Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2025-59464 (GCVE-0-2025-59464)
Vulnerability from cvelistv5 – Published: 2026-01-20 20:41 – Updated: 2026-01-21 20:41
VLAI
EPSS
Summary
A memory leak in Node.js’s OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. When applications call `socket.getPeerCertificate(true)`, each certificate field leaks memory, allowing remote clients to trigger steady memory growth through repeated TLS connections. Over time this can lead to resource exhaustion and denial of service.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
1 reference
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59464",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-21T20:40:07.879640Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-21T20:41:09.437Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "node",
"vendor": "nodejs",
"versions": [
{
"lessThan": "24.12.0",
"status": "affected",
"version": "24.12.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A memory leak in Node.js\u2019s OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. When applications call `socket.getPeerCertificate(true)`, each certificate field leaks memory, allowing remote clients to trigger steady memory growth through repeated TLS connections. Over time this can lead to resource exhaustion and denial of service."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.0"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T20:41:55.599Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2025-59464",
"datePublished": "2026-01-20T20:41:55.599Z",
"dateReserved": "2025-09-16T15:00:07.875Z",
"dateUpdated": "2026-01-21T20:41:09.437Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2025-59464",
"date": "2026-06-28",
"epss": "0.0023",
"percentile": "0.13707"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2025-59464\",\"sourceIdentifier\":\"support@hackerone.com\",\"published\":\"2026-01-20T21:16:03.900\",\"lastModified\":\"2026-06-17T09:46:12.450\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A memory leak in Node.js\u2019s OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. When applications call `socket.getPeerCertificate(true)`, each certificate field leaks memory, allowing remote clients to trigger steady memory growth through repeated TLS connections. Over time this can lead to resource exhaustion and denial of service.\"},{\"lang\":\"es\",\"value\":\"Una fuga de memoria en la integraci\u00f3n de OpenSSL de Node.js ocurre al convertir campos de certificado \u0027X.509\u0027 a UTF-8 sin liberar el b\u00fafer asignado. Cuando las aplicaciones llaman a \u0027socket.getPeerCertificate(true)\u0027, cada campo de certificado fuga memoria, permitiendo a clientes remotos desencadenar un crecimiento constante de la memoria a trav\u00e9s de conexiones TLS repetidas. Con el tiempo, esto puede llevar al agotamiento de recursos y a la denegaci\u00f3n de servicio.\"}],\"affected\":[{\"source\":\"support@hackerone.com\",\"affectedData\":[{\"vendor\":\"nodejs\",\"product\":\"node\",\"defaultStatus\":\"unaffected\",\"versions\":[{\"version\":\"24.12.0\",\"lessThan\":\"24.12.0\",\"versionType\":\"semver\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"cvssMetricV30\":[{\"source\":\"support@hackerone.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-01-21T20:40:07.879640Z\",\"id\":\"CVE-2025-59464\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"no\"},{\"technicalImpact\":\"partial\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-400\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*\",\"versionStartIncluding\":\"24.0.0\",\"versionEndExcluding\":\"24.12.0\",\"matchCriteriaId\":\"C2C21118-9E06-473D-8287-10F2181A067B\"}]}]}],\"references\":[{\"url\":\"https://nodejs.org/en/blog/vulnerability/december-2025-security-releases\",\"source\":\"support@hackerone.com\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-59464\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-01-21T20:40:07.879640Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-400\", \"description\": \"CWE-400 Uncontrolled Resource Consumption\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-01-21T20:41:05.620Z\"}}], \"cna\": {\"metrics\": [{\"cvssV3_0\": {\"version\": \"3.0\", \"baseScore\": 6.5, \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\"}}], \"affected\": [{\"vendor\": \"nodejs\", \"product\": \"node\", \"versions\": [{\"status\": \"affected\", \"version\": \"24.12.0\", \"lessThan\": \"24.12.0\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://nodejs.org/en/blog/vulnerability/december-2025-security-releases\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"A memory leak in Node.js\\u2019s OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. When applications call `socket.getPeerCertificate(true)`, each certificate field leaks memory, allowing remote clients to trigger steady memory growth through repeated TLS connections. Over time this can lead to resource exhaustion and denial of service.\"}], \"providerMetadata\": {\"orgId\": \"36234546-b8fa-4601-9d6f-f4e334aa8ea1\", \"shortName\": \"hackerone\", \"dateUpdated\": \"2026-01-20T20:41:55.599Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-59464\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-01-21T20:41:09.437Z\", \"dateReserved\": \"2025-09-16T15:00:07.875Z\", \"assignerOrgId\": \"36234546-b8fa-4601-9d6f-f4e334aa8ea1\", \"datePublished\": \"2026-01-20T20:41:55.599Z\", \"assignerShortName\": \"hackerone\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
RHSA-2026:6402
Vulnerability from csaf_redhat - Published: 2026-04-01 16:46 - Updated: 2026-06-28 12:57Summary
Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update
Severity
Important
Notes
Topic: An update for Red Hat Hardened Images RPMs is now available.
Details: This update includes the following RPMs:
nodejs24:
* nodejs24-24.14.1-4.hum1 (aarch64, x86_64)
* nodejs24-bin-24.14.1-4.hum1 (noarch)
* nodejs24-devel-24.14.1-4.hum1 (aarch64, x86_64)
* nodejs24-docs-24.14.1-4.hum1 (noarch)
* nodejs24-full-i18n-24.14.1-4.hum1 (aarch64, x86_64)
* nodejs24-libs-24.14.1-4.hum1 (aarch64, x86_64)
* nodejs24-npm-11.11.0-1.24.14.1.4.hum1 (noarch)
* nodejs24-npm-bin-24.14.1-4.hum1 (noarch)
* v8-13.6-devel-13.6.233.17-1.24.14.1.4.hum1 (aarch64, x86_64)
* nodejs24-24.14.1-4.hum1.src (source)
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write.
7.1 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A memory exposure flaw has been discovered in Node.js. A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption.
7.1 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A file access flaw has been discovered in NodeJS. A file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs.
5.3 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A resource consumption flaw has been discovered in NodeJS. A memory leak in Node.js’s OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. When applications call `socket.getPeerCertificate(true)`, each certificate field leaks memory, allowing remote clients to trigger steady memory growth through repeated TLS connections. Over time this can lead to resource exhaustion and denial of service.
6.5 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A denial of service flaw has been discovered in NodeJS. A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets
7.5 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A stack overflow flaw has been discovered in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on('uncaughtException')`, the process terminates, making the crash unrecoverable. Applications that rely on `AsyncLocalStorage` (v22, v20) or `async_hooks.createHook()` (v24, v22, v20) become vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions.
5.9 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw in Node.js's permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when `--permission` is enabled. Even without `--allow-net`, attacker-controlled inputs (such as URLs or socketPath options) can connect to arbitrary local sockets via net, tls, or undici/fetch. This breaks the intended security boundary of the permission model and enables access to privileged local services, potentially leading to privilege escalation, data exposure, or local code execution.
5.8 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across Node.js versions where these callbacks throw without being safely wrapped.
5.9 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Node.js. An incomplete security fix allows code operating under restricted file system write permissions to bypass these limitations. This vulnerability enables the modification of file permissions and ownership on already-open files, even when explicit write access is denied. Such a bypass could lead to unauthorized changes to system files.
CWE-279 - Incorrect Execution-Assigned PermissionsAffected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Low
A flaw was found in V8's string hashing mechanism within Node.js. A remote attacker can exploit this vulnerability by crafting requests containing integer-like strings. These specially crafted strings cause predictable hash collisions in V8's internal string table, particularly when processed by functions like JSON.parse() on attacker-controlled input. This can significantly degrade the performance of the Node.js process, leading to a Denial of Service (DoS) condition.
5.9 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
References
56 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for Red Hat Hardened Images RPMs is now available.",
"title": "Topic"
},
{
"category": "general",
"text": "This update includes the following RPMs:\n\nnodejs24:\n * nodejs24-24.14.1-4.hum1 (aarch64, x86_64)\n * nodejs24-bin-24.14.1-4.hum1 (noarch)\n * nodejs24-devel-24.14.1-4.hum1 (aarch64, x86_64)\n * nodejs24-docs-24.14.1-4.hum1 (noarch)\n * nodejs24-full-i18n-24.14.1-4.hum1 (aarch64, x86_64)\n * nodejs24-libs-24.14.1-4.hum1 (aarch64, x86_64)\n * nodejs24-npm-11.11.0-1.24.14.1.4.hum1 (noarch)\n * nodejs24-npm-bin-24.14.1-4.hum1 (noarch)\n * v8-13.6-devel-13.6.233.17-1.24.14.1.4.hum1 (aarch64, x86_64)\n * nodejs24-24.14.1-4.hum1.src (source)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:6402",
"url": "https://access.redhat.com/errata/RHSA-2026:6402"
},
{
"category": "external",
"summary": "https://images.redhat.com/",
"url": "https://images.redhat.com/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-21637",
"url": "https://access.redhat.com/security/cve/CVE-2026-21637"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-21636",
"url": "https://access.redhat.com/security/cve/CVE-2026-21636"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-59466",
"url": "https://access.redhat.com/security/cve/CVE-2025-59466"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-59465",
"url": "https://access.redhat.com/security/cve/CVE-2025-59465"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-59464",
"url": "https://access.redhat.com/security/cve/CVE-2025-59464"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-55132",
"url": "https://access.redhat.com/security/cve/CVE-2025-55132"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-55131",
"url": "https://access.redhat.com/security/cve/CVE-2025-55131"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-55130",
"url": "https://access.redhat.com/security/cve/CVE-2025-55130"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-21717",
"url": "https://access.redhat.com/security/cve/CVE-2026-21717"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-21716",
"url": "https://access.redhat.com/security/cve/CVE-2026-21716"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_6402.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update",
"tracking": {
"current_release_date": "2026-06-28T12:57:49+00:00",
"generator": {
"date": "2026-06-28T12:57:49+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.2.6"
}
},
"id": "RHSA-2026:6402",
"initial_release_date": "2026-04-01T16:46:17+00:00",
"revision_history": [
{
"date": "2026-04-01T16:46:17+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-04-18T19:57:10+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-28T12:57:49+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Hardened Images",
"product": {
"name": "Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:hummingbird:1"
}
}
}
],
"category": "product_family",
"name": "Red Hat Hardened Images"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs24-main@aarch64",
"product": {
"name": "nodejs24-main@aarch64",
"product_id": "nodejs24-main@aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs24@24.14.1-4.hum1?arch=aarch64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-aarch64-rpms"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs24-main@src",
"product": {
"name": "nodejs24-main@src",
"product_id": "nodejs24-main@src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs24@24.14.1-4.hum1?arch=source\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-source-rpms"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs24-main@x86_64",
"product": {
"name": "nodejs24-main@x86_64",
"product_id": "nodejs24-main@x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs24@24.14.1-4.hum1?arch=x86_64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs24-main@noarch",
"product": {
"name": "nodejs24-main@noarch",
"product_id": "nodejs24-main@noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs24-bin@24.14.1-4.hum1?arch=noarch\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-main@aarch64 as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:nodejs24-main@aarch64"
},
"product_reference": "nodejs24-main@aarch64",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-main@noarch as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:nodejs24-main@noarch"
},
"product_reference": "nodejs24-main@noarch",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-main@src as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:nodejs24-main@src"
},
"product_reference": "nodejs24-main@src",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-main@x86_64 as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:nodejs24-main@x86_64"
},
"product_reference": "nodejs24-main@x86_64",
"relates_to_product_reference": "Red Hat Hardened Images"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-55130",
"cwe": {
"id": "CWE-281",
"name": "Improper Preservation of Permissions"
},
"discovery_date": "2026-01-20T21:03:01.083023+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431352"
}
],
"notes": [
{
"category": "description",
"text": "A flaw in Node.js\u2019s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs file permissions bypass",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-55130"
},
{
"category": "external",
"summary": "RHBZ#2431352",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431352"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-55130",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55130"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-55130",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55130"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.393000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-01T16:46:17+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6402"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "nodejs: Nodejs file permissions bypass"
},
{
"cve": "CVE-2025-55131",
"cwe": {
"id": "CWE-497",
"name": "Exposure of Sensitive System Information to an Unauthorized Control Sphere"
},
"discovery_date": "2026-01-20T21:02:45.759578+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431350"
}
],
"notes": [
{
"category": "description",
"text": "A memory exposure flaw has been discovered in Node.js. A flaw in Node.js\u0027s buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs uninitialized memory exposure",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-55131"
},
{
"category": "external",
"summary": "RHBZ#2431350",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431350"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-55131",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55131"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-55131",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55131"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.591000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-01T16:46:17+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6402"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "nodejs: Nodejs uninitialized memory exposure"
},
{
"cve": "CVE-2025-55132",
"cwe": {
"id": "CWE-281",
"name": "Improper Preservation of Permissions"
},
"discovery_date": "2026-01-20T21:01:12.192484+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431338"
}
],
"notes": [
{
"category": "description",
"text": "A file access flaw has been discovered in NodeJS. A file\u0027s access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs filesystem permissions bypass",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-55132"
},
{
"category": "external",
"summary": "RHBZ#2431338",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431338"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-55132",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55132"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-55132",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55132"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.620000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-01T16:46:17+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6402"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
},
"products": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Nodejs filesystem permissions bypass"
},
{
"cve": "CVE-2025-59464",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-01-20T21:01:52.581156+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431344"
}
],
"notes": [
{
"category": "description",
"text": "A resource consumption flaw has been discovered in NodeJS. A memory leak in Node.js\u2019s OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. When applications call `socket.getPeerCertificate(true)`, each certificate field leaks memory, allowing remote clients to trigger steady memory growth through repeated TLS connections. Over time this can lead to resource exhaustion and denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs memory leak",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-59464"
},
{
"category": "external",
"summary": "RHBZ#2431344",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431344"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-59464",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-59464"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-59464",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59464"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.599000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-01T16:46:17+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6402"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Nodejs memory leak"
},
{
"cve": "CVE-2025-59465",
"cwe": {
"id": "CWE-248",
"name": "Uncaught Exception"
},
"discovery_date": "2026-01-20T21:02:37.799525+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431349"
}
],
"notes": [
{
"category": "description",
"text": "A denial of service flaw has been discovered in NodeJS. A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs denial of service",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-59465"
},
{
"category": "external",
"summary": "RHBZ#2431349",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431349"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-59465",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-59465"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-59465",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59465"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.317000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-01T16:46:17+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6402"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "nodejs: Nodejs denial of service"
},
{
"cve": "CVE-2025-59466",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-01-20T21:01:46.025710+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431343"
}
],
"notes": [
{
"category": "description",
"text": "A stack overflow flaw has been discovered in Node.js error handling where \"Maximum call stack size exceeded\" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on(\u0027uncaughtException\u0027)`, the process terminates, making the crash unrecoverable. Applications that rely on `AsyncLocalStorage` (v22, v20) or `async_hooks.createHook()` (v24, v22, v20) become vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs denial of service",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This flaw requires that the experimental Async hook feature is enabled for use in NodeJS. This feature is not enabled by default on Red Hat systems.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-59466"
},
{
"category": "external",
"summary": "RHBZ#2431343",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431343"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-59466",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-59466"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-59466",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59466"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.628000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-01T16:46:17+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6402"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Nodejs denial of service"
},
{
"cve": "CVE-2026-21636",
"cwe": {
"id": "CWE-281",
"name": "Improper Preservation of Permissions"
},
"discovery_date": "2026-01-20T21:01:41.174266+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431342"
}
],
"notes": [
{
"category": "description",
"text": "A flaw in Node.js\u0027s permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when `--permission` is enabled. Even without `--allow-net`, attacker-controlled inputs (such as URLs or socketPath options) can connect to arbitrary local sockets via net, tls, or undici/fetch. This breaks the intended security boundary of the permission model and enables access to privileged local services, potentially leading to privilege escalation, data exposure, or local code execution.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs network segmentation bypass",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-21636"
},
{
"category": "external",
"summary": "RHBZ#2431342",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431342"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-21636",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-21636"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-21636",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21636"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.700000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-01T16:46:17+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6402"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Nodejs network segmentation bypass"
},
{
"cve": "CVE-2026-21637",
"cwe": {
"id": "CWE-248",
"name": "Uncaught Exception"
},
"discovery_date": "2026-01-20T21:01:26.738343+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431340"
}
],
"notes": [
{
"category": "description",
"text": "A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across Node.js versions where these callbacks throw without being safely wrapped.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs denial of service",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Systems configured according to Red Hat guidelines should have their services set to restart in the event of a process crash. This Host system service management mitigates the availability impact to Red Hat customers.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-21637"
},
{
"category": "external",
"summary": "RHBZ#2431340",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431340"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-21637",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-21637"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-21637",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21637"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.352000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-01T16:46:17+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6402"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Nodejs denial of service"
},
{
"cve": "CVE-2026-21716",
"cwe": {
"id": "CWE-279",
"name": "Incorrect Execution-Assigned Permissions"
},
"discovery_date": "2026-03-30T20:01:51.136802+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2453157"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Node.js. An incomplete security fix allows code operating under restricted file system write permissions to bypass these limitations. This vulnerability enables the modification of file permissions and ownership on already-open files, even when explicit write access is denied. Such a bypass could lead to unauthorized changes to system files.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Node.js: Permission bypass allows unauthorized modification of file permissions and ownership via incomplete security fix.",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-21716"
},
{
"category": "external",
"summary": "RHBZ#2453157",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453157"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-21716",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-21716"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-21716",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21716"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"
}
],
"release_date": "2026-03-30T19:07:28.538000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-01T16:46:17+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6402"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "nodejs: Node.js: Permission bypass allows unauthorized modification of file permissions and ownership via incomplete security fix."
},
{
"cve": "CVE-2026-21717",
"cwe": {
"id": "CWE-328",
"name": "Use of Weak Hash"
},
"discovery_date": "2026-03-30T20:02:10.986695+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2453162"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in V8\u0027s string hashing mechanism within Node.js. A remote attacker can exploit this vulnerability by crafting requests containing integer-like strings. These specially crafted strings cause predictable hash collisions in V8\u0027s internal string table, particularly when processed by functions like JSON.parse() on attacker-controlled input. This can significantly degrade the performance of the Node.js process, leading to a Denial of Service (DoS) condition.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: v8: Node.js: Denial of Service via V8 string hashing mechanism due to predictable hash collisions",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-21717"
},
{
"category": "external",
"summary": "RHBZ#2453162",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453162"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-21717",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-21717"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-21717",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21717"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"
}
],
"release_date": "2026-03-30T19:07:28.415000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-01T16:46:17+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6402"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: v8: Node.js: Denial of Service via V8 string hashing mechanism due to predictable hash collisions"
}
]
}
RHSA-2026:6431
Vulnerability from csaf_redhat - Published: 2026-04-02 08:24 - Updated: 2026-06-28 12:57Summary
Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update
Severity
Important
Notes
Topic: An update for Red Hat Hardened Images RPMs is now available.
Details: This update includes the following RPMs:
nodejs25:
* nodejs25-25.9.0-1.hum1 (aarch64, x86_64)
* nodejs25-bin-25.9.0-1.hum1 (noarch)
* nodejs25-devel-25.9.0-1.hum1 (aarch64, x86_64)
* nodejs25-docs-25.9.0-1.hum1 (noarch)
* nodejs25-full-i18n-25.9.0-1.hum1 (aarch64, x86_64)
* nodejs25-libs-25.9.0-1.hum1 (aarch64, x86_64)
* nodejs25-npm-11.12.1-1.25.9.0.1.hum1 (noarch)
* nodejs25-npm-bin-25.9.0-1.hum1 (noarch)
* v8-14.1-devel-14.1.146.11-1.25.9.0.1.hum1 (aarch64, x86_64)
* nodejs25-25.9.0-1.hum1.src (source)
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write.
7.1 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A memory exposure flaw has been discovered in Node.js. A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption.
7.1 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A file access flaw has been discovered in NodeJS. A file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs.
5.3 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A resource consumption flaw has been discovered in NodeJS. A memory leak in Node.js’s OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. When applications call `socket.getPeerCertificate(true)`, each certificate field leaks memory, allowing remote clients to trigger steady memory growth through repeated TLS connections. Over time this can lead to resource exhaustion and denial of service.
6.5 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A denial of service flaw has been discovered in NodeJS. A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets
7.5 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A stack overflow flaw has been discovered in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on('uncaughtException')`, the process terminates, making the crash unrecoverable. Applications that rely on `AsyncLocalStorage` (v22, v20) or `async_hooks.createHook()` (v24, v22, v20) become vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions.
5.9 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw in Node.js's permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when `--permission` is enabled. Even without `--allow-net`, attacker-controlled inputs (such as URLs or socketPath options) can connect to arbitrary local sockets via net, tls, or undici/fetch. This breaks the intended security boundary of the permission model and enables access to privileged local services, potentially leading to privilege escalation, data exposure, or local code execution.
5.8 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across Node.js versions where these callbacks throw without being safely wrapped.
5.9 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Node.js. An incomplete security fix allows code operating under restricted file system write permissions to bypass these limitations. This vulnerability enables the modification of file permissions and ownership on already-open files, even when explicit write access is denied. Such a bypass could lead to unauthorized changes to system files.
CWE-279 - Incorrect Execution-Assigned PermissionsAffected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Low
A flaw was found in V8's string hashing mechanism within Node.js. A remote attacker can exploit this vulnerability by crafting requests containing integer-like strings. These specially crafted strings cause predictable hash collisions in V8's internal string table, particularly when processed by functions like JSON.parse() on attacker-controlled input. This can significantly degrade the performance of the Node.js process, leading to a Denial of Service (DoS) condition.
5.9 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
References
56 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for Red Hat Hardened Images RPMs is now available.",
"title": "Topic"
},
{
"category": "general",
"text": "This update includes the following RPMs:\n\nnodejs25:\n * nodejs25-25.9.0-1.hum1 (aarch64, x86_64)\n * nodejs25-bin-25.9.0-1.hum1 (noarch)\n * nodejs25-devel-25.9.0-1.hum1 (aarch64, x86_64)\n * nodejs25-docs-25.9.0-1.hum1 (noarch)\n * nodejs25-full-i18n-25.9.0-1.hum1 (aarch64, x86_64)\n * nodejs25-libs-25.9.0-1.hum1 (aarch64, x86_64)\n * nodejs25-npm-11.12.1-1.25.9.0.1.hum1 (noarch)\n * nodejs25-npm-bin-25.9.0-1.hum1 (noarch)\n * v8-14.1-devel-14.1.146.11-1.25.9.0.1.hum1 (aarch64, x86_64)\n * nodejs25-25.9.0-1.hum1.src (source)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:6431",
"url": "https://access.redhat.com/errata/RHSA-2026:6431"
},
{
"category": "external",
"summary": "https://images.redhat.com/",
"url": "https://images.redhat.com/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-21637",
"url": "https://access.redhat.com/security/cve/CVE-2026-21637"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-21636",
"url": "https://access.redhat.com/security/cve/CVE-2026-21636"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-59466",
"url": "https://access.redhat.com/security/cve/CVE-2025-59466"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-59465",
"url": "https://access.redhat.com/security/cve/CVE-2025-59465"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-59464",
"url": "https://access.redhat.com/security/cve/CVE-2025-59464"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-55132",
"url": "https://access.redhat.com/security/cve/CVE-2025-55132"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-55131",
"url": "https://access.redhat.com/security/cve/CVE-2025-55131"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-55130",
"url": "https://access.redhat.com/security/cve/CVE-2025-55130"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-21717",
"url": "https://access.redhat.com/security/cve/CVE-2026-21717"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-21716",
"url": "https://access.redhat.com/security/cve/CVE-2026-21716"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_6431.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update",
"tracking": {
"current_release_date": "2026-06-28T12:57:53+00:00",
"generator": {
"date": "2026-06-28T12:57:53+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.2.6"
}
},
"id": "RHSA-2026:6431",
"initial_release_date": "2026-04-02T08:24:03+00:00",
"revision_history": [
{
"date": "2026-04-02T08:24:03+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-04-18T19:57:07+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-28T12:57:53+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Hardened Images",
"product": {
"name": "Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:hummingbird:1"
}
}
}
],
"category": "product_family",
"name": "Red Hat Hardened Images"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs25-main@aarch64",
"product": {
"name": "nodejs25-main@aarch64",
"product_id": "nodejs25-main@aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs25@25.9.0-1.hum1?arch=aarch64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-aarch64-rpms"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs25-main@src",
"product": {
"name": "nodejs25-main@src",
"product_id": "nodejs25-main@src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs25@25.9.0-1.hum1?arch=source\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-source-rpms"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs25-main@x86_64",
"product": {
"name": "nodejs25-main@x86_64",
"product_id": "nodejs25-main@x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs25@25.9.0-1.hum1?arch=x86_64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs25-main@noarch",
"product": {
"name": "nodejs25-main@noarch",
"product_id": "nodejs25-main@noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs25-bin@25.9.0-1.hum1?arch=noarch\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs25-main@aarch64 as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:nodejs25-main@aarch64"
},
"product_reference": "nodejs25-main@aarch64",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs25-main@noarch as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:nodejs25-main@noarch"
},
"product_reference": "nodejs25-main@noarch",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs25-main@src as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:nodejs25-main@src"
},
"product_reference": "nodejs25-main@src",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs25-main@x86_64 as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:nodejs25-main@x86_64"
},
"product_reference": "nodejs25-main@x86_64",
"relates_to_product_reference": "Red Hat Hardened Images"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-55130",
"cwe": {
"id": "CWE-281",
"name": "Improper Preservation of Permissions"
},
"discovery_date": "2026-01-20T21:03:01.083023+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431352"
}
],
"notes": [
{
"category": "description",
"text": "A flaw in Node.js\u2019s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs file permissions bypass",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-55130"
},
{
"category": "external",
"summary": "RHBZ#2431352",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431352"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-55130",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55130"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-55130",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55130"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.393000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-02T08:24:03+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6431"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "nodejs: Nodejs file permissions bypass"
},
{
"cve": "CVE-2025-55131",
"cwe": {
"id": "CWE-497",
"name": "Exposure of Sensitive System Information to an Unauthorized Control Sphere"
},
"discovery_date": "2026-01-20T21:02:45.759578+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431350"
}
],
"notes": [
{
"category": "description",
"text": "A memory exposure flaw has been discovered in Node.js. A flaw in Node.js\u0027s buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs uninitialized memory exposure",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-55131"
},
{
"category": "external",
"summary": "RHBZ#2431350",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431350"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-55131",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55131"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-55131",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55131"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.591000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-02T08:24:03+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6431"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "nodejs: Nodejs uninitialized memory exposure"
},
{
"cve": "CVE-2025-55132",
"cwe": {
"id": "CWE-281",
"name": "Improper Preservation of Permissions"
},
"discovery_date": "2026-01-20T21:01:12.192484+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431338"
}
],
"notes": [
{
"category": "description",
"text": "A file access flaw has been discovered in NodeJS. A file\u0027s access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs filesystem permissions bypass",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-55132"
},
{
"category": "external",
"summary": "RHBZ#2431338",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431338"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-55132",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55132"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-55132",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55132"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.620000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-02T08:24:03+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6431"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
},
"products": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Nodejs filesystem permissions bypass"
},
{
"cve": "CVE-2025-59464",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-01-20T21:01:52.581156+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431344"
}
],
"notes": [
{
"category": "description",
"text": "A resource consumption flaw has been discovered in NodeJS. A memory leak in Node.js\u2019s OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. When applications call `socket.getPeerCertificate(true)`, each certificate field leaks memory, allowing remote clients to trigger steady memory growth through repeated TLS connections. Over time this can lead to resource exhaustion and denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs memory leak",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-59464"
},
{
"category": "external",
"summary": "RHBZ#2431344",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431344"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-59464",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-59464"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-59464",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59464"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.599000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-02T08:24:03+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6431"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Nodejs memory leak"
},
{
"cve": "CVE-2025-59465",
"cwe": {
"id": "CWE-248",
"name": "Uncaught Exception"
},
"discovery_date": "2026-01-20T21:02:37.799525+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431349"
}
],
"notes": [
{
"category": "description",
"text": "A denial of service flaw has been discovered in NodeJS. A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs denial of service",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-59465"
},
{
"category": "external",
"summary": "RHBZ#2431349",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431349"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-59465",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-59465"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-59465",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59465"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.317000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-02T08:24:03+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6431"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "nodejs: Nodejs denial of service"
},
{
"cve": "CVE-2025-59466",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-01-20T21:01:46.025710+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431343"
}
],
"notes": [
{
"category": "description",
"text": "A stack overflow flaw has been discovered in Node.js error handling where \"Maximum call stack size exceeded\" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on(\u0027uncaughtException\u0027)`, the process terminates, making the crash unrecoverable. Applications that rely on `AsyncLocalStorage` (v22, v20) or `async_hooks.createHook()` (v24, v22, v20) become vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs denial of service",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This flaw requires that the experimental Async hook feature is enabled for use in NodeJS. This feature is not enabled by default on Red Hat systems.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-59466"
},
{
"category": "external",
"summary": "RHBZ#2431343",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431343"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-59466",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-59466"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-59466",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59466"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.628000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-02T08:24:03+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6431"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Nodejs denial of service"
},
{
"cve": "CVE-2026-21636",
"cwe": {
"id": "CWE-281",
"name": "Improper Preservation of Permissions"
},
"discovery_date": "2026-01-20T21:01:41.174266+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431342"
}
],
"notes": [
{
"category": "description",
"text": "A flaw in Node.js\u0027s permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when `--permission` is enabled. Even without `--allow-net`, attacker-controlled inputs (such as URLs or socketPath options) can connect to arbitrary local sockets via net, tls, or undici/fetch. This breaks the intended security boundary of the permission model and enables access to privileged local services, potentially leading to privilege escalation, data exposure, or local code execution.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs network segmentation bypass",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-21636"
},
{
"category": "external",
"summary": "RHBZ#2431342",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431342"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-21636",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-21636"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-21636",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21636"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.700000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-02T08:24:03+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6431"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Nodejs network segmentation bypass"
},
{
"cve": "CVE-2026-21637",
"cwe": {
"id": "CWE-248",
"name": "Uncaught Exception"
},
"discovery_date": "2026-01-20T21:01:26.738343+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431340"
}
],
"notes": [
{
"category": "description",
"text": "A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across Node.js versions where these callbacks throw without being safely wrapped.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs denial of service",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Systems configured according to Red Hat guidelines should have their services set to restart in the event of a process crash. This Host system service management mitigates the availability impact to Red Hat customers.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-21637"
},
{
"category": "external",
"summary": "RHBZ#2431340",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431340"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-21637",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-21637"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-21637",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21637"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.352000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-02T08:24:03+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6431"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Nodejs denial of service"
},
{
"cve": "CVE-2026-21716",
"cwe": {
"id": "CWE-279",
"name": "Incorrect Execution-Assigned Permissions"
},
"discovery_date": "2026-03-30T20:01:51.136802+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2453157"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Node.js. An incomplete security fix allows code operating under restricted file system write permissions to bypass these limitations. This vulnerability enables the modification of file permissions and ownership on already-open files, even when explicit write access is denied. Such a bypass could lead to unauthorized changes to system files.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Node.js: Permission bypass allows unauthorized modification of file permissions and ownership via incomplete security fix.",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-21716"
},
{
"category": "external",
"summary": "RHBZ#2453157",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453157"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-21716",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-21716"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-21716",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21716"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"
}
],
"release_date": "2026-03-30T19:07:28.538000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-02T08:24:03+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6431"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "nodejs: Node.js: Permission bypass allows unauthorized modification of file permissions and ownership via incomplete security fix."
},
{
"cve": "CVE-2026-21717",
"cwe": {
"id": "CWE-328",
"name": "Use of Weak Hash"
},
"discovery_date": "2026-03-30T20:02:10.986695+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2453162"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in V8\u0027s string hashing mechanism within Node.js. A remote attacker can exploit this vulnerability by crafting requests containing integer-like strings. These specially crafted strings cause predictable hash collisions in V8\u0027s internal string table, particularly when processed by functions like JSON.parse() on attacker-controlled input. This can significantly degrade the performance of the Node.js process, leading to a Denial of Service (DoS) condition.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: v8: Node.js: Denial of Service via V8 string hashing mechanism due to predictable hash collisions",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-21717"
},
{
"category": "external",
"summary": "RHBZ#2453162",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453162"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-21717",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-21717"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-21717",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21717"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"
}
],
"release_date": "2026-03-30T19:07:28.415000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-02T08:24:03+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6431"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: v8: Node.js: Denial of Service via V8 string hashing mechanism due to predictable hash collisions"
}
]
}
RHSA-2026:7378
Vulnerability from csaf_redhat - Published: 2026-04-10 13:03 - Updated: 2026-06-27 23:52Summary
Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update
Severity
Important
Notes
Topic: An update for Red Hat Hardened Images RPMs is now available.
Details: This update includes the following RPMs:
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write.
7.1 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A memory exposure flaw has been discovered in Node.js. A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption.
7.1 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A file access flaw has been discovered in NodeJS. A file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs.
5.3 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A resource consumption flaw has been discovered in NodeJS. A memory leak in Node.js’s OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. When applications call `socket.getPeerCertificate(true)`, each certificate field leaks memory, allowing remote clients to trigger steady memory growth through repeated TLS connections. Over time this can lead to resource exhaustion and denial of service.
6.5 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Lodash. An attacker can exploit a prototype pollution vulnerability in the `_.unset` and `_.omit` functions by bypassing a security check. This bypass is achieved by providing array-wrapped path segments, which allows for the deletion of properties from built-in JavaScript prototypes such as `Object.prototype`. This could lead to unexpected application behavior or denial of service.
6.5 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in undici. When using Socks5ProxyAgent, undici incorrectly reuses a single connection pool across different origins. This can lead to cross-origin request routing, where sensitive credentials and data intended for one destination are sent to another. Consequently, responses from unintended origins may be trusted, and secure HTTPS connections could be silently downgraded to unencrypted HTTP, resulting in information disclosure and data integrity issues.
7.5 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A flaw was found in undici. A malicious WebSocket server could exploit this vulnerability by sending fragmented messages that individually meet size limits but collectively exceed them. This can lead to unbounded memory growth in the client process, resulting in memory exhaustion and a denial of service (DoS).
5.9 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Undici. The cache interceptor in shared-cache mode incorrectly classifies certain responses as cacheable due to improper handling of whitespace-padded Cache-Control header field names. This vulnerability allows an unauthenticated attacker to access authenticated user data from the cache, leading to information disclosure. This occurs when both authenticated and unauthenticated requests resolve to the same cache key.
5.9 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in undici. When undici's ProxyAgent is configured with a SOCKS5 proxy Uniform Resource Identifier (URI), it silently ignores Transport Layer Security (TLS) options, such as custom Certificate Authorities (CAs). This allows a remote attacker to perform a Man-in-the-Middle (MITM) attack, intercepting and tampering with HTTPS communications. The connection falls back to Node.js's default trust store, bypassing intended security configurations and potentially leading to information disclosure or arbitrary code execution.
7.4 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A flaw was found in the brace-expansion library. This vulnerability allows an attacker to cause a Denial of Service (DoS) by providing a large numeric range for expansion. The library allocates excessive memory to generate all intermediate elements before applying the maximum limit, leading to high memory consumption and potential application crashes. This can impact the availability of systems using the library.
6.5 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@src | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@x86_64 | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in Node.js. When proxy credentials are embedded in a proxy URL, an issue in the proxy tunnel error handling can lead to the exposure of these credentials. This information disclosure vulnerability allows an attacker to potentially capture sensitive proxy credentials through logs, diagnostics, or other error-consuming mechanisms.
5.9 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Node.js. This flaw involves a mismatch in how Node.js handles TLS (Transport Layer Security) hostnames and unicode dot separators during authentication. This mismatch can lead to a wildcard-depth authentication bypass. An attacker could exploit this to bypass intended security boundaries, potentially leading to unauthorized access and confidentiality impact.
7.7 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A flaw was found in the Node.js WebCrypto implementation. A remote attacker could exploit this vulnerability by providing an input to the `subtle.encrypt()` function that is a multiple of 2 gigabytes (GiB). This could lead to a denial of service (DoS) by crashing the Node.js process.
7.5 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs25-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
References
78 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for Red Hat Hardened Images RPMs is now available.",
"title": "Topic"
},
{
"category": "general",
"text": "This update includes the following RPMs:",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:7378",
"url": "https://access.redhat.com/errata/RHSA-2026:7378"
},
{
"category": "external",
"summary": "https://images.redhat.com/",
"url": "https://images.redhat.com/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-59464",
"url": "https://access.redhat.com/security/cve/CVE-2025-59464"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-55132",
"url": "https://access.redhat.com/security/cve/CVE-2025-55132"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-55131",
"url": "https://access.redhat.com/security/cve/CVE-2025-55131"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-55130",
"url": "https://access.redhat.com/security/cve/CVE-2025-55130"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-2950",
"url": "https://access.redhat.com/security/cve/CVE-2026-2950"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-45149",
"url": "https://access.redhat.com/security/cve/CVE-2026-45149"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-9697",
"url": "https://access.redhat.com/security/cve/CVE-2026-9697"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-6734",
"url": "https://access.redhat.com/security/cve/CVE-2026-6734"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-9675",
"url": "https://access.redhat.com/security/cve/CVE-2026-9675"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-9678",
"url": "https://access.redhat.com/security/cve/CVE-2026-9678"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-48618",
"url": "https://access.redhat.com/security/cve/CVE-2026-48618"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-48933",
"url": "https://access.redhat.com/security/cve/CVE-2026-48933"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-48615",
"url": "https://access.redhat.com/security/cve/CVE-2026-48615"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_7378.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update",
"tracking": {
"current_release_date": "2026-06-27T23:52:11+00:00",
"generator": {
"date": "2026-06-27T23:52:11+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.2.6"
}
},
"id": "RHSA-2026:7378",
"initial_release_date": "2026-04-10T13:03:00+00:00",
"revision_history": [
{
"date": "2026-04-10T13:03:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-06-27T00:15:14+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-27T23:52:11+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Hardened Images",
"product": {
"name": "Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:hummingbird:1"
}
}
}
],
"category": "product_family",
"name": "Red Hat Hardened Images"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs25-main@aarch64",
"product": {
"name": "nodejs25-main@aarch64",
"product_id": "nodejs25-main@aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs25@25.9.0-1.1.hum1?arch=aarch64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-aarch64-rpms"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs25-main@src",
"product": {
"name": "nodejs25-main@src",
"product_id": "nodejs25-main@src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs25@25.9.0-1.1.hum1?arch=src\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-source-rpms"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs25-main@x86_64",
"product": {
"name": "nodejs25-main@x86_64",
"product_id": "nodejs25-main@x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs25@25.9.0-1.1.hum1?arch=x86_64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs25-main@noarch",
"product": {
"name": "nodejs25-main@noarch",
"product_id": "nodejs25-main@noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs25-bin@25.9.0-1.1.hum1?arch=noarch\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs25-main@aarch64 as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:nodejs25-main@aarch64"
},
"product_reference": "nodejs25-main@aarch64",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs25-main@noarch as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:nodejs25-main@noarch"
},
"product_reference": "nodejs25-main@noarch",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs25-main@src as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:nodejs25-main@src"
},
"product_reference": "nodejs25-main@src",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs25-main@x86_64 as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:nodejs25-main@x86_64"
},
"product_reference": "nodejs25-main@x86_64",
"relates_to_product_reference": "Red Hat Hardened Images"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-55130",
"cwe": {
"id": "CWE-281",
"name": "Improper Preservation of Permissions"
},
"discovery_date": "2026-01-20T21:03:01.083023+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431352"
}
],
"notes": [
{
"category": "description",
"text": "A flaw in Node.js\u2019s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs file permissions bypass",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-55130"
},
{
"category": "external",
"summary": "RHBZ#2431352",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431352"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-55130",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55130"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-55130",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55130"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.393000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-10T13:03:00+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7378"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "nodejs: Nodejs file permissions bypass"
},
{
"cve": "CVE-2025-55131",
"cwe": {
"id": "CWE-497",
"name": "Exposure of Sensitive System Information to an Unauthorized Control Sphere"
},
"discovery_date": "2026-01-20T21:02:45.759578+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431350"
}
],
"notes": [
{
"category": "description",
"text": "A memory exposure flaw has been discovered in Node.js. A flaw in Node.js\u0027s buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs uninitialized memory exposure",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-55131"
},
{
"category": "external",
"summary": "RHBZ#2431350",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431350"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-55131",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55131"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-55131",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55131"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.591000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-10T13:03:00+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7378"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "nodejs: Nodejs uninitialized memory exposure"
},
{
"cve": "CVE-2025-55132",
"cwe": {
"id": "CWE-281",
"name": "Improper Preservation of Permissions"
},
"discovery_date": "2026-01-20T21:01:12.192484+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431338"
}
],
"notes": [
{
"category": "description",
"text": "A file access flaw has been discovered in NodeJS. A file\u0027s access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs filesystem permissions bypass",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-55132"
},
{
"category": "external",
"summary": "RHBZ#2431338",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431338"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-55132",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55132"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-55132",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55132"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.620000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-10T13:03:00+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7378"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
},
"products": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Nodejs filesystem permissions bypass"
},
{
"cve": "CVE-2025-59464",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-01-20T21:01:52.581156+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431344"
}
],
"notes": [
{
"category": "description",
"text": "A resource consumption flaw has been discovered in NodeJS. A memory leak in Node.js\u2019s OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. When applications call `socket.getPeerCertificate(true)`, each certificate field leaks memory, allowing remote clients to trigger steady memory growth through repeated TLS connections. Over time this can lead to resource exhaustion and denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs memory leak",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-59464"
},
{
"category": "external",
"summary": "RHBZ#2431344",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431344"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-59464",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-59464"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-59464",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59464"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.599000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-10T13:03:00+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7378"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Nodejs memory leak"
},
{
"cve": "CVE-2026-2950",
"cwe": {
"id": "CWE-915",
"name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
},
"discovery_date": "2026-03-31T20:01:38.424064+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2453499"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Lodash. An attacker can exploit a prototype pollution vulnerability in the `_.unset` and `_.omit` functions by bypassing a security check. This bypass is achieved by providing array-wrapped path segments, which allows for the deletion of properties from built-in JavaScript prototypes such as `Object.prototype`. This could lead to unexpected application behavior or denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "lodash: Lodash: Prototype pollution allows deletion of built-in prototype properties via array path bypass",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-2950"
},
{
"category": "external",
"summary": "RHBZ#2453499",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453499"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-2950",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-2950"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-2950",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2950"
},
{
"category": "external",
"summary": "https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg",
"url": "https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg"
}
],
"release_date": "2026-03-31T19:18:35.796000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-10T13:03:00+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7378"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "lodash: Lodash: Prototype pollution allows deletion of built-in prototype properties via array path bypass"
},
{
"cve": "CVE-2026-6734",
"cwe": {
"id": "CWE-940",
"name": "Improper Verification of Source of a Communication Channel"
},
"discovery_date": "2026-06-17T19:04:00.272340+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2490024"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in undici. When using Socks5ProxyAgent, undici incorrectly reuses a single connection pool across different origins. This can lead to cross-origin request routing, where sensitive credentials and data intended for one destination are sent to another. Consequently, responses from unintended origins may be trusted, and secure HTTPS connections could be silently downgraded to unencrypted HTTP, resulting in information disclosure and data integrity issues.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "undici: undici: Information disclosure and data integrity issues due to incorrect Socks5ProxyAgent connection routing",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is rated as an Important security flaw. The `undici` library, when configured with `Socks5ProxyAgent` to handle requests for multiple origins, incorrectly reuses connection pools. This can lead to sensitive data and credentials being misrouted to unintended destinations, potentially downgrading HTTPS connections to HTTP and compromising data integrity and confidentiality. Red Hat products utilizing `undici` with `Socks5ProxyAgent` in multi-origin scenarios are affected.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-6734"
},
{
"category": "external",
"summary": "RHBZ#2490024",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2490024"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-6734",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-6734"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-6734",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6734"
},
{
"category": "external",
"summary": "https://cna.openjsf.org/security-advisories.html",
"url": "https://cna.openjsf.org/security-advisories.html"
},
{
"category": "external",
"summary": "https://github.com/nodejs/undici/security/advisories/GHSA-hm92-r4w5-c3mj",
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-hm92-r4w5-c3mj"
}
],
"release_date": "2026-06-17T16:36:55.439000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-10T13:03:00+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7378"
},
{
"category": "workaround",
"details": "The single most impactful mitigation is applying network egress controls to restrict which external destinations affected applications can reach. Because the vulnerability causes requests to be misrouted to wrong origins, limiting the set of reachable origins directly reduces the attack surface. These controls collectively limit the blast radius of the connection pool misrouting \u2014 the attacker must compromise one of the explicitly allowed destinations rather than any arbitrary origin \u2014 but they do not fix the underlying logic bug.",
"product_ids": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "undici: undici: Information disclosure and data integrity issues due to incorrect Socks5ProxyAgent connection routing"
},
{
"cve": "CVE-2026-9675",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2026-06-17T17:01:41.811903+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2489979"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in undici. A malicious WebSocket server could exploit this vulnerability by sending fragmented messages that individually meet size limits but collectively exceed them. This can lead to unbounded memory growth in the client process, resulting in memory exhaustion and a denial of service (DoS).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "undici: undici WebSocket client vulnerable to denial of service via cumulative fragment bypass",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is rated Moderate by Red Hat (CVSS 5.9) because successful exploitation requires the undici WebSocket client to connect to an attacker-controlled server (AC:H), which is unlikely in typical Red Hat product deployments where WebSocket endpoints are trusted internal services. No Red Hat product is affected \u2014 all streams shipping undici bundle versions 5.x through 7.x, which are outside the vulnerable range of 8.0.0 to 8.4.x. The vulnerable code path (unbounded WebSocket frame accumulation) was introduced in undici 8.0.0 and is not present in earlier major versions.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9675"
},
{
"category": "external",
"summary": "RHBZ#2489979",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2489979"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9675",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9675"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9675",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9675"
},
{
"category": "external",
"summary": "https://cna.openjsf.org/security-advisories.html",
"url": "https://cna.openjsf.org/security-advisories.html"
},
{
"category": "external",
"summary": "https://github.com/nodejs/undici/security/advisories/GHSA-38rv-x7px-6hhq",
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-38rv-x7px-6hhq"
}
],
"release_date": "2026-06-17T16:20:32.548000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-10T13:03:00+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7378"
},
{
"category": "workaround",
"details": "Red Hat products that bundle the undici HTTP client ship versions 5.x, 6.x, and 7.x, which do not contain the vulnerable WebSocket frame accumulation code path introduced in undici 8.0.0. No Red Hat product streams are affected by this vulnerability. Users who have manually installed undici 8.x outside of Red Hat-provided packages should upgrade to undici 8.5.0 or later to fully resolve this issue.",
"product_ids": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "undici: undici WebSocket client vulnerable to denial of service via cumulative fragment bypass"
},
{
"cve": "CVE-2026-9678",
"cwe": {
"id": "CWE-1286",
"name": "Improper Validation of Syntactic Correctness of Input"
},
"discovery_date": "2026-06-17T19:01:33.359372+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2490000"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Undici. The cache interceptor in shared-cache mode incorrectly classifies certain responses as cacheable due to improper handling of whitespace-padded Cache-Control header field names. This vulnerability allows an unauthenticated attacker to access authenticated user data from the cache, leading to information disclosure. This occurs when both authenticated and unauthenticated requests resolve to the same cache key.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "undici: Undici: Information disclosure due to improper cache-control header parsing",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Moderate information disclosure flaw in Undici\u0027s cache interceptor, when configured in shared-cache mode, allows an unauthenticated attacker to retrieve sensitive authenticated user data. This is due to incorrect parsing of Cache-Control headers containing whitespace-padded field names, leading to cached responses being served improperly. Red Hat products are affected if they explicitly enable shared-cache mode, forward Authorization headers, and process non-canonical Cache-Control directives.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9678"
},
{
"category": "external",
"summary": "RHBZ#2490000",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2490000"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9678",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9678"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9678",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9678"
},
{
"category": "external",
"summary": "https://cna.openjsf.org/security-advisories.html",
"url": "https://cna.openjsf.org/security-advisories.html"
},
{
"category": "external",
"summary": "https://github.com/nodejs/undici/security/advisories/GHSA-pr7r-676h-xcf6",
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-pr7r-676h-xcf6"
}
],
"release_date": "2026-06-17T17:04:09.680000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-10T13:03:00+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7378"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "undici: Undici: Information disclosure due to improper cache-control header parsing"
},
{
"cve": "CVE-2026-9697",
"cwe": {
"id": "CWE-295",
"name": "Improper Certificate Validation"
},
"discovery_date": "2026-06-17T19:03:30.813843+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2490018"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in undici. When undici\u0027s ProxyAgent is configured with a SOCKS5 proxy Uniform Resource Identifier (URI), it silently ignores Transport Layer Security (TLS) options, such as custom Certificate Authorities (CAs). This allows a remote attacker to perform a Man-in-the-Middle (MITM) attack, intercepting and tampering with HTTPS communications. The connection falls back to Node.js\u0027s default trust store, bypassing intended security configurations and potentially leading to information disclosure or arbitrary code execution.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "undici: undici: Man-in-the-Middle attack via ignored TLS options with SOCKS5 proxy",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an Important vulnerability. Applications using `undici`\u0027s `ProxyAgent` with a SOCKS5 proxy URI will silently ignore user-configured TLS options, including custom Certificate Authorities. This bypasses intended security controls for HTTPS communication, enabling a remote attacker to perform Man-in-the-Middle attacks, potentially leading to information disclosure or arbitrary code execution in affected Red Hat products.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9697"
},
{
"category": "external",
"summary": "RHBZ#2490018",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2490018"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9697",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9697"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9697",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9697"
},
{
"category": "external",
"summary": "https://cna.openjsf.org/security-advisories.html",
"url": "https://cna.openjsf.org/security-advisories.html"
},
{
"category": "external",
"summary": "https://github.com/nodejs/undici/security/advisories/GHSA-vmh5-mc38-953g",
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-vmh5-mc38-953g"
}
],
"release_date": "2026-06-17T16:46:42.706000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-10T13:03:00+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7378"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "undici: undici: Man-in-the-Middle attack via ignored TLS options with SOCKS5 proxy"
},
{
"cve": "CVE-2026-45149",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-05-29T21:02:00.092772+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2483481"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the brace-expansion library. This vulnerability allows an attacker to cause a Denial of Service (DoS) by providing a large numeric range for expansion. The library allocates excessive memory to generate all intermediate elements before applying the maximum limit, leading to high memory consumption and potential application crashes. This can impact the availability of systems using the library.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "brace-expansion: brace-expansion: Denial of Service due to excessive memory allocation when expanding large numeric ranges",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-45149"
},
{
"category": "external",
"summary": "RHBZ#2483481",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2483481"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-45149",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45149"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-45149",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45149"
},
{
"category": "external",
"summary": "https://github.com/juliangruber/brace-expansion/security/advisories/GHSA-jxxr-4gwj-5jf2",
"url": "https://github.com/juliangruber/brace-expansion/security/advisories/GHSA-jxxr-4gwj-5jf2"
}
],
"release_date": "2026-05-29T19:55:07.337000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-10T13:03:00+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7378"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "brace-expansion: brace-expansion: Denial of Service due to excessive memory allocation when expanding large numeric ranges"
},
{
"cve": "CVE-2026-48615",
"cwe": {
"id": "CWE-209",
"name": "Generation of Error Message Containing Sensitive Information"
},
"discovery_date": "2026-06-26T02:01:59.112093+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2493335"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Node.js. When proxy credentials are embedded in a proxy URL, an issue in the proxy tunnel error handling can lead to the exposure of these credentials. This information disclosure vulnerability allows an attacker to potentially capture sensitive proxy credentials through logs, diagnostics, or other error-consuming mechanisms.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Node.js: Information disclosure of proxy credentials via proxy tunnel error handling",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-48615"
},
{
"category": "external",
"summary": "RHBZ#2493335",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2493335"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-48615",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48615"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-48615",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48615"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases"
}
],
"release_date": "2026-06-26T01:14:36.524000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-10T13:03:00+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7378"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Node.js: Information disclosure of proxy credentials via proxy tunnel error handling"
},
{
"cve": "CVE-2026-48618",
"cwe": {
"id": "CWE-289",
"name": "Authentication Bypass by Alternate Name"
},
"discovery_date": "2026-06-26T02:02:10.741725+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2493337"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Node.js. This flaw involves a mismatch in how Node.js handles TLS (Transport Layer Security) hostnames and unicode dot separators during authentication. This mismatch can lead to a wildcard-depth authentication bypass. An attacker could exploit this to bypass intended security boundaries, potentially leading to unauthorized access and confidentiality impact.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Node.js: Authentication bypass due to TLS hostname handling and unicode dot separator mismatch",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Important flaw in Node.js allows for a TLS wildcard-depth authentication bypass due to a mismatch in how hostnames and unicode dot separators are handled during authentication. This could enable an attacker to circumvent security boundaries, potentially leading to unauthorized access and compromise of sensitive information in applications utilizing Node.js for TLS connections. The issue affects Node.js versions 22, 24, and 26 as shipped in Red Hat products.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-48618"
},
{
"category": "external",
"summary": "RHBZ#2493337",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2493337"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-48618",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48618"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-48618",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48618"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases"
}
],
"release_date": "2026-06-26T01:14:36.868000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-10T13:03:00+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7378"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "nodejs: Node.js: Authentication bypass due to TLS hostname handling and unicode dot separator mismatch"
},
{
"cve": "CVE-2026-48933",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-06-26T02:01:39.107538+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2493331"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Node.js WebCrypto implementation. A remote attacker could exploit this vulnerability by providing an input to the `subtle.encrypt()` function that is a multiple of 2 gigabytes (GiB). This could lead to a denial of service (DoS) by crashing the Node.js process.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Node.js WebCrypto: Denial of Service via large input to subtle.encrypt()",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an Important denial of service vulnerability in Node.js WebCrypto, as a remote attacker can crash the Node.js process by providing a specially crafted large input to the `subtle.encrypt()` function. This could lead to service unavailability in Red Hat environments where Node.js applications process untrusted data with WebCrypto.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-48933"
},
{
"category": "external",
"summary": "RHBZ#2493331",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2493331"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-48933",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48933"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-48933",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48933"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases"
}
],
"release_date": "2026-06-26T01:14:36.823000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-10T13:03:00+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7378"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs25-main@aarch64",
"Red Hat Hardened Images:nodejs25-main@noarch",
"Red Hat Hardened Images:nodejs25-main@src",
"Red Hat Hardened Images:nodejs25-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "nodejs: Node.js WebCrypto: Denial of Service via large input to subtle.encrypt()"
}
]
}
RHSA-2026:7386
Vulnerability from csaf_redhat - Published: 2026-04-10 14:47 - Updated: 2026-06-28 12:55Summary
Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update
Severity
Important
Notes
Topic: An update for Red Hat Hardened Images RPMs is now available.
Details: This update includes the following RPMs:
nodejs20:
* nodejs20-20.20.0-7.1.hum1 (aarch64, x86_64)
* nodejs20-bin-20.20.0-7.1.hum1 (noarch)
* nodejs20-devel-20.20.0-7.1.hum1 (aarch64, x86_64)
* nodejs20-docs-20.20.0-7.1.hum1 (noarch)
* nodejs20-full-i18n-20.20.0-7.1.hum1 (aarch64, x86_64)
* nodejs20-libs-20.20.0-7.1.hum1 (aarch64, x86_64)
* nodejs20-npm-10.8.2-1.20.20.0.7.1.hum1 (noarch)
* nodejs20-npm-bin-20.20.0-7.1.hum1 (noarch)
* v8-11.3-devel-11.3.244.8-1.20.20.0.7.1.hum1 (aarch64, x86_64)
* nodejs20-20.20.0-7.1.hum1.src (src)
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write.
7.1 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A memory exposure flaw has been discovered in Node.js. A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption.
7.1 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A file access flaw has been discovered in NodeJS. A file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs.
5.3 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A resource consumption flaw has been discovered in NodeJS. A memory leak in Node.js’s OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. When applications call `socket.getPeerCertificate(true)`, each certificate field leaks memory, allowing remote clients to trigger steady memory growth through repeated TLS connections. Over time this can lead to resource exhaustion and denial of service.
6.5 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A denial of service flaw has been discovered in NodeJS. A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets
7.5 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A stack overflow flaw has been discovered in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on('uncaughtException')`, the process terminates, making the crash unrecoverable. Applications that rely on `AsyncLocalStorage` (v22, v20) or `async_hooks.createHook()` (v24, v22, v20) become vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions.
5.9 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw in Node.js's permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when `--permission` is enabled. Even without `--allow-net`, attacker-controlled inputs (such as URLs or socketPath options) can connect to arbitrary local sockets via net, tls, or undici/fetch. This breaks the intended security boundary of the permission model and enables access to privileged local services, potentially leading to privilege escalation, data exposure, or local code execution.
5.8 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across Node.js versions where these callbacks throw without being safely wrapped.
5.9 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Node.js. An incomplete security fix allows code operating under restricted file system write permissions to bypass these limitations. This vulnerability enables the modification of file permissions and ownership on already-open files, even when explicit write access is denied. Such a bypass could lead to unauthorized changes to system files.
CWE-279 - Incorrect Execution-Assigned PermissionsAffected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Low
A flaw was found in V8's string hashing mechanism within Node.js. A remote attacker can exploit this vulnerability by crafting requests containing integer-like strings. These specially crafted strings cause predictable hash collisions in V8's internal string table, particularly when processed by functions like JSON.parse() on attacker-controlled input. This can significantly degrade the performance of the Node.js process, leading to a Denial of Service (DoS) condition.
5.9 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs20-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
References
56 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for Red Hat Hardened Images RPMs is now available.",
"title": "Topic"
},
{
"category": "general",
"text": "This update includes the following RPMs:\n\nnodejs20:\n * nodejs20-20.20.0-7.1.hum1 (aarch64, x86_64)\n * nodejs20-bin-20.20.0-7.1.hum1 (noarch)\n * nodejs20-devel-20.20.0-7.1.hum1 (aarch64, x86_64)\n * nodejs20-docs-20.20.0-7.1.hum1 (noarch)\n * nodejs20-full-i18n-20.20.0-7.1.hum1 (aarch64, x86_64)\n * nodejs20-libs-20.20.0-7.1.hum1 (aarch64, x86_64)\n * nodejs20-npm-10.8.2-1.20.20.0.7.1.hum1 (noarch)\n * nodejs20-npm-bin-20.20.0-7.1.hum1 (noarch)\n * v8-11.3-devel-11.3.244.8-1.20.20.0.7.1.hum1 (aarch64, x86_64)\n * nodejs20-20.20.0-7.1.hum1.src (src)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:7386",
"url": "https://access.redhat.com/errata/RHSA-2026:7386"
},
{
"category": "external",
"summary": "https://images.redhat.com/",
"url": "https://images.redhat.com/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-21637",
"url": "https://access.redhat.com/security/cve/CVE-2026-21637"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-21636",
"url": "https://access.redhat.com/security/cve/CVE-2026-21636"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-59466",
"url": "https://access.redhat.com/security/cve/CVE-2025-59466"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-59465",
"url": "https://access.redhat.com/security/cve/CVE-2025-59465"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-59464",
"url": "https://access.redhat.com/security/cve/CVE-2025-59464"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-55132",
"url": "https://access.redhat.com/security/cve/CVE-2025-55132"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-55131",
"url": "https://access.redhat.com/security/cve/CVE-2025-55131"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-55130",
"url": "https://access.redhat.com/security/cve/CVE-2025-55130"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-21717",
"url": "https://access.redhat.com/security/cve/CVE-2026-21717"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-21716",
"url": "https://access.redhat.com/security/cve/CVE-2026-21716"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_7386.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update",
"tracking": {
"current_release_date": "2026-06-28T12:55:57+00:00",
"generator": {
"date": "2026-06-28T12:55:57+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.2.6"
}
},
"id": "RHSA-2026:7386",
"initial_release_date": "2026-04-10T14:47:42+00:00",
"revision_history": [
{
"date": "2026-04-10T14:47:42+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-04-20T11:28:19+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-28T12:55:57+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Hardened Images",
"product": {
"name": "Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:hummingbird:1"
}
}
}
],
"category": "product_family",
"name": "Red Hat Hardened Images"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs20-main@aarch64",
"product": {
"name": "nodejs20-main@aarch64",
"product_id": "nodejs20-main@aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs20@20.20.0-7.1.hum1?arch=aarch64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-aarch64-rpms"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs20-main@src",
"product": {
"name": "nodejs20-main@src",
"product_id": "nodejs20-main@src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs20@20.20.0-7.1.hum1?arch=src\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-source-rpms"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs20-main@x86_64",
"product": {
"name": "nodejs20-main@x86_64",
"product_id": "nodejs20-main@x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs20@20.20.0-7.1.hum1?arch=x86_64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs20-main@noarch",
"product": {
"name": "nodejs20-main@noarch",
"product_id": "nodejs20-main@noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs20-bin@20.20.0-7.1.hum1?arch=noarch\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs20-main@aarch64 as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:nodejs20-main@aarch64"
},
"product_reference": "nodejs20-main@aarch64",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs20-main@noarch as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:nodejs20-main@noarch"
},
"product_reference": "nodejs20-main@noarch",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs20-main@src as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:nodejs20-main@src"
},
"product_reference": "nodejs20-main@src",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs20-main@x86_64 as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:nodejs20-main@x86_64"
},
"product_reference": "nodejs20-main@x86_64",
"relates_to_product_reference": "Red Hat Hardened Images"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-55130",
"cwe": {
"id": "CWE-281",
"name": "Improper Preservation of Permissions"
},
"discovery_date": "2026-01-20T21:03:01.083023+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431352"
}
],
"notes": [
{
"category": "description",
"text": "A flaw in Node.js\u2019s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs file permissions bypass",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-55130"
},
{
"category": "external",
"summary": "RHBZ#2431352",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431352"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-55130",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55130"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-55130",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55130"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.393000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-10T14:47:42+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7386"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "nodejs: Nodejs file permissions bypass"
},
{
"cve": "CVE-2025-55131",
"cwe": {
"id": "CWE-497",
"name": "Exposure of Sensitive System Information to an Unauthorized Control Sphere"
},
"discovery_date": "2026-01-20T21:02:45.759578+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431350"
}
],
"notes": [
{
"category": "description",
"text": "A memory exposure flaw has been discovered in Node.js. A flaw in Node.js\u0027s buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs uninitialized memory exposure",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-55131"
},
{
"category": "external",
"summary": "RHBZ#2431350",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431350"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-55131",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55131"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-55131",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55131"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.591000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-10T14:47:42+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7386"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "nodejs: Nodejs uninitialized memory exposure"
},
{
"cve": "CVE-2025-55132",
"cwe": {
"id": "CWE-281",
"name": "Improper Preservation of Permissions"
},
"discovery_date": "2026-01-20T21:01:12.192484+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431338"
}
],
"notes": [
{
"category": "description",
"text": "A file access flaw has been discovered in NodeJS. A file\u0027s access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs filesystem permissions bypass",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-55132"
},
{
"category": "external",
"summary": "RHBZ#2431338",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431338"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-55132",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55132"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-55132",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55132"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.620000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-10T14:47:42+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7386"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
},
"products": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Nodejs filesystem permissions bypass"
},
{
"cve": "CVE-2025-59464",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-01-20T21:01:52.581156+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431344"
}
],
"notes": [
{
"category": "description",
"text": "A resource consumption flaw has been discovered in NodeJS. A memory leak in Node.js\u2019s OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. When applications call `socket.getPeerCertificate(true)`, each certificate field leaks memory, allowing remote clients to trigger steady memory growth through repeated TLS connections. Over time this can lead to resource exhaustion and denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs memory leak",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-59464"
},
{
"category": "external",
"summary": "RHBZ#2431344",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431344"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-59464",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-59464"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-59464",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59464"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.599000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-10T14:47:42+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7386"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Nodejs memory leak"
},
{
"cve": "CVE-2025-59465",
"cwe": {
"id": "CWE-248",
"name": "Uncaught Exception"
},
"discovery_date": "2026-01-20T21:02:37.799525+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431349"
}
],
"notes": [
{
"category": "description",
"text": "A denial of service flaw has been discovered in NodeJS. A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs denial of service",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-59465"
},
{
"category": "external",
"summary": "RHBZ#2431349",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431349"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-59465",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-59465"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-59465",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59465"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.317000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-10T14:47:42+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7386"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "nodejs: Nodejs denial of service"
},
{
"cve": "CVE-2025-59466",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-01-20T21:01:46.025710+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431343"
}
],
"notes": [
{
"category": "description",
"text": "A stack overflow flaw has been discovered in Node.js error handling where \"Maximum call stack size exceeded\" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on(\u0027uncaughtException\u0027)`, the process terminates, making the crash unrecoverable. Applications that rely on `AsyncLocalStorage` (v22, v20) or `async_hooks.createHook()` (v24, v22, v20) become vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs denial of service",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This flaw requires that the experimental Async hook feature is enabled for use in NodeJS. This feature is not enabled by default on Red Hat systems.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-59466"
},
{
"category": "external",
"summary": "RHBZ#2431343",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431343"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-59466",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-59466"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-59466",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59466"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.628000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-10T14:47:42+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7386"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Nodejs denial of service"
},
{
"cve": "CVE-2026-21636",
"cwe": {
"id": "CWE-281",
"name": "Improper Preservation of Permissions"
},
"discovery_date": "2026-01-20T21:01:41.174266+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431342"
}
],
"notes": [
{
"category": "description",
"text": "A flaw in Node.js\u0027s permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when `--permission` is enabled. Even without `--allow-net`, attacker-controlled inputs (such as URLs or socketPath options) can connect to arbitrary local sockets via net, tls, or undici/fetch. This breaks the intended security boundary of the permission model and enables access to privileged local services, potentially leading to privilege escalation, data exposure, or local code execution.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs network segmentation bypass",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-21636"
},
{
"category": "external",
"summary": "RHBZ#2431342",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431342"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-21636",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-21636"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-21636",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21636"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.700000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-10T14:47:42+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7386"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Nodejs network segmentation bypass"
},
{
"cve": "CVE-2026-21637",
"cwe": {
"id": "CWE-248",
"name": "Uncaught Exception"
},
"discovery_date": "2026-01-20T21:01:26.738343+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431340"
}
],
"notes": [
{
"category": "description",
"text": "A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across Node.js versions where these callbacks throw without being safely wrapped.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs denial of service",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Systems configured according to Red Hat guidelines should have their services set to restart in the event of a process crash. This Host system service management mitigates the availability impact to Red Hat customers.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-21637"
},
{
"category": "external",
"summary": "RHBZ#2431340",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431340"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-21637",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-21637"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-21637",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21637"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.352000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-10T14:47:42+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7386"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Nodejs denial of service"
},
{
"cve": "CVE-2026-21716",
"cwe": {
"id": "CWE-279",
"name": "Incorrect Execution-Assigned Permissions"
},
"discovery_date": "2026-03-30T20:01:51.136802+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2453157"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Node.js. An incomplete security fix allows code operating under restricted file system write permissions to bypass these limitations. This vulnerability enables the modification of file permissions and ownership on already-open files, even when explicit write access is denied. Such a bypass could lead to unauthorized changes to system files.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Node.js: Permission bypass allows unauthorized modification of file permissions and ownership via incomplete security fix.",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-21716"
},
{
"category": "external",
"summary": "RHBZ#2453157",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453157"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-21716",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-21716"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-21716",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21716"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"
}
],
"release_date": "2026-03-30T19:07:28.538000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-10T14:47:42+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7386"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "nodejs: Node.js: Permission bypass allows unauthorized modification of file permissions and ownership via incomplete security fix."
},
{
"cve": "CVE-2026-21717",
"cwe": {
"id": "CWE-328",
"name": "Use of Weak Hash"
},
"discovery_date": "2026-03-30T20:02:10.986695+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2453162"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in V8\u0027s string hashing mechanism within Node.js. A remote attacker can exploit this vulnerability by crafting requests containing integer-like strings. These specially crafted strings cause predictable hash collisions in V8\u0027s internal string table, particularly when processed by functions like JSON.parse() on attacker-controlled input. This can significantly degrade the performance of the Node.js process, leading to a Denial of Service (DoS) condition.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: v8: Node.js: Denial of Service via V8 string hashing mechanism due to predictable hash collisions",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-21717"
},
{
"category": "external",
"summary": "RHBZ#2453162",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453162"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-21717",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-21717"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-21717",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21717"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"
}
],
"release_date": "2026-03-30T19:07:28.415000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-10T14:47:42+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7386"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs20-main@aarch64",
"Red Hat Hardened Images:nodejs20-main@noarch",
"Red Hat Hardened Images:nodejs20-main@src",
"Red Hat Hardened Images:nodejs20-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: v8: Node.js: Denial of Service via V8 string hashing mechanism due to predictable hash collisions"
}
]
}
RHSA-2026:7387
Vulnerability from csaf_redhat - Published: 2026-04-10 16:03 - Updated: 2026-06-28 12:57Summary
Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update
Severity
Important
Notes
Topic: An update for Red Hat Hardened Images RPMs is now available.
Details: This update includes the following RPMs:
nodejs22:
* nodejs22-22.22.0-1.3.hum1 (aarch64, x86_64)
* nodejs22-bin-22.22.0-1.3.hum1 (noarch)
* nodejs22-devel-22.22.0-1.3.hum1 (aarch64, x86_64)
* nodejs22-docs-22.22.0-1.3.hum1 (noarch)
* nodejs22-full-i18n-22.22.0-1.3.hum1 (aarch64, x86_64)
* nodejs22-libs-22.22.0-1.3.hum1 (aarch64, x86_64)
* nodejs22-npm-10.9.4-1.22.22.0.1.3.hum1 (noarch)
* nodejs22-npm-bin-22.22.0-1.3.hum1 (noarch)
* v8-12.4-devel-12.4.254.21-1.22.22.0.1.3.hum1 (aarch64, x86_64)
* nodejs22-22.22.0-1.3.hum1.src (src)
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write.
7.1 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A memory exposure flaw has been discovered in Node.js. A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption.
7.1 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A file access flaw has been discovered in NodeJS. A file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs.
5.3 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A resource consumption flaw has been discovered in NodeJS. A memory leak in Node.js’s OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. When applications call `socket.getPeerCertificate(true)`, each certificate field leaks memory, allowing remote clients to trigger steady memory growth through repeated TLS connections. Over time this can lead to resource exhaustion and denial of service.
6.5 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A denial of service flaw has been discovered in NodeJS. A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets
7.5 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A stack overflow flaw has been discovered in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on('uncaughtException')`, the process terminates, making the crash unrecoverable. Applications that rely on `AsyncLocalStorage` (v22, v20) or `async_hooks.createHook()` (v24, v22, v20) become vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions.
5.9 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw in Node.js's permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when `--permission` is enabled. Even without `--allow-net`, attacker-controlled inputs (such as URLs or socketPath options) can connect to arbitrary local sockets via net, tls, or undici/fetch. This breaks the intended security boundary of the permission model and enables access to privileged local services, potentially leading to privilege escalation, data exposure, or local code execution.
5.8 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across Node.js versions where these callbacks throw without being safely wrapped.
5.9 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Node.js. An incomplete security fix allows code operating under restricted file system write permissions to bypass these limitations. This vulnerability enables the modification of file permissions and ownership on already-open files, even when explicit write access is denied. Such a bypass could lead to unauthorized changes to system files.
CWE-279 - Incorrect Execution-Assigned PermissionsAffected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Low
A flaw was found in V8's string hashing mechanism within Node.js. A remote attacker can exploit this vulnerability by crafting requests containing integer-like strings. These specially crafted strings cause predictable hash collisions in V8's internal string table, particularly when processed by functions like JSON.parse() on attacker-controlled input. This can significantly degrade the performance of the Node.js process, leading to a Denial of Service (DoS) condition.
5.9 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs22-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
References
57 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for Red Hat Hardened Images RPMs is now available.",
"title": "Topic"
},
{
"category": "general",
"text": "This update includes the following RPMs:\n\nnodejs22:\n * nodejs22-22.22.0-1.3.hum1 (aarch64, x86_64)\n * nodejs22-bin-22.22.0-1.3.hum1 (noarch)\n * nodejs22-devel-22.22.0-1.3.hum1 (aarch64, x86_64)\n * nodejs22-docs-22.22.0-1.3.hum1 (noarch)\n * nodejs22-full-i18n-22.22.0-1.3.hum1 (aarch64, x86_64)\n * nodejs22-libs-22.22.0-1.3.hum1 (aarch64, x86_64)\n * nodejs22-npm-10.9.4-1.22.22.0.1.3.hum1 (noarch)\n * nodejs22-npm-bin-22.22.0-1.3.hum1 (noarch)\n * v8-12.4-devel-12.4.254.21-1.22.22.0.1.3.hum1 (aarch64, x86_64)\n * nodejs22-22.22.0-1.3.hum1.src (src)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:7387",
"url": "https://access.redhat.com/errata/RHSA-2026:7387"
},
{
"category": "external",
"summary": "https://images.redhat.com/",
"url": "https://images.redhat.com/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-21637",
"url": "https://access.redhat.com/security/cve/CVE-2026-21637"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-21636",
"url": "https://access.redhat.com/security/cve/CVE-2026-21636"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-59466",
"url": "https://access.redhat.com/security/cve/CVE-2025-59466"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-59465",
"url": "https://access.redhat.com/security/cve/CVE-2025-59465"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-59464",
"url": "https://access.redhat.com/security/cve/CVE-2025-59464"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-55132",
"url": "https://access.redhat.com/security/cve/CVE-2025-55132"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-55131",
"url": "https://access.redhat.com/security/cve/CVE-2025-55131"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-55130",
"url": "https://access.redhat.com/security/cve/CVE-2025-55130"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-21717",
"url": "https://access.redhat.com/security/cve/CVE-2026-21717"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-21716",
"url": "https://access.redhat.com/security/cve/CVE-2026-21716"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-45149",
"url": "https://access.redhat.com/security/cve/CVE-2026-45149"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_7387.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update",
"tracking": {
"current_release_date": "2026-06-28T12:57:55+00:00",
"generator": {
"date": "2026-06-28T12:57:55+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.2.6"
}
},
"id": "RHSA-2026:7387",
"initial_release_date": "2026-04-10T16:03:53+00:00",
"revision_history": [
{
"date": "2026-04-10T16:03:53+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-06-08T14:09:06+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-28T12:57:55+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Hardened Images",
"product": {
"name": "Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:hummingbird:1"
}
}
}
],
"category": "product_family",
"name": "Red Hat Hardened Images"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs22-main@aarch64",
"product": {
"name": "nodejs22-main@aarch64",
"product_id": "nodejs22-main@aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs22@22.22.0-1.3.hum1?arch=aarch64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-aarch64-rpms"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs22-main@src",
"product": {
"name": "nodejs22-main@src",
"product_id": "nodejs22-main@src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs22@22.22.0-1.3.hum1?arch=src\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-source-rpms"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs22-main@x86_64",
"product": {
"name": "nodejs22-main@x86_64",
"product_id": "nodejs22-main@x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs22@22.22.0-1.3.hum1?arch=x86_64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs22-main@noarch",
"product": {
"name": "nodejs22-main@noarch",
"product_id": "nodejs22-main@noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs22-bin@22.22.0-1.3.hum1?arch=noarch\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs22-main@aarch64 as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:nodejs22-main@aarch64"
},
"product_reference": "nodejs22-main@aarch64",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs22-main@noarch as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:nodejs22-main@noarch"
},
"product_reference": "nodejs22-main@noarch",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs22-main@src as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:nodejs22-main@src"
},
"product_reference": "nodejs22-main@src",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs22-main@x86_64 as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:nodejs22-main@x86_64"
},
"product_reference": "nodejs22-main@x86_64",
"relates_to_product_reference": "Red Hat Hardened Images"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-55130",
"cwe": {
"id": "CWE-281",
"name": "Improper Preservation of Permissions"
},
"discovery_date": "2026-01-20T21:03:01.083023+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431352"
}
],
"notes": [
{
"category": "description",
"text": "A flaw in Node.js\u2019s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs file permissions bypass",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-55130"
},
{
"category": "external",
"summary": "RHBZ#2431352",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431352"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-55130",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55130"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-55130",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55130"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.393000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-10T16:03:53+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7387"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "nodejs: Nodejs file permissions bypass"
},
{
"cve": "CVE-2025-55131",
"cwe": {
"id": "CWE-497",
"name": "Exposure of Sensitive System Information to an Unauthorized Control Sphere"
},
"discovery_date": "2026-01-20T21:02:45.759578+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431350"
}
],
"notes": [
{
"category": "description",
"text": "A memory exposure flaw has been discovered in Node.js. A flaw in Node.js\u0027s buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs uninitialized memory exposure",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-55131"
},
{
"category": "external",
"summary": "RHBZ#2431350",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431350"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-55131",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55131"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-55131",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55131"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.591000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-10T16:03:53+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7387"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "nodejs: Nodejs uninitialized memory exposure"
},
{
"cve": "CVE-2025-55132",
"cwe": {
"id": "CWE-281",
"name": "Improper Preservation of Permissions"
},
"discovery_date": "2026-01-20T21:01:12.192484+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431338"
}
],
"notes": [
{
"category": "description",
"text": "A file access flaw has been discovered in NodeJS. A file\u0027s access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs filesystem permissions bypass",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-55132"
},
{
"category": "external",
"summary": "RHBZ#2431338",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431338"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-55132",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55132"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-55132",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55132"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.620000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-10T16:03:53+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7387"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
},
"products": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Nodejs filesystem permissions bypass"
},
{
"cve": "CVE-2025-59464",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-01-20T21:01:52.581156+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431344"
}
],
"notes": [
{
"category": "description",
"text": "A resource consumption flaw has been discovered in NodeJS. A memory leak in Node.js\u2019s OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. When applications call `socket.getPeerCertificate(true)`, each certificate field leaks memory, allowing remote clients to trigger steady memory growth through repeated TLS connections. Over time this can lead to resource exhaustion and denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs memory leak",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-59464"
},
{
"category": "external",
"summary": "RHBZ#2431344",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431344"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-59464",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-59464"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-59464",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59464"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.599000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-10T16:03:53+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7387"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Nodejs memory leak"
},
{
"cve": "CVE-2025-59465",
"cwe": {
"id": "CWE-248",
"name": "Uncaught Exception"
},
"discovery_date": "2026-01-20T21:02:37.799525+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431349"
}
],
"notes": [
{
"category": "description",
"text": "A denial of service flaw has been discovered in NodeJS. A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs denial of service",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-59465"
},
{
"category": "external",
"summary": "RHBZ#2431349",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431349"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-59465",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-59465"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-59465",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59465"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.317000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-10T16:03:53+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7387"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "nodejs: Nodejs denial of service"
},
{
"cve": "CVE-2025-59466",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-01-20T21:01:46.025710+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431343"
}
],
"notes": [
{
"category": "description",
"text": "A stack overflow flaw has been discovered in Node.js error handling where \"Maximum call stack size exceeded\" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on(\u0027uncaughtException\u0027)`, the process terminates, making the crash unrecoverable. Applications that rely on `AsyncLocalStorage` (v22, v20) or `async_hooks.createHook()` (v24, v22, v20) become vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs denial of service",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This flaw requires that the experimental Async hook feature is enabled for use in NodeJS. This feature is not enabled by default on Red Hat systems.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-59466"
},
{
"category": "external",
"summary": "RHBZ#2431343",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431343"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-59466",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-59466"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-59466",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59466"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.628000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-10T16:03:53+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7387"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Nodejs denial of service"
},
{
"cve": "CVE-2026-21636",
"cwe": {
"id": "CWE-281",
"name": "Improper Preservation of Permissions"
},
"discovery_date": "2026-01-20T21:01:41.174266+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431342"
}
],
"notes": [
{
"category": "description",
"text": "A flaw in Node.js\u0027s permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when `--permission` is enabled. Even without `--allow-net`, attacker-controlled inputs (such as URLs or socketPath options) can connect to arbitrary local sockets via net, tls, or undici/fetch. This breaks the intended security boundary of the permission model and enables access to privileged local services, potentially leading to privilege escalation, data exposure, or local code execution.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs network segmentation bypass",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-21636"
},
{
"category": "external",
"summary": "RHBZ#2431342",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431342"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-21636",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-21636"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-21636",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21636"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.700000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-10T16:03:53+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7387"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Nodejs network segmentation bypass"
},
{
"cve": "CVE-2026-21637",
"cwe": {
"id": "CWE-248",
"name": "Uncaught Exception"
},
"discovery_date": "2026-01-20T21:01:26.738343+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431340"
}
],
"notes": [
{
"category": "description",
"text": "A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across Node.js versions where these callbacks throw without being safely wrapped.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs denial of service",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Systems configured according to Red Hat guidelines should have their services set to restart in the event of a process crash. This Host system service management mitigates the availability impact to Red Hat customers.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-21637"
},
{
"category": "external",
"summary": "RHBZ#2431340",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431340"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-21637",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-21637"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-21637",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21637"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.352000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-10T16:03:53+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7387"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Nodejs denial of service"
},
{
"cve": "CVE-2026-21716",
"cwe": {
"id": "CWE-279",
"name": "Incorrect Execution-Assigned Permissions"
},
"discovery_date": "2026-03-30T20:01:51.136802+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2453157"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Node.js. An incomplete security fix allows code operating under restricted file system write permissions to bypass these limitations. This vulnerability enables the modification of file permissions and ownership on already-open files, even when explicit write access is denied. Such a bypass could lead to unauthorized changes to system files.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Node.js: Permission bypass allows unauthorized modification of file permissions and ownership via incomplete security fix.",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-21716"
},
{
"category": "external",
"summary": "RHBZ#2453157",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453157"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-21716",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-21716"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-21716",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21716"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"
}
],
"release_date": "2026-03-30T19:07:28.538000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-10T16:03:53+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7387"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "nodejs: Node.js: Permission bypass allows unauthorized modification of file permissions and ownership via incomplete security fix."
},
{
"cve": "CVE-2026-21717",
"cwe": {
"id": "CWE-328",
"name": "Use of Weak Hash"
},
"discovery_date": "2026-03-30T20:02:10.986695+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2453162"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in V8\u0027s string hashing mechanism within Node.js. A remote attacker can exploit this vulnerability by crafting requests containing integer-like strings. These specially crafted strings cause predictable hash collisions in V8\u0027s internal string table, particularly when processed by functions like JSON.parse() on attacker-controlled input. This can significantly degrade the performance of the Node.js process, leading to a Denial of Service (DoS) condition.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: v8: Node.js: Denial of Service via V8 string hashing mechanism due to predictable hash collisions",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-21717"
},
{
"category": "external",
"summary": "RHBZ#2453162",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453162"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-21717",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-21717"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-21717",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21717"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"
}
],
"release_date": "2026-03-30T19:07:28.415000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-10T16:03:53+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7387"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs22-main@aarch64",
"Red Hat Hardened Images:nodejs22-main@noarch",
"Red Hat Hardened Images:nodejs22-main@src",
"Red Hat Hardened Images:nodejs22-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: v8: Node.js: Denial of Service via V8 string hashing mechanism due to predictable hash collisions"
}
]
}
RHSA-2026:7657
Vulnerability from csaf_redhat - Published: 2026-04-11 01:51 - Updated: 2026-06-28 12:58Summary
Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update
Severity
Important
Notes
Topic: An update for Red Hat Hardened Images RPMs is now available.
Details: This update includes the following RPMs:
nodejs24:
* nodejs24-24.14.1-4.1.hum1 (aarch64, x86_64)
* nodejs24-bin-24.14.1-4.1.hum1 (noarch)
* nodejs24-devel-24.14.1-4.1.hum1 (aarch64, x86_64)
* nodejs24-docs-24.14.1-4.1.hum1 (noarch)
* nodejs24-full-i18n-24.14.1-4.1.hum1 (aarch64, x86_64)
* nodejs24-libs-24.14.1-4.1.hum1 (aarch64, x86_64)
* nodejs24-npm-11.11.0-1.24.14.1.4.1.hum1 (noarch)
* nodejs24-npm-bin-24.14.1-4.1.hum1 (noarch)
* v8-13.6-devel-13.6.233.17-1.24.14.1.4.1.hum1 (aarch64, x86_64)
* nodejs24-24.14.1-4.1.hum1.src (src)
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write.
7.1 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A memory exposure flaw has been discovered in Node.js. A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption.
7.1 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A file access flaw has been discovered in NodeJS. A file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs.
5.3 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A resource consumption flaw has been discovered in NodeJS. A memory leak in Node.js’s OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. When applications call `socket.getPeerCertificate(true)`, each certificate field leaks memory, allowing remote clients to trigger steady memory growth through repeated TLS connections. Over time this can lead to resource exhaustion and denial of service.
6.5 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs24-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
References
25 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for Red Hat Hardened Images RPMs is now available.",
"title": "Topic"
},
{
"category": "general",
"text": "This update includes the following RPMs:\n\nnodejs24:\n * nodejs24-24.14.1-4.1.hum1 (aarch64, x86_64)\n * nodejs24-bin-24.14.1-4.1.hum1 (noarch)\n * nodejs24-devel-24.14.1-4.1.hum1 (aarch64, x86_64)\n * nodejs24-docs-24.14.1-4.1.hum1 (noarch)\n * nodejs24-full-i18n-24.14.1-4.1.hum1 (aarch64, x86_64)\n * nodejs24-libs-24.14.1-4.1.hum1 (aarch64, x86_64)\n * nodejs24-npm-11.11.0-1.24.14.1.4.1.hum1 (noarch)\n * nodejs24-npm-bin-24.14.1-4.1.hum1 (noarch)\n * v8-13.6-devel-13.6.233.17-1.24.14.1.4.1.hum1 (aarch64, x86_64)\n * nodejs24-24.14.1-4.1.hum1.src (src)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:7657",
"url": "https://access.redhat.com/errata/RHSA-2026:7657"
},
{
"category": "external",
"summary": "https://images.redhat.com/",
"url": "https://images.redhat.com/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-59464",
"url": "https://access.redhat.com/security/cve/CVE-2025-59464"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-55132",
"url": "https://access.redhat.com/security/cve/CVE-2025-55132"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-55131",
"url": "https://access.redhat.com/security/cve/CVE-2025-55131"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-55130",
"url": "https://access.redhat.com/security/cve/CVE-2025-55130"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_7657.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update",
"tracking": {
"current_release_date": "2026-06-28T12:58:00+00:00",
"generator": {
"date": "2026-06-28T12:58:00+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.2.6"
}
},
"id": "RHSA-2026:7657",
"initial_release_date": "2026-04-11T01:51:42+00:00",
"revision_history": [
{
"date": "2026-04-11T01:51:42+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-04-20T11:28:03+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-28T12:58:00+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Hardened Images",
"product": {
"name": "Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:hummingbird:1"
}
}
}
],
"category": "product_family",
"name": "Red Hat Hardened Images"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs24-main@aarch64",
"product": {
"name": "nodejs24-main@aarch64",
"product_id": "nodejs24-main@aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs24@24.14.1-4.1.hum1?arch=aarch64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-aarch64-rpms"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs24-main@src",
"product": {
"name": "nodejs24-main@src",
"product_id": "nodejs24-main@src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs24@24.14.1-4.1.hum1?arch=src\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-source-rpms"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs24-main@x86_64",
"product": {
"name": "nodejs24-main@x86_64",
"product_id": "nodejs24-main@x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs24@24.14.1-4.1.hum1?arch=x86_64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs24-main@noarch",
"product": {
"name": "nodejs24-main@noarch",
"product_id": "nodejs24-main@noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs24-bin@24.14.1-4.1.hum1?arch=noarch\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-main@aarch64 as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:nodejs24-main@aarch64"
},
"product_reference": "nodejs24-main@aarch64",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-main@noarch as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:nodejs24-main@noarch"
},
"product_reference": "nodejs24-main@noarch",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-main@src as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:nodejs24-main@src"
},
"product_reference": "nodejs24-main@src",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-main@x86_64 as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:nodejs24-main@x86_64"
},
"product_reference": "nodejs24-main@x86_64",
"relates_to_product_reference": "Red Hat Hardened Images"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-55130",
"cwe": {
"id": "CWE-281",
"name": "Improper Preservation of Permissions"
},
"discovery_date": "2026-01-20T21:03:01.083023+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431352"
}
],
"notes": [
{
"category": "description",
"text": "A flaw in Node.js\u2019s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs file permissions bypass",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-55130"
},
{
"category": "external",
"summary": "RHBZ#2431352",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431352"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-55130",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55130"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-55130",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55130"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.393000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-11T01:51:42+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7657"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "nodejs: Nodejs file permissions bypass"
},
{
"cve": "CVE-2025-55131",
"cwe": {
"id": "CWE-497",
"name": "Exposure of Sensitive System Information to an Unauthorized Control Sphere"
},
"discovery_date": "2026-01-20T21:02:45.759578+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431350"
}
],
"notes": [
{
"category": "description",
"text": "A memory exposure flaw has been discovered in Node.js. A flaw in Node.js\u0027s buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs uninitialized memory exposure",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-55131"
},
{
"category": "external",
"summary": "RHBZ#2431350",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431350"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-55131",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55131"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-55131",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55131"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.591000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-11T01:51:42+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7657"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "nodejs: Nodejs uninitialized memory exposure"
},
{
"cve": "CVE-2025-55132",
"cwe": {
"id": "CWE-281",
"name": "Improper Preservation of Permissions"
},
"discovery_date": "2026-01-20T21:01:12.192484+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431338"
}
],
"notes": [
{
"category": "description",
"text": "A file access flaw has been discovered in NodeJS. A file\u0027s access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs filesystem permissions bypass",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-55132"
},
{
"category": "external",
"summary": "RHBZ#2431338",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431338"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-55132",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55132"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-55132",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55132"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.620000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-11T01:51:42+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7657"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
},
"products": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Nodejs filesystem permissions bypass"
},
{
"cve": "CVE-2025-59464",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-01-20T21:01:52.581156+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2431344"
}
],
"notes": [
{
"category": "description",
"text": "A resource consumption flaw has been discovered in NodeJS. A memory leak in Node.js\u2019s OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. When applications call `socket.getPeerCertificate(true)`, each certificate field leaks memory, allowing remote clients to trigger steady memory growth through repeated TLS connections. Over time this can lead to resource exhaustion and denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Nodejs memory leak",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-59464"
},
{
"category": "external",
"summary": "RHBZ#2431344",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431344"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-59464",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-59464"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-59464",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59464"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"release_date": "2026-01-20T20:41:55.599000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-11T01:51:42+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7657"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs24-main@aarch64",
"Red Hat Hardened Images:nodejs24-main@noarch",
"Red Hat Hardened Images:nodejs24-main@src",
"Red Hat Hardened Images:nodejs24-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Nodejs memory leak"
}
]
}
SUSE-SU-2026:1299-1
Vulnerability from csaf_suse - Published: 2026-04-13 15:54 - Updated: 2026-04-13 15:54Summary
Security update for nodejs24
Severity
Important
Notes
Title of the patch: Security update for nodejs24
Description of the patch: This update for nodejs24 fixes the following issues:
- Update to 24.14.1
- CVE-2026-21637: synchronous exceptions thrown during certain callbacks bypass the standard TLS error handling paths and can cause a denial of service (bsc#1256576).
- CVE-2026-21710: uncaught TypeError exception can cause a denial of service (bsc#1260455).
- CVE-2026-21712: malformed URL format can lead to a crash (bsc#1260460).
- CVE-2026-21713: timing side-channel in HMAC verification via memcmp can lead to potential MAC forgery (bsc#1260463).
- CVE-2026-21714: WINDOW_UPDATE frames on stream 0 can lead to memory leak (bsc#1260480).
- CVE-2026-21715: permission model bypass in realpathSync.native can allow file existence disclosure (bsc#1260482).
- CVE-2026-21716: promise-based FileHandle methods can be used to modify file permissions and ownership (bsc#1260462).
- CVE-2026-21717: crafted request can lead to trivially predictable hash collisions (bsc#1260494).
Patchnames: SUSE-2026-1299,SUSE-SLE-Module-Web-Scripting-15-SP7-2026-1299
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
5.3 (Medium)
Affected products
Recommended
13 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
5.3 (Medium)
Affected products
Recommended
13 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
7.5 (High)
Affected products
Recommended
13 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
6.5 (Medium)
Affected products
Recommended
13 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
5.6 (Medium)
Affected products
Recommended
13 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
5.9 (Medium)
Affected products
Recommended
13 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
Affected products
Recommended
13 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
low
4.4 (Medium)
Affected products
Recommended
13 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
6.3 (Medium)
Affected products
Recommended
13 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
References
40 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for nodejs24",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for nodejs24 fixes the following issues:\n\n- Update to 24.14.1\n- CVE-2026-21637: synchronous exceptions thrown during certain callbacks bypass the standard TLS error handling paths and can cause a denial of service (bsc#1256576).\n- CVE-2026-21710: uncaught TypeError exception can cause a denial of service (bsc#1260455).\n- CVE-2026-21712: malformed URL format can lead to a crash (bsc#1260460).\n- CVE-2026-21713: timing side-channel in HMAC verification via memcmp can lead to potential MAC forgery (bsc#1260463).\n- CVE-2026-21714: WINDOW_UPDATE frames on stream 0 can lead to memory leak (bsc#1260480).\n- CVE-2026-21715: permission model bypass in realpathSync.native can allow file existence disclosure (bsc#1260482).\n- CVE-2026-21716: promise-based FileHandle methods can be used to modify file permissions and ownership (bsc#1260462).\n- CVE-2026-21717: crafted request can lead to trivially predictable hash collisions (bsc#1260494).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2026-1299,SUSE-SLE-Module-Web-Scripting-15-SP7-2026-1299",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_1299-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:1299-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20261299-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:1299-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2026-April/045503.html"
},
{
"category": "self",
"summary": "SUSE Bug 1256572",
"url": "https://bugzilla.suse.com/1256572"
},
{
"category": "self",
"summary": "SUSE Bug 1256576",
"url": "https://bugzilla.suse.com/1256576"
},
{
"category": "self",
"summary": "SUSE Bug 1260455",
"url": "https://bugzilla.suse.com/1260455"
},
{
"category": "self",
"summary": "SUSE Bug 1260460",
"url": "https://bugzilla.suse.com/1260460"
},
{
"category": "self",
"summary": "SUSE Bug 1260462",
"url": "https://bugzilla.suse.com/1260462"
},
{
"category": "self",
"summary": "SUSE Bug 1260463",
"url": "https://bugzilla.suse.com/1260463"
},
{
"category": "self",
"summary": "SUSE Bug 1260480",
"url": "https://bugzilla.suse.com/1260480"
},
{
"category": "self",
"summary": "SUSE Bug 1260482",
"url": "https://bugzilla.suse.com/1260482"
},
{
"category": "self",
"summary": "SUSE Bug 1260494",
"url": "https://bugzilla.suse.com/1260494"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-59464 page",
"url": "https://www.suse.com/security/cve/CVE-2025-59464/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-21637 page",
"url": "https://www.suse.com/security/cve/CVE-2026-21637/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-21710 page",
"url": "https://www.suse.com/security/cve/CVE-2026-21710/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-21712 page",
"url": "https://www.suse.com/security/cve/CVE-2026-21712/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-21713 page",
"url": "https://www.suse.com/security/cve/CVE-2026-21713/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-21714 page",
"url": "https://www.suse.com/security/cve/CVE-2026-21714/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-21715 page",
"url": "https://www.suse.com/security/cve/CVE-2026-21715/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-21716 page",
"url": "https://www.suse.com/security/cve/CVE-2026-21716/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-21717 page",
"url": "https://www.suse.com/security/cve/CVE-2026-21717/"
}
],
"title": "Security update for nodejs24",
"tracking": {
"current_release_date": "2026-04-13T15:54:45Z",
"generator": {
"date": "2026-04-13T15:54:45Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:1299-1",
"initial_release_date": "2026-04-13T15:54:45Z",
"revision_history": [
{
"date": "2026-04-13T15:54:45Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "corepack24-24.14.1-150700.15.8.1.aarch64",
"product": {
"name": "corepack24-24.14.1-150700.15.8.1.aarch64",
"product_id": "corepack24-24.14.1-150700.15.8.1.aarch64"
}
},
{
"category": "product_version",
"name": "nodejs24-24.14.1-150700.15.8.1.aarch64",
"product": {
"name": "nodejs24-24.14.1-150700.15.8.1.aarch64",
"product_id": "nodejs24-24.14.1-150700.15.8.1.aarch64"
}
},
{
"category": "product_version",
"name": "nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"product": {
"name": "nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"product_id": "nodejs24-devel-24.14.1-150700.15.8.1.aarch64"
}
},
{
"category": "product_version",
"name": "npm24-24.14.1-150700.15.8.1.aarch64",
"product": {
"name": "npm24-24.14.1-150700.15.8.1.aarch64",
"product_id": "npm24-24.14.1-150700.15.8.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "corepack24-24.14.1-150700.15.8.1.i586",
"product": {
"name": "corepack24-24.14.1-150700.15.8.1.i586",
"product_id": "corepack24-24.14.1-150700.15.8.1.i586"
}
},
{
"category": "product_version",
"name": "nodejs24-24.14.1-150700.15.8.1.i586",
"product": {
"name": "nodejs24-24.14.1-150700.15.8.1.i586",
"product_id": "nodejs24-24.14.1-150700.15.8.1.i586"
}
},
{
"category": "product_version",
"name": "nodejs24-devel-24.14.1-150700.15.8.1.i586",
"product": {
"name": "nodejs24-devel-24.14.1-150700.15.8.1.i586",
"product_id": "nodejs24-devel-24.14.1-150700.15.8.1.i586"
}
},
{
"category": "product_version",
"name": "npm24-24.14.1-150700.15.8.1.i586",
"product": {
"name": "npm24-24.14.1-150700.15.8.1.i586",
"product_id": "npm24-24.14.1-150700.15.8.1.i586"
}
}
],
"category": "architecture",
"name": "i586"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"product": {
"name": "nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"product_id": "nodejs24-docs-24.14.1-150700.15.8.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "corepack24-24.14.1-150700.15.8.1.ppc64le",
"product": {
"name": "corepack24-24.14.1-150700.15.8.1.ppc64le",
"product_id": "corepack24-24.14.1-150700.15.8.1.ppc64le"
}
},
{
"category": "product_version",
"name": "nodejs24-24.14.1-150700.15.8.1.ppc64le",
"product": {
"name": "nodejs24-24.14.1-150700.15.8.1.ppc64le",
"product_id": "nodejs24-24.14.1-150700.15.8.1.ppc64le"
}
},
{
"category": "product_version",
"name": "nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"product": {
"name": "nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"product_id": "nodejs24-devel-24.14.1-150700.15.8.1.ppc64le"
}
},
{
"category": "product_version",
"name": "npm24-24.14.1-150700.15.8.1.ppc64le",
"product": {
"name": "npm24-24.14.1-150700.15.8.1.ppc64le",
"product_id": "npm24-24.14.1-150700.15.8.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "corepack24-24.14.1-150700.15.8.1.s390x",
"product": {
"name": "corepack24-24.14.1-150700.15.8.1.s390x",
"product_id": "corepack24-24.14.1-150700.15.8.1.s390x"
}
},
{
"category": "product_version",
"name": "nodejs24-24.14.1-150700.15.8.1.s390x",
"product": {
"name": "nodejs24-24.14.1-150700.15.8.1.s390x",
"product_id": "nodejs24-24.14.1-150700.15.8.1.s390x"
}
},
{
"category": "product_version",
"name": "nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"product": {
"name": "nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"product_id": "nodejs24-devel-24.14.1-150700.15.8.1.s390x"
}
},
{
"category": "product_version",
"name": "npm24-24.14.1-150700.15.8.1.s390x",
"product": {
"name": "npm24-24.14.1-150700.15.8.1.s390x",
"product_id": "npm24-24.14.1-150700.15.8.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "corepack24-24.14.1-150700.15.8.1.x86_64",
"product": {
"name": "corepack24-24.14.1-150700.15.8.1.x86_64",
"product_id": "corepack24-24.14.1-150700.15.8.1.x86_64"
}
},
{
"category": "product_version",
"name": "nodejs24-24.14.1-150700.15.8.1.x86_64",
"product": {
"name": "nodejs24-24.14.1-150700.15.8.1.x86_64",
"product_id": "nodejs24-24.14.1-150700.15.8.1.x86_64"
}
},
{
"category": "product_version",
"name": "nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"product": {
"name": "nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"product_id": "nodejs24-devel-24.14.1-150700.15.8.1.x86_64"
}
},
{
"category": "product_version",
"name": "npm24-24.14.1-150700.15.8.1.x86_64",
"product": {
"name": "npm24-24.14.1-150700.15.8.1.x86_64",
"product_id": "npm24-24.14.1-150700.15.8.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7",
"product": {
"name": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-web-scripting:15:sp7"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-24.14.1-150700.15.8.1.aarch64 as component of SUSE Linux Enterprise Module for Web and Scripting 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64"
},
"product_reference": "nodejs24-24.14.1-150700.15.8.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-24.14.1-150700.15.8.1.ppc64le as component of SUSE Linux Enterprise Module for Web and Scripting 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le"
},
"product_reference": "nodejs24-24.14.1-150700.15.8.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-24.14.1-150700.15.8.1.s390x as component of SUSE Linux Enterprise Module for Web and Scripting 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x"
},
"product_reference": "nodejs24-24.14.1-150700.15.8.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-24.14.1-150700.15.8.1.x86_64 as component of SUSE Linux Enterprise Module for Web and Scripting 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64"
},
"product_reference": "nodejs24-24.14.1-150700.15.8.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-devel-24.14.1-150700.15.8.1.aarch64 as component of SUSE Linux Enterprise Module for Web and Scripting 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64"
},
"product_reference": "nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-devel-24.14.1-150700.15.8.1.ppc64le as component of SUSE Linux Enterprise Module for Web and Scripting 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le"
},
"product_reference": "nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-devel-24.14.1-150700.15.8.1.s390x as component of SUSE Linux Enterprise Module for Web and Scripting 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x"
},
"product_reference": "nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-devel-24.14.1-150700.15.8.1.x86_64 as component of SUSE Linux Enterprise Module for Web and Scripting 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64"
},
"product_reference": "nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-docs-24.14.1-150700.15.8.1.noarch as component of SUSE Linux Enterprise Module for Web and Scripting 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch"
},
"product_reference": "nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm24-24.14.1-150700.15.8.1.aarch64 as component of SUSE Linux Enterprise Module for Web and Scripting 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64"
},
"product_reference": "npm24-24.14.1-150700.15.8.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm24-24.14.1-150700.15.8.1.ppc64le as component of SUSE Linux Enterprise Module for Web and Scripting 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le"
},
"product_reference": "npm24-24.14.1-150700.15.8.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm24-24.14.1-150700.15.8.1.s390x as component of SUSE Linux Enterprise Module for Web and Scripting 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x"
},
"product_reference": "npm24-24.14.1-150700.15.8.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm24-24.14.1-150700.15.8.1.x86_64 as component of SUSE Linux Enterprise Module for Web and Scripting 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
},
"product_reference": "npm24-24.14.1-150700.15.8.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-59464",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-59464"
}
],
"notes": [
{
"category": "general",
"text": "A memory leak in Node.js\u0027s OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. When applications call `socket.getPeerCertificate(true)`, each certificate field leaks memory, allowing remote clients to trigger steady memory growth through repeated TLS connections. Over time this can lead to resource exhaustion and denial of service.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-59464",
"url": "https://www.suse.com/security/cve/CVE-2025-59464"
},
{
"category": "external",
"summary": "SUSE Bug 1256572 for CVE-2025-59464",
"url": "https://bugzilla.suse.com/1256572"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-13T15:54:45Z",
"details": "moderate"
}
],
"title": "CVE-2025-59464"
},
{
"cve": "CVE-2026-21637",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-21637"
}
],
"notes": [
{
"category": "general",
"text": "A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across Node.js versions where these callbacks throw without being safely wrapped.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-21637",
"url": "https://www.suse.com/security/cve/CVE-2026-21637"
},
{
"category": "external",
"summary": "SUSE Bug 1256576 for CVE-2026-21637",
"url": "https://bugzilla.suse.com/1256576"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-13T15:54:45Z",
"details": "moderate"
}
],
"title": "CVE-2026-21637"
},
{
"cve": "CVE-2026-21710",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-21710"
}
],
"notes": [
{
"category": "general",
"text": "A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`.\r\n\r\nWhen this occurs, `dest[\"__proto__\"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by `error` event listeners, meaning it cannot be handled without wrapping every `req.headersDistinct` access in a `try/catch`.\r\n\r\n* This vulnerability affects all Node.js HTTP servers on **20.x, 22.x, 24.x, and v25.x**",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-21710",
"url": "https://www.suse.com/security/cve/CVE-2026-21710"
},
{
"category": "external",
"summary": "SUSE Bug 1260455 for CVE-2026-21710",
"url": "https://bugzilla.suse.com/1260455"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-13T15:54:45Z",
"details": "important"
}
],
"title": "CVE-2026-21710"
},
{
"cve": "CVE-2026-21712",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-21712"
}
],
"notes": [
{
"category": "general",
"text": "A flaw in Node.js URL processing causes an assertion failure in native code when `url.format()` is called with a malformed internationalized domain name (IDN) containing invalid characters, crashing the Node.js process.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-21712",
"url": "https://www.suse.com/security/cve/CVE-2026-21712"
},
{
"category": "external",
"summary": "SUSE Bug 1260460 for CVE-2026-21712",
"url": "https://bugzilla.suse.com/1260460"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-13T15:54:45Z",
"details": "moderate"
}
],
"title": "CVE-2026-21712"
},
{
"cve": "CVE-2026-21713",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-21713"
}
],
"notes": [
{
"category": "general",
"text": "A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possible, this behavior could be exploited as a timing oracle to infer HMAC values.\r\n\r\nNode.js already provides timing-safe comparison primitives used elsewhere in the codebase, indicating this is an oversight rather than an intentional design decision.\r\n\r\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x**.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-21713",
"url": "https://www.suse.com/security/cve/CVE-2026-21713"
},
{
"category": "external",
"summary": "SUSE Bug 1260463 for CVE-2026-21713",
"url": "https://bugzilla.suse.com/1260463"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-13T15:54:45Z",
"details": "moderate"
}
],
"title": "CVE-2026-21713"
},
{
"cve": "CVE-2026-21714",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-21714"
}
],
"notes": [
{
"category": "general",
"text": "A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up.\r\n\r\nThis vulnerability affects HTTP2 users on Node.js 20, 22, 24 and 25.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-21714",
"url": "https://www.suse.com/security/cve/CVE-2026-21714"
},
{
"category": "external",
"summary": "SUSE Bug 1260480 for CVE-2026-21714",
"url": "https://bugzilla.suse.com/1260480"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-13T15:54:45Z",
"details": "moderate"
}
],
"title": "CVE-2026-21714"
},
{
"cve": "CVE-2026-21715",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-21715"
}
],
"notes": [
{
"category": "general",
"text": "A flaw in Node.js Permission Model filesystem enforcement leaves `fs.realpathSync.native()` without the required read permission checks, while all comparable filesystem functions correctly enforce them.\r\n\r\nAs a result, code running under `--permission` with restricted `--allow-fs-read` can still use `fs.realpathSync.native()` to check file existence, resolve symlink targets, and enumerate filesystem paths outside of permitted directories.\r\n\r\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-read` is intentionally restricted.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-21715",
"url": "https://www.suse.com/security/cve/CVE-2026-21715"
},
{
"category": "external",
"summary": "SUSE Bug 1260482 for CVE-2026-21715",
"url": "https://bugzilla.suse.com/1260482"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-13T15:54:45Z",
"details": "low"
}
],
"title": "CVE-2026-21715"
},
{
"cve": "CVE-2026-21716",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-21716"
}
],
"notes": [
{
"category": "general",
"text": "An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and `FileHandle.chown()` in the promises API without the required permission checks, while their callback-based equivalents (`fs.fchmod()`, `fs.fchown()`) were correctly patched.\r\n\r\nAs a result, code running under `--permission` with restricted `--allow-fs-write` can still use promise-based `FileHandle` methods to modify file permissions and ownership on already-open file descriptors, bypassing the intended write restrictions.\r\n\r\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-write` is intentionally restricted.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-21716",
"url": "https://www.suse.com/security/cve/CVE-2026-21716"
},
{
"category": "external",
"summary": "SUSE Bug 1260462 for CVE-2026-21716",
"url": "https://bugzilla.suse.com/1260462"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-13T15:54:45Z",
"details": "moderate"
}
],
"title": "CVE-2026-21716"
},
{
"cve": "CVE-2026-21717",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-21717"
}
],
"notes": [
{
"category": "general",
"text": "A flaw in V8\u0027s string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8\u0027s internal string table, an attacker can significantly degrade performance of the Node.js process.\r\n\r\nThe most common trigger is any endpoint that calls `JSON.parse()` on attacker-controlled input, as JSON parsing automatically internalizes short strings into the affected hash table.\r\n\r\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x**.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-21717",
"url": "https://www.suse.com/security/cve/CVE-2026-21717"
},
{
"category": "external",
"summary": "SUSE Bug 1260494 for CVE-2026-21717",
"url": "https://bugzilla.suse.com/1260494"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-13T15:54:45Z",
"details": "moderate"
}
],
"title": "CVE-2026-21717"
}
]
}
SUSE-SU-2026:21181-1
Vulnerability from csaf_suse - Published: 2026-04-13 10:59 - Updated: 2026-04-13 10:59Summary
Security update for nodejs24
Severity
Important
Notes
Title of the patch: Security update for nodejs24
Description of the patch: This update for nodejs24 fixes the following issues:
Update to version 24.14.1.
Security issues fixed:
- CVE-2026-21717: trivially predictable hash collisions due to flaw in V8's string hashing mechanism allows for
performance degradation via a crafted request (bsc#1260494).
- CVE-2026-21716: incomplete fix for CVE-2024-36137 allows promise-based FileHandle methods to be used to modify file
permissions and ownership on already-open file descriptors (bsc#1260462).
- CVE-2026-21715: flaw in the Permission Model filesystem enforcement allows for file existence disclosure and
filesystem path enumeration via `fs.realpathSync.native()` (bsc#1260482).
- CVE-2026-21714: memory leak in Node.js HTTP/2 server allows for resource exhaustion via `WINDOW_UPDATE` frames sent
on stream 0 (bsc#1260480).
- CVE-2026-21713: timing side-channel due to flaw in Node.js HMAC verification allows for discovery of HMAC values and
potential MAC forgery (bsc#1260463).
- CVE-2026-21712: assertion error caused by flaw in URL processing allows for a process crash via a URL with a
malformed IDN (bsc#1260460).
- CVE-2026-21710: uncaught `TypeError` when handling HTTP requests allows for a process crash via requests with a
header named `__proto__` when the application accesses `req.headersDistinct` (bsc#1260455).
- CVE-2026-21637: flaw in TLS error handling allows for resource exhaustion and crash when `pskCallback` or
`ALPNCallback` are in use (bsc#1256576).
- CVE-2025-59464: memory leak allows for remote denial of service against applications processing TLS client
certificates (bsc#1256572).
Other updates and bugfixes:
- Version 24.14.0:
* async_hooks: add trackPromises option to createHook()
* build,deps: replace cjs-module-lexer with merve
* deps: add LIEF as a dependency
* events: repurpose events.listenerCount() to accept EventTargets
* fs: add ignore option to fs.watch
* http: add http.setGlobalProxyFromEnv()
* module: allow subpath imports that start with #/
* process: preserve AsyncLocalStorage in queueMicrotask only when needed
* sea: split sea binary manipulation code
* sqlite: enable defensive mode by default
* sqlite: add sqlite prepare options args
* src: add initial support for ESM in embedder API
* stream: add bytes() method to node:stream/consumers
* stream: do not pass readable.compose() output via Readable.from()
* test: use fixture directories for sea tests
* test_runner: add env option to run function
* test_runner: support expecting a test-case to fail
* util: add convertProcessSignalToExitCode utility
* For details, see https://nodejs.org/en/blog/release/v24.14.0
Patchnames: SUSE-SLES-16.0-541
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
5.3 (Medium)
Affected products
Recommended
34 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
5.3 (Medium)
Affected products
Recommended
34 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
7.5 (High)
Affected products
Recommended
34 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
6.5 (Medium)
Affected products
Recommended
34 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
5.6 (Medium)
Affected products
Recommended
34 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
5.9 (Medium)
Affected products
Recommended
34 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
Affected products
Recommended
34 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
low
4.4 (Medium)
Affected products
Recommended
34 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
6.3 (Medium)
Affected products
Recommended
34 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
References
40 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for nodejs24",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for nodejs24 fixes the following issues:\n\nUpdate to version 24.14.1.\n\nSecurity issues fixed:\n\n- CVE-2026-21717: trivially predictable hash collisions due to flaw in V8\u0027s string hashing mechanism allows for\n performance degradation via a crafted request (bsc#1260494).\n- CVE-2026-21716: incomplete fix for CVE-2024-36137 allows promise-based FileHandle methods to be used to modify file\n permissions and ownership on already-open file descriptors (bsc#1260462).\n- CVE-2026-21715: flaw in the Permission Model filesystem enforcement allows for file existence disclosure and\n filesystem path enumeration via `fs.realpathSync.native()` (bsc#1260482).\n- CVE-2026-21714: memory leak in Node.js HTTP/2 server allows for resource exhaustion via `WINDOW_UPDATE` frames sent\n on stream 0 (bsc#1260480).\n- CVE-2026-21713: timing side-channel due to flaw in Node.js HMAC verification allows for discovery of HMAC values and\n potential MAC forgery (bsc#1260463).\n- CVE-2026-21712: assertion error caused by flaw in URL processing allows for a process crash via a URL with a\n malformed IDN (bsc#1260460).\n- CVE-2026-21710: uncaught `TypeError` when handling HTTP requests allows for a process crash via requests with a\n header named `__proto__` when the application accesses `req.headersDistinct` (bsc#1260455).\n- CVE-2026-21637: flaw in TLS error handling allows for resource exhaustion and crash when `pskCallback` or\n `ALPNCallback` are in use (bsc#1256576).\n- CVE-2025-59464: memory leak allows for remote denial of service against applications processing TLS client\n certificates (bsc#1256572).\n\nOther updates and bugfixes:\n\n- Version 24.14.0:\n * async_hooks: add trackPromises option to createHook()\n * build,deps: replace cjs-module-lexer with merve\n * deps: add LIEF as a dependency\n * events: repurpose events.listenerCount() to accept EventTargets\n * fs: add ignore option to fs.watch\n * http: add http.setGlobalProxyFromEnv()\n * module: allow subpath imports that start with #/\n * process: preserve AsyncLocalStorage in queueMicrotask only when needed\n * sea: split sea binary manipulation code\n * sqlite: enable defensive mode by default\n * sqlite: add sqlite prepare options args\n * src: add initial support for ESM in embedder API\n * stream: add bytes() method to node:stream/consumers\n * stream: do not pass readable.compose() output via Readable.from()\n * test: use fixture directories for sea tests\n * test_runner: add env option to run function\n * test_runner: support expecting a test-case to fail\n * util: add convertProcessSignalToExitCode utility\n * For details, see https://nodejs.org/en/blog/release/v24.14.0\n\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-SLES-16.0-541",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_21181-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:21181-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621181-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:21181-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025537.html"
},
{
"category": "self",
"summary": "SUSE Bug 1256572",
"url": "https://bugzilla.suse.com/1256572"
},
{
"category": "self",
"summary": "SUSE Bug 1256576",
"url": "https://bugzilla.suse.com/1256576"
},
{
"category": "self",
"summary": "SUSE Bug 1260455",
"url": "https://bugzilla.suse.com/1260455"
},
{
"category": "self",
"summary": "SUSE Bug 1260460",
"url": "https://bugzilla.suse.com/1260460"
},
{
"category": "self",
"summary": "SUSE Bug 1260462",
"url": "https://bugzilla.suse.com/1260462"
},
{
"category": "self",
"summary": "SUSE Bug 1260463",
"url": "https://bugzilla.suse.com/1260463"
},
{
"category": "self",
"summary": "SUSE Bug 1260480",
"url": "https://bugzilla.suse.com/1260480"
},
{
"category": "self",
"summary": "SUSE Bug 1260482",
"url": "https://bugzilla.suse.com/1260482"
},
{
"category": "self",
"summary": "SUSE Bug 1260494",
"url": "https://bugzilla.suse.com/1260494"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-59464 page",
"url": "https://www.suse.com/security/cve/CVE-2025-59464/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-21637 page",
"url": "https://www.suse.com/security/cve/CVE-2026-21637/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-21710 page",
"url": "https://www.suse.com/security/cve/CVE-2026-21710/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-21712 page",
"url": "https://www.suse.com/security/cve/CVE-2026-21712/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-21713 page",
"url": "https://www.suse.com/security/cve/CVE-2026-21713/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-21714 page",
"url": "https://www.suse.com/security/cve/CVE-2026-21714/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-21715 page",
"url": "https://www.suse.com/security/cve/CVE-2026-21715/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-21716 page",
"url": "https://www.suse.com/security/cve/CVE-2026-21716/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-21717 page",
"url": "https://www.suse.com/security/cve/CVE-2026-21717/"
}
],
"title": "Security update for nodejs24",
"tracking": {
"current_release_date": "2026-04-13T10:59:52Z",
"generator": {
"date": "2026-04-13T10:59:52Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:21181-1",
"initial_release_date": "2026-04-13T10:59:52Z",
"revision_history": [
{
"date": "2026-04-13T10:59:52Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "corepack24-24.14.1-160000.1.1.aarch64",
"product": {
"name": "corepack24-24.14.1-160000.1.1.aarch64",
"product_id": "corepack24-24.14.1-160000.1.1.aarch64"
}
},
{
"category": "product_version",
"name": "nodejs24-24.14.1-160000.1.1.aarch64",
"product": {
"name": "nodejs24-24.14.1-160000.1.1.aarch64",
"product_id": "nodejs24-24.14.1-160000.1.1.aarch64"
}
},
{
"category": "product_version",
"name": "nodejs24-devel-24.14.1-160000.1.1.aarch64",
"product": {
"name": "nodejs24-devel-24.14.1-160000.1.1.aarch64",
"product_id": "nodejs24-devel-24.14.1-160000.1.1.aarch64"
}
},
{
"category": "product_version",
"name": "npm24-24.14.1-160000.1.1.aarch64",
"product": {
"name": "npm24-24.14.1-160000.1.1.aarch64",
"product_id": "npm24-24.14.1-160000.1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs24-docs-24.14.1-160000.1.1.noarch",
"product": {
"name": "nodejs24-docs-24.14.1-160000.1.1.noarch",
"product_id": "nodejs24-docs-24.14.1-160000.1.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "corepack24-24.14.1-160000.1.1.ppc64le",
"product": {
"name": "corepack24-24.14.1-160000.1.1.ppc64le",
"product_id": "corepack24-24.14.1-160000.1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "nodejs24-24.14.1-160000.1.1.ppc64le",
"product": {
"name": "nodejs24-24.14.1-160000.1.1.ppc64le",
"product_id": "nodejs24-24.14.1-160000.1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"product": {
"name": "nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"product_id": "nodejs24-devel-24.14.1-160000.1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "npm24-24.14.1-160000.1.1.ppc64le",
"product": {
"name": "npm24-24.14.1-160000.1.1.ppc64le",
"product_id": "npm24-24.14.1-160000.1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "corepack24-24.14.1-160000.1.1.s390x",
"product": {
"name": "corepack24-24.14.1-160000.1.1.s390x",
"product_id": "corepack24-24.14.1-160000.1.1.s390x"
}
},
{
"category": "product_version",
"name": "nodejs24-24.14.1-160000.1.1.s390x",
"product": {
"name": "nodejs24-24.14.1-160000.1.1.s390x",
"product_id": "nodejs24-24.14.1-160000.1.1.s390x"
}
},
{
"category": "product_version",
"name": "nodejs24-devel-24.14.1-160000.1.1.s390x",
"product": {
"name": "nodejs24-devel-24.14.1-160000.1.1.s390x",
"product_id": "nodejs24-devel-24.14.1-160000.1.1.s390x"
}
},
{
"category": "product_version",
"name": "npm24-24.14.1-160000.1.1.s390x",
"product": {
"name": "npm24-24.14.1-160000.1.1.s390x",
"product_id": "npm24-24.14.1-160000.1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "corepack24-24.14.1-160000.1.1.x86_64",
"product": {
"name": "corepack24-24.14.1-160000.1.1.x86_64",
"product_id": "corepack24-24.14.1-160000.1.1.x86_64"
}
},
{
"category": "product_version",
"name": "nodejs24-24.14.1-160000.1.1.x86_64",
"product": {
"name": "nodejs24-24.14.1-160000.1.1.x86_64",
"product_id": "nodejs24-24.14.1-160000.1.1.x86_64"
}
},
{
"category": "product_version",
"name": "nodejs24-devel-24.14.1-160000.1.1.x86_64",
"product": {
"name": "nodejs24-devel-24.14.1-160000.1.1.x86_64",
"product_id": "nodejs24-devel-24.14.1-160000.1.1.x86_64"
}
},
{
"category": "product_version",
"name": "npm24-24.14.1-160000.1.1.x86_64",
"product": {
"name": "npm24-24.14.1-160000.1.1.x86_64",
"product_id": "npm24-24.14.1-160000.1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 16.0",
"product": {
"name": "SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:16.0"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product": {
"name": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:16:16.0:server-sap"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "corepack24-24.14.1-160000.1.1.aarch64 as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.aarch64"
},
"product_reference": "corepack24-24.14.1-160000.1.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "corepack24-24.14.1-160000.1.1.ppc64le as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.ppc64le"
},
"product_reference": "corepack24-24.14.1-160000.1.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "corepack24-24.14.1-160000.1.1.s390x as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.s390x"
},
"product_reference": "corepack24-24.14.1-160000.1.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "corepack24-24.14.1-160000.1.1.x86_64 as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.x86_64"
},
"product_reference": "corepack24-24.14.1-160000.1.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-24.14.1-160000.1.1.aarch64 as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.aarch64"
},
"product_reference": "nodejs24-24.14.1-160000.1.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-24.14.1-160000.1.1.ppc64le as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.ppc64le"
},
"product_reference": "nodejs24-24.14.1-160000.1.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-24.14.1-160000.1.1.s390x as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.s390x"
},
"product_reference": "nodejs24-24.14.1-160000.1.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-24.14.1-160000.1.1.x86_64 as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.x86_64"
},
"product_reference": "nodejs24-24.14.1-160000.1.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-devel-24.14.1-160000.1.1.aarch64 as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64"
},
"product_reference": "nodejs24-devel-24.14.1-160000.1.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-devel-24.14.1-160000.1.1.ppc64le as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le"
},
"product_reference": "nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-devel-24.14.1-160000.1.1.s390x as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x"
},
"product_reference": "nodejs24-devel-24.14.1-160000.1.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-devel-24.14.1-160000.1.1.x86_64 as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64"
},
"product_reference": "nodejs24-devel-24.14.1-160000.1.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-docs-24.14.1-160000.1.1.noarch as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch"
},
"product_reference": "nodejs24-docs-24.14.1-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm24-24.14.1-160000.1.1.aarch64 as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.aarch64"
},
"product_reference": "npm24-24.14.1-160000.1.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm24-24.14.1-160000.1.1.ppc64le as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.ppc64le"
},
"product_reference": "npm24-24.14.1-160000.1.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm24-24.14.1-160000.1.1.s390x as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.s390x"
},
"product_reference": "npm24-24.14.1-160000.1.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm24-24.14.1-160000.1.1.x86_64 as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.x86_64"
},
"product_reference": "npm24-24.14.1-160000.1.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "corepack24-24.14.1-160000.1.1.aarch64 as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.aarch64"
},
"product_reference": "corepack24-24.14.1-160000.1.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "corepack24-24.14.1-160000.1.1.ppc64le as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.ppc64le"
},
"product_reference": "corepack24-24.14.1-160000.1.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "corepack24-24.14.1-160000.1.1.s390x as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.s390x"
},
"product_reference": "corepack24-24.14.1-160000.1.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "corepack24-24.14.1-160000.1.1.x86_64 as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.x86_64"
},
"product_reference": "corepack24-24.14.1-160000.1.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-24.14.1-160000.1.1.aarch64 as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.aarch64"
},
"product_reference": "nodejs24-24.14.1-160000.1.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-24.14.1-160000.1.1.ppc64le as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.ppc64le"
},
"product_reference": "nodejs24-24.14.1-160000.1.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-24.14.1-160000.1.1.s390x as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.s390x"
},
"product_reference": "nodejs24-24.14.1-160000.1.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-24.14.1-160000.1.1.x86_64 as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.x86_64"
},
"product_reference": "nodejs24-24.14.1-160000.1.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-devel-24.14.1-160000.1.1.aarch64 as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64"
},
"product_reference": "nodejs24-devel-24.14.1-160000.1.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-devel-24.14.1-160000.1.1.ppc64le as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le"
},
"product_reference": "nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-devel-24.14.1-160000.1.1.s390x as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x"
},
"product_reference": "nodejs24-devel-24.14.1-160000.1.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-devel-24.14.1-160000.1.1.x86_64 as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64"
},
"product_reference": "nodejs24-devel-24.14.1-160000.1.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-docs-24.14.1-160000.1.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch"
},
"product_reference": "nodejs24-docs-24.14.1-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm24-24.14.1-160000.1.1.aarch64 as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.aarch64"
},
"product_reference": "npm24-24.14.1-160000.1.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm24-24.14.1-160000.1.1.ppc64le as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.ppc64le"
},
"product_reference": "npm24-24.14.1-160000.1.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm24-24.14.1-160000.1.1.s390x as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.s390x"
},
"product_reference": "npm24-24.14.1-160000.1.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm24-24.14.1-160000.1.1.x86_64 as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.x86_64"
},
"product_reference": "npm24-24.14.1-160000.1.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-59464",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-59464"
}
],
"notes": [
{
"category": "general",
"text": "A memory leak in Node.js\u0027s OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. When applications call `socket.getPeerCertificate(true)`, each certificate field leaks memory, allowing remote clients to trigger steady memory growth through repeated TLS connections. Over time this can lead to resource exhaustion and denial of service.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-59464",
"url": "https://www.suse.com/security/cve/CVE-2025-59464"
},
{
"category": "external",
"summary": "SUSE Bug 1256572 for CVE-2025-59464",
"url": "https://bugzilla.suse.com/1256572"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-13T10:59:52Z",
"details": "moderate"
}
],
"title": "CVE-2025-59464"
},
{
"cve": "CVE-2026-21637",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-21637"
}
],
"notes": [
{
"category": "general",
"text": "A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across Node.js versions where these callbacks throw without being safely wrapped.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-21637",
"url": "https://www.suse.com/security/cve/CVE-2026-21637"
},
{
"category": "external",
"summary": "SUSE Bug 1256576 for CVE-2026-21637",
"url": "https://bugzilla.suse.com/1256576"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-13T10:59:52Z",
"details": "moderate"
}
],
"title": "CVE-2026-21637"
},
{
"cve": "CVE-2026-21710",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-21710"
}
],
"notes": [
{
"category": "general",
"text": "A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`.\r\n\r\nWhen this occurs, `dest[\"__proto__\"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by `error` event listeners, meaning it cannot be handled without wrapping every `req.headersDistinct` access in a `try/catch`.\r\n\r\n* This vulnerability affects all Node.js HTTP servers on **20.x, 22.x, 24.x, and v25.x**",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-21710",
"url": "https://www.suse.com/security/cve/CVE-2026-21710"
},
{
"category": "external",
"summary": "SUSE Bug 1260455 for CVE-2026-21710",
"url": "https://bugzilla.suse.com/1260455"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-13T10:59:52Z",
"details": "important"
}
],
"title": "CVE-2026-21710"
},
{
"cve": "CVE-2026-21712",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-21712"
}
],
"notes": [
{
"category": "general",
"text": "A flaw in Node.js URL processing causes an assertion failure in native code when `url.format()` is called with a malformed internationalized domain name (IDN) containing invalid characters, crashing the Node.js process.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-21712",
"url": "https://www.suse.com/security/cve/CVE-2026-21712"
},
{
"category": "external",
"summary": "SUSE Bug 1260460 for CVE-2026-21712",
"url": "https://bugzilla.suse.com/1260460"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-13T10:59:52Z",
"details": "moderate"
}
],
"title": "CVE-2026-21712"
},
{
"cve": "CVE-2026-21713",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-21713"
}
],
"notes": [
{
"category": "general",
"text": "A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possible, this behavior could be exploited as a timing oracle to infer HMAC values.\r\n\r\nNode.js already provides timing-safe comparison primitives used elsewhere in the codebase, indicating this is an oversight rather than an intentional design decision.\r\n\r\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x**.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-21713",
"url": "https://www.suse.com/security/cve/CVE-2026-21713"
},
{
"category": "external",
"summary": "SUSE Bug 1260463 for CVE-2026-21713",
"url": "https://bugzilla.suse.com/1260463"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-13T10:59:52Z",
"details": "moderate"
}
],
"title": "CVE-2026-21713"
},
{
"cve": "CVE-2026-21714",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-21714"
}
],
"notes": [
{
"category": "general",
"text": "A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up.\r\n\r\nThis vulnerability affects HTTP2 users on Node.js 20, 22, 24 and 25.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-21714",
"url": "https://www.suse.com/security/cve/CVE-2026-21714"
},
{
"category": "external",
"summary": "SUSE Bug 1260480 for CVE-2026-21714",
"url": "https://bugzilla.suse.com/1260480"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-13T10:59:52Z",
"details": "moderate"
}
],
"title": "CVE-2026-21714"
},
{
"cve": "CVE-2026-21715",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-21715"
}
],
"notes": [
{
"category": "general",
"text": "A flaw in Node.js Permission Model filesystem enforcement leaves `fs.realpathSync.native()` without the required read permission checks, while all comparable filesystem functions correctly enforce them.\r\n\r\nAs a result, code running under `--permission` with restricted `--allow-fs-read` can still use `fs.realpathSync.native()` to check file existence, resolve symlink targets, and enumerate filesystem paths outside of permitted directories.\r\n\r\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-read` is intentionally restricted.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-21715",
"url": "https://www.suse.com/security/cve/CVE-2026-21715"
},
{
"category": "external",
"summary": "SUSE Bug 1260482 for CVE-2026-21715",
"url": "https://bugzilla.suse.com/1260482"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-13T10:59:52Z",
"details": "low"
}
],
"title": "CVE-2026-21715"
},
{
"cve": "CVE-2026-21716",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-21716"
}
],
"notes": [
{
"category": "general",
"text": "An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and `FileHandle.chown()` in the promises API without the required permission checks, while their callback-based equivalents (`fs.fchmod()`, `fs.fchown()`) were correctly patched.\r\n\r\nAs a result, code running under `--permission` with restricted `--allow-fs-write` can still use promise-based `FileHandle` methods to modify file permissions and ownership on already-open file descriptors, bypassing the intended write restrictions.\r\n\r\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-write` is intentionally restricted.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-21716",
"url": "https://www.suse.com/security/cve/CVE-2026-21716"
},
{
"category": "external",
"summary": "SUSE Bug 1260462 for CVE-2026-21716",
"url": "https://bugzilla.suse.com/1260462"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-13T10:59:52Z",
"details": "moderate"
}
],
"title": "CVE-2026-21716"
},
{
"cve": "CVE-2026-21717",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-21717"
}
],
"notes": [
{
"category": "general",
"text": "A flaw in V8\u0027s string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8\u0027s internal string table, an attacker can significantly degrade performance of the Node.js process.\r\n\r\nThe most common trigger is any endpoint that calls `JSON.parse()` on attacker-controlled input, as JSON parsing automatically internalizes short strings into the affected hash table.\r\n\r\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x**.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-21717",
"url": "https://www.suse.com/security/cve/CVE-2026-21717"
},
{
"category": "external",
"summary": "SUSE Bug 1260494 for CVE-2026-21717",
"url": "https://bugzilla.suse.com/1260494"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server 16.0:npm24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:corepack24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-devel-24.14.1-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:nodejs24-docs-24.14.1-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:npm24-24.14.1-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-13T10:59:52Z",
"details": "moderate"
}
],
"title": "CVE-2026-21717"
}
]
}
WID-SEC-W-2026-0098
Vulnerability from csaf_certbund - Published: 2026-01-13 23:00 - Updated: 2026-05-25 22:00Summary
Node.js: Mehrere Schwachstellen
Severity
Kritisch
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung: Node.js ist eine Plattform zur Entwicklung von Netzwerkanwendungen.
Angriff: Ein Angreifer kann mehrere Schwachstellen in Node.js ausnutzen, um beliebigen Code auszuführen, erweiterte Berechtigungen zu erlangen, Sicherheitsmaßnahmen zu umgehen, Daten zu manipulieren und vertrauliche Informationen offenzulegen.
Betroffene Betriebssysteme: - Sonstiges
- UNIX
- Windows
Affected products
Known affected
11 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source Node.js <24.13.0
Open Source / Node.js
|
<24.13.0 | ||
|
Open Source Node.js <22.22.0
Open Source / Node.js
|
<22.22.0 | ||
|
Open Source Node.js <20.20.0
Open Source / Node.js
|
<20.20.0 | ||
|
Debian Linux
Debian
|
cpe:/o:debian:debian_linux:-
|
— | |
|
SUSE Linux
SUSE
|
cpe:/o:suse:suse_linux:-
|
— | |
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Open Source Node.js <25.3.0
Open Source / Node.js
|
<25.3.0 | ||
|
SUSE openSUSE
SUSE
|
cpe:/o:suse:opensuse:-
|
— | |
|
Oracle Linux
Oracle
|
cpe:/o:oracle:linux:-
|
— | |
|
HCL BigFix WebUI
HCL / BigFix
|
cpe:/a:hcltech:bigfix:webui
|
WebUI | |
|
RESF Rocky Linux
RESF
|
cpe:/o:resf:rocky_linux:-
|
— |
Affected products
Known affected
11 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source Node.js <24.13.0
Open Source / Node.js
|
<24.13.0 | ||
|
Open Source Node.js <22.22.0
Open Source / Node.js
|
<22.22.0 | ||
|
Open Source Node.js <20.20.0
Open Source / Node.js
|
<20.20.0 | ||
|
Debian Linux
Debian
|
cpe:/o:debian:debian_linux:-
|
— | |
|
SUSE Linux
SUSE
|
cpe:/o:suse:suse_linux:-
|
— | |
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Open Source Node.js <25.3.0
Open Source / Node.js
|
<25.3.0 | ||
|
SUSE openSUSE
SUSE
|
cpe:/o:suse:opensuse:-
|
— | |
|
Oracle Linux
Oracle
|
cpe:/o:oracle:linux:-
|
— | |
|
HCL BigFix WebUI
HCL / BigFix
|
cpe:/a:hcltech:bigfix:webui
|
WebUI | |
|
RESF Rocky Linux
RESF
|
cpe:/o:resf:rocky_linux:-
|
— |
Affected products
Known affected
11 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source Node.js <24.13.0
Open Source / Node.js
|
<24.13.0 | ||
|
Open Source Node.js <22.22.0
Open Source / Node.js
|
<22.22.0 | ||
|
Open Source Node.js <20.20.0
Open Source / Node.js
|
<20.20.0 | ||
|
Debian Linux
Debian
|
cpe:/o:debian:debian_linux:-
|
— | |
|
SUSE Linux
SUSE
|
cpe:/o:suse:suse_linux:-
|
— | |
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Open Source Node.js <25.3.0
Open Source / Node.js
|
<25.3.0 | ||
|
SUSE openSUSE
SUSE
|
cpe:/o:suse:opensuse:-
|
— | |
|
Oracle Linux
Oracle
|
cpe:/o:oracle:linux:-
|
— | |
|
HCL BigFix WebUI
HCL / BigFix
|
cpe:/a:hcltech:bigfix:webui
|
WebUI | |
|
RESF Rocky Linux
RESF
|
cpe:/o:resf:rocky_linux:-
|
— |
Affected products
Known affected
11 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source Node.js <24.13.0
Open Source / Node.js
|
<24.13.0 | ||
|
Open Source Node.js <22.22.0
Open Source / Node.js
|
<22.22.0 | ||
|
Open Source Node.js <20.20.0
Open Source / Node.js
|
<20.20.0 | ||
|
Debian Linux
Debian
|
cpe:/o:debian:debian_linux:-
|
— | |
|
SUSE Linux
SUSE
|
cpe:/o:suse:suse_linux:-
|
— | |
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Open Source Node.js <25.3.0
Open Source / Node.js
|
<25.3.0 | ||
|
SUSE openSUSE
SUSE
|
cpe:/o:suse:opensuse:-
|
— | |
|
Oracle Linux
Oracle
|
cpe:/o:oracle:linux:-
|
— | |
|
HCL BigFix WebUI
HCL / BigFix
|
cpe:/a:hcltech:bigfix:webui
|
WebUI | |
|
RESF Rocky Linux
RESF
|
cpe:/o:resf:rocky_linux:-
|
— |
Affected products
Known affected
11 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source Node.js <24.13.0
Open Source / Node.js
|
<24.13.0 | ||
|
Open Source Node.js <22.22.0
Open Source / Node.js
|
<22.22.0 | ||
|
Open Source Node.js <20.20.0
Open Source / Node.js
|
<20.20.0 | ||
|
Debian Linux
Debian
|
cpe:/o:debian:debian_linux:-
|
— | |
|
SUSE Linux
SUSE
|
cpe:/o:suse:suse_linux:-
|
— | |
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Open Source Node.js <25.3.0
Open Source / Node.js
|
<25.3.0 | ||
|
SUSE openSUSE
SUSE
|
cpe:/o:suse:opensuse:-
|
— | |
|
Oracle Linux
Oracle
|
cpe:/o:oracle:linux:-
|
— | |
|
HCL BigFix WebUI
HCL / BigFix
|
cpe:/a:hcltech:bigfix:webui
|
WebUI | |
|
RESF Rocky Linux
RESF
|
cpe:/o:resf:rocky_linux:-
|
— |
Affected products
Known affected
11 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source Node.js <24.13.0
Open Source / Node.js
|
<24.13.0 | ||
|
Open Source Node.js <22.22.0
Open Source / Node.js
|
<22.22.0 | ||
|
Open Source Node.js <20.20.0
Open Source / Node.js
|
<20.20.0 | ||
|
Debian Linux
Debian
|
cpe:/o:debian:debian_linux:-
|
— | |
|
SUSE Linux
SUSE
|
cpe:/o:suse:suse_linux:-
|
— | |
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Open Source Node.js <25.3.0
Open Source / Node.js
|
<25.3.0 | ||
|
SUSE openSUSE
SUSE
|
cpe:/o:suse:opensuse:-
|
— | |
|
Oracle Linux
Oracle
|
cpe:/o:oracle:linux:-
|
— | |
|
HCL BigFix WebUI
HCL / BigFix
|
cpe:/a:hcltech:bigfix:webui
|
WebUI | |
|
RESF Rocky Linux
RESF
|
cpe:/o:resf:rocky_linux:-
|
— |
Affected products
Known affected
11 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source Node.js <24.13.0
Open Source / Node.js
|
<24.13.0 | ||
|
Open Source Node.js <22.22.0
Open Source / Node.js
|
<22.22.0 | ||
|
Open Source Node.js <20.20.0
Open Source / Node.js
|
<20.20.0 | ||
|
Debian Linux
Debian
|
cpe:/o:debian:debian_linux:-
|
— | |
|
SUSE Linux
SUSE
|
cpe:/o:suse:suse_linux:-
|
— | |
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Open Source Node.js <25.3.0
Open Source / Node.js
|
<25.3.0 | ||
|
SUSE openSUSE
SUSE
|
cpe:/o:suse:opensuse:-
|
— | |
|
Oracle Linux
Oracle
|
cpe:/o:oracle:linux:-
|
— | |
|
HCL BigFix WebUI
HCL / BigFix
|
cpe:/a:hcltech:bigfix:webui
|
WebUI | |
|
RESF Rocky Linux
RESF
|
cpe:/o:resf:rocky_linux:-
|
— |
Affected products
Known affected
11 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source Node.js <24.13.0
Open Source / Node.js
|
<24.13.0 | ||
|
Open Source Node.js <22.22.0
Open Source / Node.js
|
<22.22.0 | ||
|
Open Source Node.js <20.20.0
Open Source / Node.js
|
<20.20.0 | ||
|
Debian Linux
Debian
|
cpe:/o:debian:debian_linux:-
|
— | |
|
SUSE Linux
SUSE
|
cpe:/o:suse:suse_linux:-
|
— | |
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Open Source Node.js <25.3.0
Open Source / Node.js
|
<25.3.0 | ||
|
SUSE openSUSE
SUSE
|
cpe:/o:suse:opensuse:-
|
— | |
|
Oracle Linux
Oracle
|
cpe:/o:oracle:linux:-
|
— | |
|
HCL BigFix WebUI
HCL / BigFix
|
cpe:/a:hcltech:bigfix:webui
|
WebUI | |
|
RESF Rocky Linux
RESF
|
cpe:/o:resf:rocky_linux:-
|
— |
References
55 references
{
"document": {
"aggregate_severity": {
"text": "kritisch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Node.js ist eine Plattform zur Entwicklung von Netzwerkanwendungen.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein Angreifer kann mehrere Schwachstellen in Node.js ausnutzen, um beliebigen Code auszuf\u00fchren, erweiterte Berechtigungen zu erlangen, Sicherheitsma\u00dfnahmen zu umgehen, Daten zu manipulieren und vertrauliche Informationen offenzulegen.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Sonstiges\n- UNIX\n- Windows",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2026-0098 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-0098.json"
},
{
"category": "self",
"summary": "WID-SEC-2026-0098 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-0098"
},
{
"category": "external",
"summary": "NodeJS Security Release vom 2026-01-13",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2026:0295-1 vom 2026-01-26",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/QNEEHSNPEIHXCGDJ2EAF4CD5OEXEYCQU/"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2026:0301-1 vom 2026-01-27",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-January/023926.html"
},
{
"category": "external",
"summary": "Exploit CVE-2025-55130 vom 2026-02-01",
"url": "https://github.com/scumfrog/CVE-2025-55130"
},
{
"category": "external",
"summary": "Oracle Linux Security Advisory ELSA-2026-1843 vom 2026-02-05",
"url": "https://linux.oracle.com/errata/ELSA-2026-1843.html"
},
{
"category": "external",
"summary": "Oracle Linux Security Advisory ELSA-2026-1842 vom 2026-02-05",
"url": "https://linux.oracle.com/errata/ELSA-2026-1842.html"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:1843 vom 2026-02-05",
"url": "https://access.redhat.com/errata/RHSA-2026:1843"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:1842 vom 2026-02-05",
"url": "https://access.redhat.com/errata/RHSA-2026:1842"
},
{
"category": "external",
"summary": "Rocky Linux Security Advisory RLSA-2026:1842 vom 2026-02-06",
"url": "https://errata.build.resf.org/RLSA-2026:1842"
},
{
"category": "external",
"summary": "Rocky Linux Security Advisory RLSA-2026:1843 vom 2026-02-06",
"url": "https://errata.build.resf.org/RLSA-2026:1843"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:2422 vom 2026-02-10",
"url": "https://access.redhat.com/errata/RHSA-2026:2422"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:2420 vom 2026-02-10",
"url": "https://access.redhat.com/errata/RHSA-2026:2420"
},
{
"category": "external",
"summary": "Rocky Linux Security Advisory RLSA-2026:2420 vom 2026-02-11",
"url": "https://errata.build.resf.org/RLSA-2026:2420"
},
{
"category": "external",
"summary": "Rocky Linux Security Advisory RLSA-2026:2421 vom 2026-02-11",
"url": "https://errata.build.resf.org/RLSA-2026:2421"
},
{
"category": "external",
"summary": "Rocky Linux Security Advisory RLSA-2026:2422 vom 2026-02-11",
"url": "https://errata.build.resf.org/RLSA-2026:2422"
},
{
"category": "external",
"summary": "Oracle Linux Security Advisory ELSA-2026-2420 vom 2026-02-11",
"url": "https://linux.oracle.com/errata/ELSA-2026-2420.html"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:2421 vom 2026-02-10",
"url": "https://access.redhat.com/errata/RHSA-2026:2421"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2026:0435-1 vom 2026-02-11",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-February/024113.html"
},
{
"category": "external",
"summary": "Oracle Linux Security Advisory ELSA-2026-2422 vom 2026-02-12",
"url": "https://linux.oracle.com/errata/ELSA-2026-2422.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2026:0457-1 vom 2026-02-12",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-February/024134.html"
},
{
"category": "external",
"summary": "Oracle Linux Security Advisory ELSA-2026-2421 vom 2026-02-13",
"url": "https://linux.oracle.com/errata/ELSA-2026-2421.html"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:2768 vom 2026-02-17",
"url": "https://access.redhat.com/errata/RHSA-2026:2768"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:2781 vom 2026-02-17",
"url": "https://access.redhat.com/errata/RHSA-2026:2781"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:2783 vom 2026-02-17",
"url": "https://access.redhat.com/errata/RHSA-2026:2783"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:2864 vom 2026-02-18",
"url": "https://access.redhat.com/errata/RHSA-2026:2864"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:2782 vom 2026-02-17",
"url": "https://access.redhat.com/errata/RHSA-2026:2782"
},
{
"category": "external",
"summary": "openSUSE Security Update OPENSUSE-SU-2026:20236-1 vom 2026-02-17",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/PPFWQGSOVXSXMNNFQNXJO62PEHEBHY2Z/"
},
{
"category": "external",
"summary": "Oracle Linux Security Advisory ELSA-2026-2781 vom 2026-02-17",
"url": "https://linux.oracle.com/errata/ELSA-2026-2781.html"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:2899 vom 2026-02-18",
"url": "https://access.redhat.com/errata/RHSA-2026:2899"
},
{
"category": "external",
"summary": "Rocky Linux Security Advisory RLSA-2026:2782 vom 2026-02-18",
"url": "https://errata.build.resf.org/RLSA-2026:2782"
},
{
"category": "external",
"summary": "Rocky Linux Security Advisory RLSA-2026:2781 vom 2026-02-18",
"url": "https://errata.build.resf.org/RLSA-2026:2781"
},
{
"category": "external",
"summary": "Rocky Linux Security Advisory RLSA-2026:2783 vom 2026-02-18",
"url": "https://errata.build.resf.org/RLSA-2026:2783"
},
{
"category": "external",
"summary": "Oracle Linux Security Advisory ELSA-2026-2782 vom 2026-02-19",
"url": "https://linux.oracle.com/errata/ELSA-2026-2782.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2026:20436-1 vom 2026-02-18",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-February/024339.html"
},
{
"category": "external",
"summary": "Oracle Linux Security Advisory ELSA-2026-2783 vom 2026-02-19",
"url": "https://linux.oracle.com/errata/ELSA-2026-2783.html"
},
{
"category": "external",
"summary": "Debian Security Advisory DSA-6166 vom 2026-03-17",
"url": "https://lists.debian.org/debian-security-announce/2026/msg00075.html"
},
{
"category": "external",
"summary": "Debian Security Advisory DSA-6183 vom 2026-03-29",
"url": "https://lists.debian.org/debian-security-announce/2026/msg00092.html"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:7670 vom 2026-04-13",
"url": "https://access.redhat.com/errata/RHSA-2026:7670"
},
{
"category": "external",
"summary": "Rocky Linux Security Advisory RLSA-2026:7670 vom 2026-04-13",
"url": "https://errata.build.resf.org/RLSA-2026:7670"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2026:1299-1 vom 2026-04-13",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025315.html"
},
{
"category": "external",
"summary": "Oracle Linux Security Advisory ELSA-2026-7675 vom 2026-04-13",
"url": "https://linux.oracle.com/errata/ELSA-2026-7675.html"
},
{
"category": "external",
"summary": "Oracle Linux Security Advisory ELSA-2026-7670 vom 2026-04-14",
"url": "https://linux.oracle.com/errata/ELSA-2026-7670.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2026:1363-1 vom 2026-04-15",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025357.html"
},
{
"category": "external",
"summary": "Rocky Linux Security Advisory RLSA-2026:7675 vom 2026-04-15",
"url": "https://errata.build.resf.org/RLSA-2026:7675"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2026:1371-1 vom 2026-04-15",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025349.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2026:1478-1 vom 2026-04-20",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025465.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2026:1509-1 vom 2026-04-21",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025509.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2026:21181-1 vom 2026-04-21",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025537.html"
},
{
"category": "external",
"summary": "openSUSE Security Update OPENSUSE-SU-2026:20519-1 vom 2026-04-21",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/DEWSWDYUVHXHGYX7GDASLURQNA7TBIAA/"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:7378 vom 2026-05-04",
"url": "https://access.redhat.com/errata/RHSA-2026:7378"
},
{
"category": "external",
"summary": "HCL Security Bulletin",
"url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0130587"
},
{
"category": "external",
"summary": "Debian Security Advisory DSA-6272 vom 2026-05-15",
"url": "https://lists.debian.org/debian-security-announce/2026/msg00183.html"
},
{
"category": "external",
"summary": "Debian Security Advisory DLA-4598 vom 2026-05-24",
"url": "https://lists.debian.org/debian-lts-announce/2026/05/msg00043.html"
}
],
"source_lang": "en-US",
"title": "Node.js: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2026-05-25T22:00:00.000+00:00",
"generator": {
"date": "2026-05-26T11:50:51.166+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.6.0"
}
},
"id": "WID-SEC-W-2026-0098",
"initial_release_date": "2026-01-13T23:00:00.000+00:00",
"revision_history": [
{
"date": "2026-01-13T23:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2026-01-20T23:00:00.000+00:00",
"number": "2",
"summary": "Referenz(en) aufgenommen: EUVD-2026-3331, EUVD-2026-3327, EUVD-2026-3325, EUVD-2026-3323, EUVD-2026-3340, EUVD-2026-3339, EUVD-2026-3338"
},
{
"date": "2026-01-21T23:00:00.000+00:00",
"number": "3",
"summary": "Referenz(en) aufgenommen: EUVD-2026-3334"
},
{
"date": "2026-01-26T23:00:00.000+00:00",
"number": "4",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2026-01-27T23:00:00.000+00:00",
"number": "5",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2026-02-01T23:00:00.000+00:00",
"number": "6",
"summary": "Exploit f\u00fcr CVE-2025-55130 aufgenommen"
},
{
"date": "2026-02-04T23:00:00.000+00:00",
"number": "7",
"summary": "Neue Updates von Oracle Linux aufgenommen"
},
{
"date": "2026-02-05T23:00:00.000+00:00",
"number": "8",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2026-02-09T23:00:00.000+00:00",
"number": "9",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2026-02-10T23:00:00.000+00:00",
"number": "10",
"summary": "Neue Updates von Red Hat, Rocky Enterprise Software Foundation und Oracle Linux aufgenommen"
},
{
"date": "2026-02-11T23:00:00.000+00:00",
"number": "11",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2026-02-12T23:00:00.000+00:00",
"number": "12",
"summary": "Neue Updates von SUSE und Oracle Linux aufgenommen"
},
{
"date": "2026-02-16T23:00:00.000+00:00",
"number": "13",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2026-02-17T23:00:00.000+00:00",
"number": "14",
"summary": "Neue Updates von Red Hat, openSUSE und Oracle Linux aufgenommen"
},
{
"date": "2026-02-18T23:00:00.000+00:00",
"number": "15",
"summary": "Neue Updates von Oracle Linux und SUSE aufgenommen"
},
{
"date": "2026-03-17T23:00:00.000+00:00",
"number": "16",
"summary": "Neue Updates von Debian aufgenommen"
},
{
"date": "2026-03-29T22:00:00.000+00:00",
"number": "17",
"summary": "Neue Updates von Debian aufgenommen"
},
{
"date": "2026-04-12T22:00:00.000+00:00",
"number": "18",
"summary": "Neue Updates von Red Hat und Rocky Enterprise Software Foundation aufgenommen"
},
{
"date": "2026-04-13T22:00:00.000+00:00",
"number": "19",
"summary": "Neue Updates von SUSE und Oracle Linux aufgenommen"
},
{
"date": "2026-04-15T22:00:00.000+00:00",
"number": "20",
"summary": "Neue Updates von SUSE und Rocky Enterprise Software Foundation aufgenommen"
},
{
"date": "2026-04-20T22:00:00.000+00:00",
"number": "21",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2026-04-21T22:00:00.000+00:00",
"number": "22",
"summary": "Neue Updates von SUSE und openSUSE aufgenommen"
},
{
"date": "2026-05-03T22:00:00.000+00:00",
"number": "23",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2026-05-10T22:00:00.000+00:00",
"number": "24",
"summary": "Neue Updates von HCL aufgenommen"
},
{
"date": "2026-05-14T22:00:00.000+00:00",
"number": "25",
"summary": "Neue Updates von Debian aufgenommen"
},
{
"date": "2026-05-25T22:00:00.000+00:00",
"number": "26",
"summary": "Neue Updates von Debian aufgenommen"
}
],
"status": "final",
"version": "26"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Debian Linux",
"product": {
"name": "Debian Linux",
"product_id": "2951",
"product_identification_helper": {
"cpe": "cpe:/o:debian:debian_linux:-"
}
}
}
],
"category": "vendor",
"name": "Debian"
},
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "WebUI",
"product": {
"name": "HCL BigFix WebUI",
"product_id": "T036098",
"product_identification_helper": {
"cpe": "cpe:/a:hcltech:bigfix:webui"
}
}
}
],
"category": "product_name",
"name": "BigFix"
}
],
"category": "vendor",
"name": "HCL"
},
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c20.20.0",
"product": {
"name": "Open Source Node.js \u003c20.20.0",
"product_id": "T049912"
}
},
{
"category": "product_version",
"name": "20.20.0",
"product": {
"name": "Open Source Node.js 20.20.0",
"product_id": "T049912-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:nodejs:nodejs:20.20.0"
}
}
},
{
"category": "product_version_range",
"name": "\u003c22.22.0",
"product": {
"name": "Open Source Node.js \u003c22.22.0",
"product_id": "T049913"
}
},
{
"category": "product_version",
"name": "22.22.0",
"product": {
"name": "Open Source Node.js 22.22.0",
"product_id": "T049913-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:nodejs:nodejs:22.22.0"
}
}
},
{
"category": "product_version_range",
"name": "\u003c24.13.0",
"product": {
"name": "Open Source Node.js \u003c24.13.0",
"product_id": "T049914"
}
},
{
"category": "product_version",
"name": "24.13.0",
"product": {
"name": "Open Source Node.js 24.13.0",
"product_id": "T049914-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:nodejs:nodejs:24.13.0"
}
}
},
{
"category": "product_version_range",
"name": "\u003c25.3.0",
"product": {
"name": "Open Source Node.js \u003c25.3.0",
"product_id": "T049915"
}
},
{
"category": "product_version",
"name": "25.3.0",
"product": {
"name": "Open Source Node.js 25.3.0",
"product_id": "T049915-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:nodejs:nodejs:25.3.0"
}
}
}
],
"category": "product_name",
"name": "Node.js"
}
],
"category": "vendor",
"name": "Open Source"
},
{
"branches": [
{
"category": "product_name",
"name": "Oracle Linux",
"product": {
"name": "Oracle Linux",
"product_id": "T004914",
"product_identification_helper": {
"cpe": "cpe:/o:oracle:linux:-"
}
}
}
],
"category": "vendor",
"name": "Oracle"
},
{
"branches": [
{
"category": "product_name",
"name": "RESF Rocky Linux",
"product": {
"name": "RESF Rocky Linux",
"product_id": "T032255",
"product_identification_helper": {
"cpe": "cpe:/o:resf:rocky_linux:-"
}
}
}
],
"category": "vendor",
"name": "RESF"
},
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux",
"product": {
"name": "Red Hat Enterprise Linux",
"product_id": "67646",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:-"
}
}
}
],
"category": "vendor",
"name": "Red Hat"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux",
"product": {
"name": "SUSE Linux",
"product_id": "T002207",
"product_identification_helper": {
"cpe": "cpe:/o:suse:suse_linux:-"
}
}
},
{
"category": "product_name",
"name": "SUSE openSUSE",
"product": {
"name": "SUSE openSUSE",
"product_id": "T027843",
"product_identification_helper": {
"cpe": "cpe:/o:suse:opensuse:-"
}
}
}
],
"category": "vendor",
"name": "SUSE"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-55130",
"product_status": {
"known_affected": [
"T049914",
"T049913",
"T049912",
"2951",
"T002207",
"67646",
"T049915",
"T027843",
"T004914",
"T036098",
"T032255"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-55130"
},
{
"cve": "CVE-2025-55131",
"product_status": {
"known_affected": [
"T049914",
"T049913",
"T049912",
"2951",
"T002207",
"67646",
"T049915",
"T027843",
"T004914",
"T036098",
"T032255"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-55131"
},
{
"cve": "CVE-2025-55132",
"product_status": {
"known_affected": [
"T049914",
"T049913",
"T049912",
"2951",
"T002207",
"67646",
"T049915",
"T027843",
"T004914",
"T036098",
"T032255"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-55132"
},
{
"cve": "CVE-2025-59464",
"product_status": {
"known_affected": [
"T049914",
"T049913",
"T049912",
"2951",
"T002207",
"67646",
"T049915",
"T027843",
"T004914",
"T036098",
"T032255"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-59464"
},
{
"cve": "CVE-2025-59465",
"product_status": {
"known_affected": [
"T049914",
"T049913",
"T049912",
"2951",
"T002207",
"67646",
"T049915",
"T027843",
"T004914",
"T036098",
"T032255"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-59465"
},
{
"cve": "CVE-2025-59466",
"product_status": {
"known_affected": [
"T049914",
"T049913",
"T049912",
"2951",
"T002207",
"67646",
"T049915",
"T027843",
"T004914",
"T036098",
"T032255"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-59466"
},
{
"cve": "CVE-2026-21636",
"product_status": {
"known_affected": [
"T049914",
"T049913",
"T049912",
"2951",
"T002207",
"67646",
"T049915",
"T027843",
"T004914",
"T036098",
"T032255"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2026-21636"
},
{
"cve": "CVE-2026-21637",
"product_status": {
"known_affected": [
"T049914",
"T049913",
"T049912",
"2951",
"T002207",
"67646",
"T049915",
"T027843",
"T004914",
"T036098",
"T032255"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2026-21637"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…