "vendor": "nodejs",
              "versions": [
                {
                  "lessThanOrEqual": "24.14.0",
                  "status": "affected",
                  "version": "24.14.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "25.8.1",
                  "status": "affected",
                  "version": "25.8.1",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw in Node.js URL processing causes an assertion failure in native code when `url.format()` is called with a malformed internationalized domain name (IDN) containing invalid characters, crashing the Node.js process."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 5.7,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H",
                "version": "3.0"
              }
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-30T15:13:59.172Z",
            "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            "shortName": "hackerone"
          },
          "references": [
            {
              "url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"
            },
            {
              "url": "https://hackerone.com/reports/3546390"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "assignerShortName": "hackerone",
        "cveId": "CVE-2026-21712",
        "datePublished": "2026-03-30T15:13:59.172Z",
        "dateReserved": "2026-01-04T15:00:06.574Z",
        "dateUpdated": "2026-05-10T13:16:37.222Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-21636 (GCVE-0-2026-21636)

    Vulnerability from cvelistv5 – Published: 2026-01-20 20:41 – Updated: 2026-01-21 18:52
    VLAI
    Summary
    A flaw in Node.js's permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when `--permission` is enabled. Even without `--allow-net`, attacker-controlled inputs (such as URLs or socketPath options) can connect to arbitrary local sockets via net, tls, or undici/fetch. This breaks the intended security boundary of the permission model and enables access to privileged local services, potentially leading to privilege escalation, data exposure, or local code execution. * The issue affects users of the Node.js permission model on version v25. In the moment of this vulnerability, network permissions (`--allow-net`) are still in the experimental phase.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-284 - Improper Access Control
    Assigner
    Impacted products
    Vendor Product Version
    nodejs node Affected: 25.2.1 , ≤ 25.2.1 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-21636",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-21T18:38:13.137061Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-284",
                    "description": "CWE-284 Improper Access Control",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-21T18:52:53.133Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "node",
              "vendor": "nodejs",
              "versions": [
                {
                  "lessThanOrEqual": "25.2.1",
                  "status": "affected",
                  "version": "25.2.1",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw in Node.js\u0027s permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when `--permission` is enabled. Even without `--allow-net`, attacker-controlled inputs (such as URLs or socketPath options) can connect to arbitrary local sockets via net, tls, or undici/fetch. This breaks the intended security boundary of the permission model and enables access to privileged local services, potentially leading to privilege escalation, data exposure, or local code execution.\n\n* The issue affects users of the Node.js permission model on version v25.\n\nIn the moment of this vulnerability, network permissions (`--allow-net`) are still in the experimental phase."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 5.8,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
                "version": "3.0"
              }
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-20T20:41:55.700Z",
            "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            "shortName": "hackerone"
          },
          "references": [
            {
              "url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "assignerShortName": "hackerone",
        "cveId": "CVE-2026-21636",
        "datePublished": "2026-01-20T20:41:55.700Z",
        "dateReserved": "2026-01-01T15:00:02.339Z",
        "dateUpdated": "2026-01-21T18:52:53.133Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-59466 (GCVE-0-2025-59466)

    Vulnerability from cvelistv5 – Published: 2026-01-20 20:41 – Updated: 2026-01-21 18:52
    VLAI
    Summary
    We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on('uncaughtException')`, the process terminates, making the crash unrecoverable. Applications that rely on `AsyncLocalStorage` (v22, v20) or `async_hooks.createHook()` (v24, v22, v20) become vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    nodejs node Affected: 20.19.6 , ≤ 20.19.6 (semver)
    Affected: 22.21.1 , ≤ 22.21.1 (semver)
    Affected: 24.12.0 , ≤ 24.12.0 (semver)
    Affected: 25.2.1 , ≤ 25.2.1 (semver)
    Affected: 8.0 , < 8.* (semver)
    Affected: 9.0 , < 9.* (semver)
    Affected: 10.0 , < 10.* (semver)
    Affected: 11.0 , < 11.* (semver)
    Affected: 12.0 , < 12.* (semver)
    Affected: 13.0 , < 13.* (semver)
    Affected: 14.0 , < 14.* (semver)
    Affected: 15.0 , < 15.* (semver)
    Affected: 16.0 , < 16.* (semver)
    Affected: 17.0 , < 17.* (semver)
    Affected: 18.0 , < 18.* (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-59466",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-21T18:38:35.920729Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-248",
                    "description": "CWE-248 Uncaught Exception",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-21T18:52:57.892Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "node",
              "vendor": "nodejs",
              "versions": [
                {
                  "lessThanOrEqual": "20.19.6",
                  "status": "affected",
                  "version": "20.19.6",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "22.21.1",
                  "status": "affected",
                  "version": "22.21.1",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "24.12.0",
                  "status": "affected",
                  "version": "24.12.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "25.2.1",
                  "status": "affected",
                  "version": "25.2.1",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.*",
                  "status": "affected",
                  "version": "8.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "9.*",
                  "status": "affected",
                  "version": "9.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "10.*",
                  "status": "affected",
                  "version": "10.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "11.*",
                  "status": "affected",
                  "version": "11.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.*",
                  "status": "affected",
                  "version": "12.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "13.*",
                  "status": "affected",
                  "version": "13.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "14.*",
                  "status": "affected",
                  "version": "14.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "15.*",
                  "status": "affected",
                  "version": "15.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "16.*",
                  "status": "affected",
                  "version": "16.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "17.*",
                  "status": "affected",
                  "version": "17.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "18.*",
                  "status": "affected",
                  "version": "18.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "We have identified a bug in Node.js error handling where \"Maximum call stack size exceeded\" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on(\u0027uncaughtException\u0027)`, the process terminates, making the crash unrecoverable. Applications that rely on `AsyncLocalStorage` (v22, v20) or `async_hooks.createHook()` (v24, v22, v20) become vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.0"
              }
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-20T20:41:55.628Z",
            "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            "shortName": "hackerone"
          },
          "references": [
            {
              "url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "assignerShortName": "hackerone",
        "cveId": "CVE-2025-59466",
        "datePublished": "2026-01-20T20:41:55.628Z",
        "dateReserved": "2025-09-16T15:00:07.876Z",
        "dateUpdated": "2026-01-21T18:52:57.892Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-55132 (GCVE-0-2025-55132)

    Vulnerability from cvelistv5 – Published: 2026-01-20 20:41 – Updated: 2026-01-21 18:53
    VLAI
    Summary
    A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-276 - Incorrect Default Permissions
    Assigner
    Impacted products
    Vendor Product Version
    nodejs node Affected: 20.19.6 , ≤ 20.19.6 (semver)
    Affected: 22.21.1 , ≤ 22.21.1 (semver)
    Affected: 24.12.0 , ≤ 24.12.0 (semver)
    Affected: 25.2.1 , ≤ 25.2.1 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-55132",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-21T18:38:44.471272Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-276",
                    "description": "CWE-276 Incorrect Default Permissions",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-21T18:53:03.738Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "node",
              "vendor": "nodejs",
              "versions": [
                {
                  "lessThanOrEqual": "20.19.6",
                  "status": "affected",
                  "version": "20.19.6",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "22.21.1",
                  "status": "affected",
                  "version": "22.21.1",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "24.12.0",
                  "status": "affected",
                  "version": "24.12.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "25.2.1",
                  "status": "affected",
                  "version": "25.2.1",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw in Node.js\u0027s permission model allows a file\u0027s access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs. This vulnerability affects users of the permission model on Node.js v20,  v22,  v24, and v25."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 2.8,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
                "version": "3.0"
              }
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-20T20:41:55.620Z",
            "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            "shortName": "hackerone"
          },
          "references": [
            {
              "url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "assignerShortName": "hackerone",
        "cveId": "CVE-2025-55132",
        "datePublished": "2026-01-20T20:41:55.620Z",
        "dateReserved": "2025-08-07T15:00:05.576Z",
        "dateUpdated": "2026-01-21T18:53:03.738Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-59464 (GCVE-0-2025-59464)

    Vulnerability from cvelistv5 – Published: 2026-01-20 20:41 – Updated: 2026-01-21 20:41
    VLAI
    Summary
    A memory leak in Node.js’s OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. When applications call `socket.getPeerCertificate(true)`, each certificate field leaks memory, allowing remote clients to trigger steady memory growth through repeated TLS connections. Over time this can lead to resource exhaustion and denial of service.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    Impacted products
    Vendor Product Version
    nodejs node Affected: 24.12.0 , < 24.12.0 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-59464",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-21T20:40:07.879640Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-400",
                    "description": "CWE-400 Uncontrolled Resource Consumption",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-21T20:41:09.437Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "node",
              "vendor": "nodejs",
              "versions": [
                {
                  "lessThan": "24.12.0",
                  "status": "affected",
                  "version": "24.12.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A memory leak in Node.js\u2019s OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. When applications call `socket.getPeerCertificate(true)`, each certificate field leaks memory, allowing remote clients to trigger steady memory growth through repeated TLS connections. Over time this can lead to resource exhaustion and denial of service."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
                "version": "3.0"
              }
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-20T20:41:55.599Z",
            "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            "shortName": "hackerone"
          },
          "references": [
            {
              "url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "assignerShortName": "hackerone",
        "cveId": "CVE-2025-59464",
        "datePublished": "2026-01-20T20:41:55.599Z",
        "dateReserved": "2025-09-16T15:00:07.875Z",
        "dateUpdated": "2026-01-21T20:41:09.437Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-55131 (GCVE-0-2025-55131)

    Vulnerability from cvelistv5 – Published: 2026-01-20 20:41 – Updated: 2026-06-30 12:07
    VLAI
    Summary
    A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption. While exploitation typically requires precise timing or in-process code execution, it can become remotely exploitable when untrusted input influences workload and timeouts, leading to potential confidentiality and integrity impact.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
    • CWE-497 - Exposure of Sensitive System Information to an Unauthorized Control Sphere
    Assigner
    References
    URL Tags
    https://nodejs.org/en/blog/vulnerability/december…
    https://access.redhat.com/security/cve/CVE-2025-55131 vdb-entryx_refsource_REDHAT
    https://bugzilla.redhat.com/show_bug.cgi?id=2431350 issue-trackingx_refsource_REDHAT
    https://security.access.redhat.com/data/csaf/v2/v… x_sadp-csaf-vex
    https://access.redhat.com/errata/RHSA-2026:2899 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:1843 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:1842 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:2422 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:2421 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:2420 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:2768 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:2767 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:2864 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:2783 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:2782 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:2781 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:7386 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:7387 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:6402 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:6431 vendor-advisoryx_refsource_REDHAT
    Impacted products
    Vendor Product Version
    nodejs node Affected: 20.19.6 , ≤ 20.19.6 (semver)
    Affected: 22.21.1 , ≤ 22.21.1 (semver)
    Affected: 24.12.0 , ≤ 24.12.0 (semver)
    Affected: 25.2.1 , ≤ 25.2.1 (semver)
    Affected: 4.0 , < 4.* (semver)
    Affected: 5.0 , < 5.* (semver)
    Affected: 6.0 , < 6.* (semver)
    Affected: 7.0 , < 7.* (semver)
    Affected: 8.0 , < 8.* (semver)
    Affected: 9.0 , < 9.* (semver)
    Affected: 10.0 , < 10.* (semver)
    Affected: 11.0 , < 11.* (semver)
    Affected: 12.0 , < 12.* (semver)
    Affected: 13.0 , < 13.* (semver)
    Affected: 14.0 , < 14.* (semver)
    Affected: 15.0 , < 15.* (semver)
    Affected: 16.0 , < 16.* (semver)
    Affected: 17.0 , < 17.* (semver)
    Affected: 18.0 , < 18.* (semver)
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream EUS (v. 10.0)     cpe:/o:redhat:enterprise_linux_eus:10.0
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream (v. 10)     cpe:/o:redhat:enterprise_linux:10.1
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream (v. 8)     cpe:/a:redhat:enterprise_linux:8::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream EUS (v.9.4)     cpe:/a:redhat:rhel_eus:9.4::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream EUS (v.9.6)     cpe:/a:redhat:rhel_eus:9.6::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream (v. 9)     cpe:/a:redhat:enterprise_linux:9::appstream
    Create a notification for this product.
    Red Hat Red Hat Hardened Images     cpe:/a:redhat:hummingbird:1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-55131",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-22T04:55:31.057208Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-120",
                    "description": "CWE-120 Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-27T15:11:22.041Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux_eus:10.0"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:10.1"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream (v. 10)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:enterprise_linux:8::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream (v. 8)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_eus:9.4::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream EUS (v.9.4)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_eus:9.6::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream EUS (v.9.6)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:enterprise_linux:9::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream (v. 9)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:hummingbird:1"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Hardened Images",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-01-20T20:41:55.591Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A memory exposure flaw has been discovered in Node.js. A flaw in Node.js\u0027s buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "HIGH",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "LOW",
                  "baseScore": 7.1,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-497",
                    "description": "Exposure of Sensitive System Information to an Unauthorized Control Sphere",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T12:07:17.759Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2025-55131"
              },
              {
                "name": "RHBZ#2431350",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431350"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-55131.json"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:2899"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:1843"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:1842"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:2422"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:2421"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:2420"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:2768"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:2767"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:2864"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:2783"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:2782"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:2781"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:7386"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:7387"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:6402"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:6431"
              }
            ],
            "solutions": [
              {
                "lang": "en",
                "value": "RHSA-2026:2899: Red Hat Enterprise Linux AppStream EUS (v. 10.0)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:1843: Red Hat Enterprise Linux AppStream (v. 10)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:1842: Red Hat Enterprise Linux AppStream (v. 10)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:2422: Red Hat Enterprise Linux AppStream (v. 8)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:2421: Red Hat Enterprise Linux AppStream (v. 8)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:2420: Red Hat Enterprise Linux AppStream (v. 8)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:2768: Red Hat Enterprise Linux AppStream EUS (v.9.4)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:2767: Red Hat Enterprise Linux AppStream EUS (v.9.6)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:2864: Red Hat Enterprise Linux AppStream EUS (v.9.6)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:2783: Red Hat Enterprise Linux AppStream (v. 9)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:2782: Red Hat Enterprise Linux AppStream (v. 9)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:2781: Red Hat Enterprise Linux AppStream (v. 9)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:7386: Red Hat Hardened Images"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:7387: Red Hat Hardened Images"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:6402: Red Hat Hardened Images"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:6431: Red Hat Hardened Images"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-01-20T21:02:45.759Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-01-20T20:41:55.591Z",
                "value": "Made public."
              }
            ],
            "title": "nodejs: Nodejs uninitialized memory exposure",
            "workarounds": [
              {
                "lang": "en",
                "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
              }
            ],
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "node",
              "vendor": "nodejs",
              "versions": [
                {
                  "lessThanOrEqual": "20.19.6",
                  "status": "affected",
                  "version": "20.19.6",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "22.21.1",
                  "status": "affected",
                  "version": "22.21.1",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "24.12.0",
                  "status": "affected",
                  "version": "24.12.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "25.2.1",
                  "status": "affected",
                  "version": "25.2.1",
                  "versionType": "semver"
                },
                {
                  "lessThan": "4.*",
                  "status": "affected",
                  "version": "4.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.*",
                  "status": "affected",
                  "version": "5.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "6.*",
                  "status": "affected",
                  "version": "6.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "7.*",
                  "status": "affected",
                  "version": "7.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.*",
                  "status": "affected",
                  "version": "8.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "9.*",
                  "status": "affected",
                  "version": "9.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "10.*",
                  "status": "affected",
                  "version": "10.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "11.*",
                  "status": "affected",
                  "version": "11.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.*",
                  "status": "affected",
                  "version": "12.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "13.*",
                  "status": "affected",
                  "version": "13.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "14.*",
                  "status": "affected",
                  "version": "14.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "15.*",
                  "status": "affected",
                  "version": "15.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "16.*",
                  "status": "affected",
                  "version": "16.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "17.*",
                  "status": "affected",
                  "version": "17.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "18.*",
                  "status": "affected",
                  "version": "18.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw in Node.js\u0027s buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption. While exploitation typically requires precise timing or in-process code execution, it can become remotely exploitable when untrusted input influences workload and timeouts, leading to potential confidentiality and integrity impact."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L",
                "version": "3.0"
              }
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-20T20:41:55.591Z",
            "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            "shortName": "hackerone"
          },
          "references": [
            {
              "url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "assignerShortName": "hackerone",
        "cveId": "CVE-2025-55131",
        "datePublished": "2026-01-20T20:41:55.591Z",
        "dateReserved": "2025-08-07T15:00:05.576Z",
        "dateUpdated": "2026-06-30T12:07:17.759Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-55130 (GCVE-0-2025-55130)

    Vulnerability from cvelistv5 – Published: 2026-01-20 20:41 – Updated: 2026-06-30 12:07
    VLAI
    Summary
    A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write, leading to potential system compromise. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-289 - Authentication Bypass by Alternate Name
    • CWE-281 - Improper Preservation of Permissions
    Assigner
    References
    URL Tags
    https://nodejs.org/en/blog/vulnerability/december…
    https://access.redhat.com/security/cve/CVE-2025-55130 vdb-entryx_refsource_REDHAT
    https://bugzilla.redhat.com/show_bug.cgi?id=2431352 issue-trackingx_refsource_REDHAT
    https://security.access.redhat.com/data/csaf/v2/v… x_sadp-csaf-vex
    https://access.redhat.com/errata/RHSA-2026:2899 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:1843 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:1842 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:2422 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:2421 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:2420 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:2768 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:2767 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:2864 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:2783 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:2782 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:2781 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:7386 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:7387 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:6402 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:6431 vendor-advisoryx_refsource_REDHAT
    Impacted products
    Vendor Product Version
    nodejs node Affected: 20.19.6 , ≤ 20.19.6 (semver)
    Affected: 22.21.1 , ≤ 22.21.1 (semver)
    Affected: 24.12.0 , ≤ 24.12.0 (semver)
    Affected: 25.2.1 , ≤ 25.2.1 (semver)
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream EUS (v. 10.0)     cpe:/o:redhat:enterprise_linux_eus:10.0
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream (v. 10)     cpe:/o:redhat:enterprise_linux:10.1
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream (v. 8)     cpe:/a:redhat:enterprise_linux:8::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream EUS (v.9.4)     cpe:/a:redhat:rhel_eus:9.4::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream EUS (v.9.6)     cpe:/a:redhat:rhel_eus:9.6::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream (v. 9)     cpe:/a:redhat:enterprise_linux:9::appstream
    Create a notification for this product.
    Red Hat Red Hat Hardened Images     cpe:/a:redhat:hummingbird:1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-55130",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-22T04:55:29.925532Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-289",
                    "description": "CWE-289 Authentication Bypass by Alternate Name",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-26T14:44:42.329Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux_eus:10.0"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:10.1"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream (v. 10)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:enterprise_linux:8::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream (v. 8)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_eus:9.4::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream EUS (v.9.4)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_eus:9.6::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream EUS (v.9.6)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:enterprise_linux:9::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream (v. 9)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:hummingbird:1"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Hardened Images",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-01-20T20:41:55.393Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw in Node.js\u2019s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "LOCAL",
                  "availabilityImpact": "NONE",
                  "baseScore": 7.1,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-281",
                    "description": "Improper Preservation of Permissions",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T12:07:18.054Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2025-55130"
              },
              {
                "name": "RHBZ#2431352",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431352"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-55130.json"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:2899"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:1843"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:1842"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:2422"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:2421"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:2420"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:2768"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:2767"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:2864"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:2783"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:2782"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:2781"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:7386"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:7387"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:6402"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:6431"
              }
            ],
            "solutions": [
              {
                "lang": "en",
                "value": "RHSA-2026:2899: Red Hat Enterprise Linux AppStream EUS (v. 10.0)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:1843: Red Hat Enterprise Linux AppStream (v. 10)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:1842: Red Hat Enterprise Linux AppStream (v. 10)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:2422: Red Hat Enterprise Linux AppStream (v. 8)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:2421: Red Hat Enterprise Linux AppStream (v. 8)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:2420: Red Hat Enterprise Linux AppStream (v. 8)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:2768: Red Hat Enterprise Linux AppStream EUS (v.9.4)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:2767: Red Hat Enterprise Linux AppStream EUS (v.9.6)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:2864: Red Hat Enterprise Linux AppStream EUS (v.9.6)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:2783: Red Hat Enterprise Linux AppStream (v. 9)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:2782: Red Hat Enterprise Linux AppStream (v. 9)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:2781: Red Hat Enterprise Linux AppStream (v. 9)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:7386: Red Hat Hardened Images"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:7387: Red Hat Hardened Images"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:6402: Red Hat Hardened Images"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:6431: Red Hat Hardened Images"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-01-20T21:03:01.083Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-01-20T20:41:55.393Z",
                "value": "Made public."
              }
            ],
            "title": "nodejs: Nodejs file permissions bypass",
            "workarounds": [
              {
                "lang": "en",
                "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
              }
            ],
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "node",
              "vendor": "nodejs",
              "versions": [
                {
                  "lessThanOrEqual": "20.19.6",
                  "status": "affected",
                  "version": "20.19.6",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "22.21.1",
                  "status": "affected",
                  "version": "22.21.1",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "24.12.0",
                  "status": "affected",
                  "version": "24.12.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "25.2.1",
                  "status": "affected",
                  "version": "25.2.1",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw in Node.js\u2019s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write, leading to potential system compromise.\nThis vulnerability affects users of the permission model on Node.js v20,  v22,  v24, and v25."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.0"
              }
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-20T20:41:55.393Z",
            "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            "shortName": "hackerone"
          },
          "references": [
            {
              "url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "assignerShortName": "hackerone",
        "cveId": "CVE-2025-55130",
        "datePublished": "2026-01-20T20:41:55.393Z",
        "dateReserved": "2025-08-07T15:00:05.576Z",
        "dateUpdated": "2026-06-30T12:07:18.054Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-21637 (GCVE-0-2026-21637)

    Vulnerability from cvelistv5 – Published: 2026-01-20 20:41 – Updated: 2026-01-21 20:22
    VLAI
    Summary
    A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across Node.js versions where these callbacks throw without being safely wrapped.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    Impacted products
    Vendor Product Version
    nodejs node Affected: 20.19.6 , ≤ 20.19.6 (semver)
    Affected: 22.21.1 , ≤ 22.21.1 (semver)
    Affected: 24.12.0 , ≤ 24.12.0 (semver)
    Affected: 25.2.1 , ≤ 25.2.1 (semver)
    Affected: 4.0 , < 4.* (semver)
    Affected: 5.0 , < 5.* (semver)
    Affected: 6.0 , < 6.* (semver)
    Affected: 7.0 , < 7.* (semver)
    Affected: 8.0 , < 8.* (semver)
    Affected: 9.0 , < 9.* (semver)
    Affected: 10.0 , < 10.* (semver)
    Affected: 11.0 , < 11.* (semver)
    Affected: 12.0 , < 12.* (semver)
    Affected: 13.0 , < 13.* (semver)
    Affected: 14.0 , < 14.* (semver)
    Affected: 15.0 , < 15.* (semver)
    Affected: 16.0 , < 16.* (semver)
    Affected: 17.0 , < 17.* (semver)
    Affected: 18.0 , < 18.* (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-21637",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-21T20:22:28.525038Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-400",
                    "description": "CWE-400 Uncontrolled Resource Consumption",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-21T20:22:51.033Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "node",
              "vendor": "nodejs",
              "versions": [
                {
                  "lessThanOrEqual": "20.19.6",
                  "status": "affected",
                  "version": "20.19.6",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "22.21.1",
                  "status": "affected",
                  "version": "22.21.1",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "24.12.0",
                  "status": "affected",
                  "version": "24.12.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "25.2.1",
                  "status": "affected",
                  "version": "25.2.1",
                  "versionType": "semver"
                },
                {
                  "lessThan": "4.*",
                  "status": "affected",
                  "version": "4.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.*",
                  "status": "affected",
                  "version": "5.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "6.*",
                  "status": "affected",
                  "version": "6.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "7.*",
                  "status": "affected",
                  "version": "7.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.*",
                  "status": "affected",
                  "version": "8.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "9.*",
                  "status": "affected",
                  "version": "9.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "10.*",
                  "status": "affected",
                  "version": "10.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "11.*",
                  "status": "affected",
                  "version": "11.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.*",
                  "status": "affected",
                  "version": "12.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "13.*",
                  "status": "affected",
                  "version": "13.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "14.*",
                  "status": "affected",
                  "version": "14.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "15.*",
                  "status": "affected",
                  "version": "15.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "16.*",
                  "status": "affected",
                  "version": "16.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "17.*",
                  "status": "affected",
                  "version": "17.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "18.*",
                  "status": "affected",
                  "version": "18.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across Node.js versions where these callbacks throw without being safely wrapped."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.0"
              }
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-20T20:41:55.352Z",
            "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            "shortName": "hackerone"
          },
          "references": [
            {
              "url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "assignerShortName": "hackerone",
        "cveId": "CVE-2026-21637",
        "datePublished": "2026-01-20T20:41:55.352Z",
        "dateReserved": "2026-01-01T15:00:02.339Z",
        "dateUpdated": "2026-01-21T20:22:51.033Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-59465 (GCVE-0-2025-59465)

    Vulnerability from cvelistv5 – Published: 2026-01-20 20:41 – Updated: 2026-06-30 12:07
    VLAI
    Summary
    A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets, for example: ``` server.on('secureConnection', socket => { socket.on('error', err => { console.log(err) }) }) ```
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    • CWE-248 - Uncaught Exception
    Assigner
    References
    URL Tags
    https://nodejs.org/en/blog/vulnerability/december…
    https://access.redhat.com/security/cve/CVE-2025-59465 vdb-entryx_refsource_REDHAT
    https://bugzilla.redhat.com/show_bug.cgi?id=2431349 issue-trackingx_refsource_REDHAT
    https://security.access.redhat.com/data/csaf/v2/v… x_sadp-csaf-vex
    https://access.redhat.com/errata/RHSA-2026:2899 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:1843 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:1842 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:2422 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:2421 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:2420 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:2768 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:2767 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:2864 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:2783 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:2782 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:2781 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:7386 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:7387 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:6402 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:6431 vendor-advisoryx_refsource_REDHAT
    Impacted products
    Vendor Product Version
    nodejs node Affected: 20.19.6 , ≤ 20.19.6 (semver)
    Affected: 22.21.1 , ≤ 22.21.1 (semver)
    Affected: 24.12.0 , ≤ 24.12.0 (semver)
    Affected: 25.2.1 , ≤ 25.2.1 (semver)
    Affected: 4.0 , < 4.* (semver)
    Affected: 5.0 , < 5.* (semver)
    Affected: 6.0 , < 6.* (semver)
    Affected: 7.0 , < 7.* (semver)
    Affected: 8.0 , < 8.* (semver)
    Affected: 9.0 , < 9.* (semver)
    Affected: 10.0 , < 10.* (semver)
    Affected: 11.0 , < 11.* (semver)
    Affected: 12.0 , < 12.* (semver)
    Affected: 13.0 , < 13.* (semver)
    Affected: 14.0 , < 14.* (semver)
    Affected: 15.0 , < 15.* (semver)
    Affected: 16.0 , < 16.* (semver)
    Affected: 17.0 , < 17.* (semver)
    Affected: 18.0 , < 18.* (semver)
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream EUS (v. 10.0)     cpe:/o:redhat:enterprise_linux_eus:10.0
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream (v. 10)     cpe:/o:redhat:enterprise_linux:10.1
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream (v. 8)     cpe:/a:redhat:enterprise_linux:8::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream EUS (v.9.4)     cpe:/a:redhat:rhel_eus:9.4::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream EUS (v.9.6)     cpe:/a:redhat:rhel_eus:9.6::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream (v. 9)     cpe:/a:redhat:enterprise_linux:9::appstream
    Create a notification for this product.
    Red Hat Red Hat Hardened Images     cpe:/a:redhat:hummingbird:1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-59465",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-21T20:10:32.296610Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-400",
                    "description": "CWE-400 Uncontrolled Resource Consumption",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-21T20:11:28.986Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux_eus:10.0"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:10.1"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream (v. 10)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:enterprise_linux:8::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream (v. 8)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_eus:9.4::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream EUS (v.9.4)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_eus:9.6::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream EUS (v.9.6)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:enterprise_linux:9::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream (v. 9)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:hummingbird:1"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Hardened Images",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-01-20T20:41:55.317Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A denial of service flaw has been discovered in NodeJS. A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets"
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-248",
                    "description": "Uncaught Exception",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T12:07:16.517Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2025-59465"
              },
              {
                "name": "RHBZ#2431349",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431349"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-59465.json"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:2899"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:1843"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:1842"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:2422"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:2421"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:2420"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:2768"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:2767"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:2864"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:2783"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:2782"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:2781"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:7386"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:7387"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:6402"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:6431"
              }
            ],
            "solutions": [
              {
                "lang": "en",
                "value": "RHSA-2026:2899: Red Hat Enterprise Linux AppStream EUS (v. 10.0)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:1843: Red Hat Enterprise Linux AppStream (v. 10)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:1842: Red Hat Enterprise Linux AppStream (v. 10)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:2422: Red Hat Enterprise Linux AppStream (v. 8)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:2421: Red Hat Enterprise Linux AppStream (v. 8)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:2420: Red Hat Enterprise Linux AppStream (v. 8)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:2768: Red Hat Enterprise Linux AppStream EUS (v.9.4)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:2767: Red Hat Enterprise Linux AppStream EUS (v.9.6)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:2864: Red Hat Enterprise Linux AppStream EUS (v.9.6)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:2783: Red Hat Enterprise Linux AppStream (v. 9)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:2782: Red Hat Enterprise Linux AppStream (v. 9)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:2781: Red Hat Enterprise Linux AppStream (v. 9)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:7386: Red Hat Hardened Images"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:7387: Red Hat Hardened Images"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:6402: Red Hat Hardened Images"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:6431: Red Hat Hardened Images"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-01-20T21:02:37.799Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-01-20T20:41:55.317Z",
                "value": "Made public."
              }
            ],
            "title": "nodejs: Nodejs denial of service",
            "workarounds": [
              {
                "lang": "en",
                "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
              }
            ],
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "node",
              "vendor": "nodejs",
              "versions": [
                {
                  "lessThanOrEqual": "20.19.6",
                  "status": "affected",
                  "version": "20.19.6",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "22.21.1",
                  "status": "affected",
                  "version": "22.21.1",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "24.12.0",
                  "status": "affected",
                  "version": "24.12.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "25.2.1",
                  "status": "affected",
                  "version": "25.2.1",
                  "versionType": "semver"
                },
                {
                  "lessThan": "4.*",
                  "status": "affected",
                  "version": "4.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.*",
                  "status": "affected",
                  "version": "5.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "6.*",
                  "status": "affected",
                  "version": "6.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "7.*",
                  "status": "affected",
                  "version": "7.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.*",
                  "status": "affected",
                  "version": "8.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "9.*",
                  "status": "affected",
                  "version": "9.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "10.*",
                  "status": "affected",
                  "version": "10.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "11.*",
                  "status": "affected",
                  "version": "11.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.*",
                  "status": "affected",
                  "version": "12.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "13.*",
                  "status": "affected",
                  "version": "13.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "14.*",
                  "status": "affected",
                  "version": "14.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "15.*",
                  "status": "affected",
                  "version": "15.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "16.*",
                  "status": "affected",
                  "version": "16.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "17.*",
                  "status": "affected",
                  "version": "17.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "18.*",
                  "status": "affected",
                  "version": "18.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets, for example:\n```\nserver.on(\u0027secureConnection\u0027, socket =\u003e {\n  socket.on(\u0027error\u0027, err =\u003e {\n    console.log(err)\n  })\n})\n```"
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.0"
              }
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-20T20:41:55.317Z",
            "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            "shortName": "hackerone"
          },
          "references": [
            {
              "url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "assignerShortName": "hackerone",
        "cveId": "CVE-2025-59465",
        "datePublished": "2026-01-20T20:41:55.317Z",
        "dateReserved": "2025-09-16T15:00:07.875Z",
        "dateUpdated": "2026-06-30T12:07:16.517Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-27210 (GCVE-0-2025-27210)

    Vulnerability from cvelistv5 – Published: 2025-07-18 22:54 – Updated: 2025-11-04 21:09
    VLAI
    Summary
    An incomplete fix has been identified for CVE-2025-23084 in Node.js, specifically affecting Windows device names like CON, PRN, and AUX. This vulnerability affects Windows users of `path.join` API.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    Impacted products
    Vendor Product Version
    nodejs node Affected: 20.0.0 , < 20.19.4 (semver)
    Affected: 22.0.0 , < 22.17.1 (semver)
    Affected: 24.0.0 , < 24.4.1 (semver)
    Create a notification for this product.
    nodejs nodejs Affected: 4.0 , < 4.* (semver)
    Affected: 5.0 , < 5.* (semver)
    Affected: 6.0 , < 6.* (semver)
    Affected: 7.0 , < 7.* (semver)
    Affected: 8.0 , < 8.* (semver)
    Affected: 9.0 , < 9.* (semver)
    Affected: 10.0 , < 10.* (semver)
    Affected: 11.0 , < 11.* (semver)
    Affected: 12.0 , < 12.* (semver)
    Affected: 13.0 , < 13.* (semver)
    Affected: 14.0 , < 14.* (semver)
    Affected: 15.0 , < 15.* (semver)
    Affected: 16.0 , < 16.* (semver)
    Affected: 17.0 , < 17.* (semver)
    Affected: 18.0 , < 18.* (semver)
    Affected: 19.0 , < 19.* (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-27210",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-07-21T17:11:02.439546Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-22",
                    "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-07-21T18:38:49.855Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-11-04T21:09:47.526Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2025/07/22/2"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "node",
              "vendor": "nodejs",
              "versions": [
                {
                  "lessThan": "20.19.4",
                  "status": "affected",
                  "version": "20.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "22.17.1",
                  "status": "affected",
                  "version": "22.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "24.4.1",
                  "status": "affected",
                  "version": "24.0.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "nodejs",
              "vendor": "nodejs",
              "versions": [
                {
                  "lessThan": "4.*",
                  "status": "affected",
                  "version": "4.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.*",
                  "status": "affected",
                  "version": "5.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "6.*",
                  "status": "affected",
                  "version": "6.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "7.*",
                  "status": "affected",
                  "version": "7.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "8.*",
                  "status": "affected",
                  "version": "8.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "9.*",
                  "status": "affected",
                  "version": "9.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "10.*",
                  "status": "affected",
                  "version": "10.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "11.*",
                  "status": "affected",
                  "version": "11.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "12.*",
                  "status": "affected",
                  "version": "12.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "13.*",
                  "status": "affected",
                  "version": "13.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "14.*",
                  "status": "affected",
                  "version": "14.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "15.*",
                  "status": "affected",
                  "version": "15.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "16.*",
                  "status": "affected",
                  "version": "16.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "17.*",
                  "status": "affected",
                  "version": "17.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "18.*",
                  "status": "affected",
                  "version": "18.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "19.*",
                  "status": "affected",
                  "version": "19.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "An incomplete fix has been identified for CVE-2025-23084 in Node.js, specifically affecting Windows device names like CON, PRN, and AUX. \r\n\r\nThis vulnerability affects Windows users of `path.join` API."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.0"
              }
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-07-18T22:54:27.227Z",
            "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            "shortName": "hackerone"
          },
          "references": [
            {
              "url": "https://nodejs.org/en/blog/vulnerability/july-2025-security-releases"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "assignerShortName": "hackerone",
        "cveId": "CVE-2025-27210",
        "datePublished": "2025-07-18T22:54:27.227Z",
        "dateReserved": "2025-02-20T01:00:01.798Z",
        "dateUpdated": "2025-11-04T21:09:47.526Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-27209 (GCVE-0-2025-27209)

    Vulnerability from cvelistv5 – Published: 2025-07-18 22:54 – Updated: 2025-11-04 21:09
    VLAI
    Summary
    The V8 release used in Node.js v24.0.0 has changed how string hashes are computed using rapidhash. This implementation re-introduces the HashDoS vulnerability as an attacker who can control the strings to be hashed can generate many hash collisions - an attacker can generate collisions even without knowing the hash-seed. * This vulnerability affects Node.js v24.x users.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-407 - Inefficient Algorithmic Complexity
    Assigner
    Impacted products
    Vendor Product Version
    nodejs node Affected: 24.0.0 , < 24.4.1 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-27209",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-07-21T17:14:28.794403Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-407",
                    "description": "CWE-407 Inefficient Algorithmic Complexity",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-07-21T18:38:55.180Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-11-04T21:09:46.228Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2025/07/22/2"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "node",
              "vendor": "nodejs",
              "versions": [
                {
                  "lessThan": "24.4.1",
                  "status": "affected",
                  "version": "24.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The V8 release used in Node.js v24.0.0 has changed how string hashes are computed using rapidhash. This implementation re-introduces the HashDoS vulnerability as an attacker who can control the strings to be hashed can generate many hash collisions - an attacker can generate collisions even without knowing the hash-seed.\r\n\r\n* This vulnerability affects Node.js v24.x users."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.0"
              }
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-07-18T22:54:27.205Z",
            "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            "shortName": "hackerone"
          },
          "references": [
            {
              "url": "https://nodejs.org/en/blog/vulnerability/july-2025-security-releases"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "assignerShortName": "hackerone",
        "cveId": "CVE-2025-27209",
        "datePublished": "2025-07-18T22:54:27.205Z",
        "dateReserved": "2025-02-20T01:00:01.798Z",
        "dateUpdated": "2025-11-04T21:09:46.228Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }