CVE-2026-22036 (GCVE-0-2026-22036)
Vulnerability from cvelistv5 – Published: 2026-01-14 19:07 – Updated: 2026-01-22 20:17
- CWE-770 - Allocation of Resources Without Limits or Throttling
| URL | Tags |
|---|---|
| https://github.com/nodejs/undici/security/advisor… | x_refsource_CONFIRM |
| https://github.com/nodejs/undici/commit/b04e3cbb5… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-22036",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T19:17:52.809988Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T19:18:24.721Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "undici",
"vendor": "nodejs",
"versions": [
{
"status": "affected",
"version": "\u003c 6.23.0"
},
{
"status": "affected",
"version": "\u003e= 7.0.0, \u003c 7.18.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands compression steps leading to high CPU usage and excessive memory allocation. This vulnerability is fixed in 7.18.0 and 6.23.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-22T20:17:20.208Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nodejs/undici/security/advisories/GHSA-g9mf-h72j-4rw9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-g9mf-h72j-4rw9"
},
{
"name": "https://github.com/nodejs/undici/commit/b04e3cbb569c1596f86c108e9b52c79d8475dcb3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nodejs/undici/commit/b04e3cbb569c1596f86c108e9b52c79d8475dcb3"
}
],
"source": {
"advisory": "GHSA-g9mf-h72j-4rw9",
"discovery": "UNKNOWN"
},
"title": "Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-22036",
"datePublished": "2026-01-14T19:07:13.745Z",
"dateReserved": "2026-01-05T22:30:38.719Z",
"dateUpdated": "2026-01-22T20:17:20.208Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-22036",
"date": "2026-06-16",
"epss": "0.00433",
"percentile": "0.34363"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-22036\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-01-14T19:16:47.833\",\"lastModified\":\"2026-01-22T21:15:50.070\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands compression steps leading to high CPU usage and excessive memory allocation. This vulnerability is fixed in 7.18.0 and 6.23.0.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.2,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-770\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*\",\"versionEndExcluding\":\"6.23.0\",\"matchCriteriaId\":\"5233A98F-D94B-41A6-9D16-4E69159ABF37\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*\",\"versionStartIncluding\":\"7.0.0\",\"versionEndExcluding\":\"7.18.2\",\"matchCriteriaId\":\"EF11F080-1703-43FC-86C0-BF257C4A2540\"}]}]}],\"references\":[{\"url\":\"https://github.com/nodejs/undici/commit/b04e3cbb569c1596f86c108e9b52c79d8475dcb3\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/nodejs/undici/security/advisories/GHSA-g9mf-h72j-4rw9\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-22036\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-01-14T19:17:52.809988Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-01-14T19:18:13.756Z\"}}], \"cna\": {\"title\": \"Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion\", \"source\": {\"advisory\": \"GHSA-g9mf-h72j-4rw9\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.9, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"nodejs\", \"product\": \"undici\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 6.23.0\"}, {\"status\": \"affected\", \"version\": \"\u003e= 7.0.0, \u003c 7.18.2\"}]}], \"references\": [{\"url\": \"https://github.com/nodejs/undici/security/advisories/GHSA-g9mf-h72j-4rw9\", \"name\": \"https://github.com/nodejs/undici/security/advisories/GHSA-g9mf-h72j-4rw9\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/nodejs/undici/commit/b04e3cbb569c1596f86c108e9b52c79d8475dcb3\", \"name\": \"https://github.com/nodejs/undici/commit/b04e3cbb569c1596f86c108e9b52c79d8475dcb3\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands compression steps leading to high CPU usage and excessive memory allocation. This vulnerability is fixed in 7.18.0 and 6.23.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-770\", \"description\": \"CWE-770: Allocation of Resources Without Limits or Throttling\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-01-22T20:17:20.208Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-22036\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-01-22T20:17:20.208Z\", \"dateReserved\": \"2026-01-05T22:30:38.719Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-01-14T19:07:13.745Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
CERTFR-2026-AVI-0500
Vulnerability from certfr_avis - Published: 2026-04-27 - Updated: 2026-04-27
De multiples vulnérabilités ont été découvertes dans VMware Tanzu. Elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Tanzu Greenplum Platform Extension Framework versions ant\u00e9rieures \u00e0 8.0.0",
"product": {
"name": "N/A",
"vendor": {
"name": "VMware",
"scada": false
}
}
},
{
"description": "Tanzu Data Lake versions ant\u00e9rieures \u00e0 4.0.0",
"product": {
"name": "N/A",
"vendor": {
"name": "VMware",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2019-12384",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-12384"
},
{
"name": "CVE-2019-17267",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-17267"
},
{
"name": "CVE-2026-2229",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-2229"
},
{
"name": "CVE-2018-19362",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-19362"
},
{
"name": "CVE-2026-33871",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33871"
},
{
"name": "CVE-2026-22737",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22737"
},
{
"name": "CVE-2026-3449",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-3449"
},
{
"name": "CVE-2023-43642",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-43642"
},
{
"name": "CVE-2021-21409",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21409"
},
{
"name": "CVE-2026-22036",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22036"
},
{
"name": "CVE-2023-1370",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-1370"
},
{
"name": "CVE-2023-33201",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-33201"
},
{
"name": "CVE-2022-46175",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46175"
},
{
"name": "CVE-2026-24098",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-24098"
},
{
"name": "CVE-2018-14719",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14719"
},
{
"name": "CVE-2026-24734",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-24734"
},
{
"name": "CVE-2021-0341",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-0341"
},
{
"name": "CVE-2025-66614",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-66614"
},
{
"name": "CVE-2020-9546",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-9546"
},
{
"name": "CVE-2025-56200",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-56200"
},
{
"name": "CVE-2020-10673",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-10673"
},
{
"name": "CVE-2020-35728",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-35728"
},
{
"name": "CVE-2020-36181",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-36181"
},
{
"name": "CVE-2026-1527",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-1527"
},
{
"name": "CVE-2020-9548",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-9548"
},
{
"name": "CVE-2020-36182",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-36182"
},
{
"name": "CVE-2020-24616",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-24616"
},
{
"name": "CVE-2026-41239",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-41239"
},
{
"name": "CVE-2020-36185",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-36185"
},
{
"name": "CVE-2022-37603",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-37603"
},
{
"name": "CVE-2023-34610",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-34610"
},
{
"name": "CVE-2024-47561",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-47561"
},
{
"name": "CVE-2019-16942",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-16942"
},
{
"name": "CVE-2022-25883",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-25883"
},
{
"name": "CVE-2026-34486",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-34486"
},
{
"name": "CVE-2026-1525",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-1525"
},
{
"name": "CVE-2018-1320",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-1320"
},
{
"name": "CVE-2020-9547",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-9547"
},
{
"name": "CVE-2026-29145",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-29145"
},
{
"name": "CVE-2025-24970",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-24970"
},
{
"name": "CVE-2025-49128",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49128"
},
{
"name": "CVE-2020-36179",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-36179"
},
{
"name": "CVE-2018-14718",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14718"
},
{
"name": "CVE-2020-10650",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-10650"
},
{
"name": "CVE-2025-1647",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-1647"
},
{
"name": "CVE-2020-36186",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-36186"
},
{
"name": "CVE-2026-23745",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23745"
},
{
"name": "CVE-2025-7962",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-7962"
},
{
"name": "CVE-2020-36189",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-36189"
},
{
"name": "CVE-2019-20444",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-20444"
},
{
"name": "CVE-2020-35490",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-35490"
},
{
"name": "CVE-2023-34462",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-34462"
},
{
"name": "CVE-2026-33870",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33870"
},
{
"name": "CVE-2023-34454",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-34454"
},
{
"name": "CVE-2021-20190",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-20190"
},
{
"name": "CVE-2024-29857",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29857"
},
{
"name": "CVE-2020-13949",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-13949"
},
{
"name": "CVE-2023-33202",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-33202"
},
{
"name": "CVE-2024-13009",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-13009"
},
{
"name": "CVE-2023-26115",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-26115"
},
{
"name": "CVE-2025-54550",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-54550"
},
{
"name": "CVE-2025-54920",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-54920"
},
{
"name": "CVE-2024-34447",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-34447"
},
{
"name": "CVE-2019-16335",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-16335"
},
{
"name": "CVE-2023-34453",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-34453"
},
{
"name": "CVE-2025-33042",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-33042"
},
{
"name": "CVE-2024-11831",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-11831"
},
{
"name": "CVE-2018-7489",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-7489"
},
{
"name": "CVE-2025-58057",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-58057"
},
{
"name": "CVE-2026-34500",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-34500"
},
{
"name": "CVE-2025-9624",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-9624"
},
{
"name": "CVE-2026-34043",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-34043"
},
{
"name": "CVE-2024-26308",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26308"
},
{
"name": "CVE-2025-64718",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-64718"
},
{
"name": "CVE-2020-11113",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11113"
},
{
"name": "CVE-2025-62718",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-62718"
},
{
"name": "CVE-2026-4800",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-4800"
},
{
"name": "CVE-2026-33671",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33671"
},
{
"name": "CVE-2026-33532",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33532"
},
{
"name": "CVE-2025-68470",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68470"
},
{
"name": "CVE-2025-67721",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-67721"
},
{
"name": "CVE-2024-23454",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-23454"
},
{
"name": "CVE-2020-10672",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-10672"
},
{
"name": "CVE-2022-3510",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3510"
},
{
"name": "CVE-2022-3509",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3509"
},
{
"name": "CVE-2021-37137",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-37137"
},
{
"name": "CVE-2019-14439",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-14439"
},
{
"name": "CVE-2026-33750",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33750"
},
{
"name": "CVE-2025-66236",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-66236"
},
{
"name": "CVE-2020-10969",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-10969"
},
{
"name": "CVE-2024-48910",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-48910"
},
{
"name": "CVE-2024-8184",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-8184"
},
{
"name": "CVE-2025-11143",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-11143"
},
{
"name": "CVE-2026-34480",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-34480"
},
{
"name": "CVE-2025-52999",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-52999"
},
{
"name": "CVE-2025-7783",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-7783"
},
{
"name": "CVE-2026-33228",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33228"
},
{
"name": "CVE-2025-12758",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-12758"
},
{
"name": "CVE-2024-21538",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21538"
},
{
"name": "CVE-2020-36187",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-36187"
},
{
"name": "CVE-2026-40175",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40175"
},
{
"name": "CVE-2024-57083",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-57083"
},
{
"name": "CVE-2022-38749",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38749"
},
{
"name": "CVE-2024-23953",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-23953"
},
{
"name": "CVE-2026-29074",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-29074"
},
{
"name": "CVE-2025-68161",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68161"
},
{
"name": "CVE-2023-34455",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-34455"
},
{
"name": "CVE-2024-29131",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29131"
},
{
"name": "CVE-2026-41240",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-41240"
},
{
"name": "CVE-2026-26960",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-26960"
},
{
"name": "CVE-2020-11620",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11620"
},
{
"name": "CVE-2024-53382",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-53382"
},
{
"name": "CVE-2018-12022",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-12022"
},
{
"name": "CVE-2024-47554",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-47554"
},
{
"name": "CVE-2022-37601",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-37601"
},
{
"name": "CVE-2018-5968",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-5968"
},
{
"name": "CVE-2025-61795",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-61795"
},
{
"name": "CVE-2026-27903",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27903"
},
{
"name": "CVE-2021-21295",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21295"
},
{
"name": "CVE-2024-45801",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-45801"
},
{
"name": "CVE-2020-24750",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-24750"
},
{
"name": "CVE-2025-27821",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-27821"
},
{
"name": "CVE-2022-41404",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41404"
},
{
"name": "CVE-2023-39410",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-39410"
},
{
"name": "CVE-2024-25710",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-25710"
},
{
"name": "CVE-2024-7254",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-7254"
},
{
"name": "CVE-2026-22732",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22732"
},
{
"name": "CVE-2024-29133",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29133"
},
{
"name": "CVE-2025-55163",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55163"
},
{
"name": "CVE-2026-34487",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-34487"
},
{
"name": "CVE-2025-27555",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-27555"
},
{
"name": "CVE-2025-65995",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-65995"
},
{
"name": "CVE-2022-3517",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3517"
},
{
"name": "CVE-2019-16943",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-16943"
},
{
"name": "CVE-2021-43797",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-43797"
},
{
"name": "CVE-2026-24842",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-24842"
},
{
"name": "CVE-2017-7525",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-7525"
},
{
"name": "CVE-2026-23950",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23950"
},
{
"name": "CVE-2019-20330",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-20330"
},
{
"name": "CVE-2026-2950",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-2950"
},
{
"name": "CVE-2020-14195",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-14195"
},
{
"name": "CVE-2018-10237",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-10237"
},
{
"name": "CVE-2019-12814",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-12814"
},
{
"name": "CVE-2020-35491",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-35491"
},
{
"name": "CVE-2019-17531",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-17531"
},
{
"name": "CVE-2026-32280",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32280"
},
{
"name": "CVE-2023-52428",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52428"
},
{
"name": "CVE-2025-69873",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-69873"
},
{
"name": "CVE-2020-14061",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-14061"
},
{
"name": "CVE-2024-6485",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-6485"
},
{
"name": "CVE-2025-67735",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-67735"
},
{
"name": "CVE-2022-42004",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42004"
},
{
"name": "CVE-2025-68458",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68458"
},
{
"name": "CVE-2021-22569",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22569"
},
{
"name": "CVE-2020-11619",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11619"
},
{
"name": "CVE-2026-29786",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-29786"
},
{
"name": "CVE-2025-26791",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-26791"
},
{
"name": "CVE-2020-36183",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-36183"
},
{
"name": "CVE-2026-25854",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-25854"
},
{
"name": "CVE-2021-22573",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22573"
},
{
"name": "CVE-2020-8840",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8840"
},
{
"name": "CVE-2026-2332",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-2332"
},
{
"name": "CVE-2025-58056",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-58056"
},
{
"name": "CVE-2026-1526",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-1526"
},
{
"name": "CVE-2019-0205",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-0205"
},
{
"name": "CVE-2024-47875",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-47875"
},
{
"name": "CVE-2022-41854",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41854"
},
{
"name": "CVE-2026-33672",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33672"
},
{
"name": "CVE-2020-8908",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8908"
},
{
"name": "CVE-2024-37890",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-37890"
},
{
"name": "CVE-2020-36184",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-36184"
},
{
"name": "CVE-2023-42503",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-42503"
},
{
"name": "CVE-2024-56373",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-56373"
},
{
"name": "CVE-2026-25639",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-25639"
},
{
"name": "CVE-2020-36180",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-36180"
},
{
"name": "CVE-2024-28863",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-28863"
},
{
"name": "CVE-2021-31684",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-31684"
},
{
"name": "CVE-2022-25857",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-25857"
},
{
"name": "CVE-2022-38751",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38751"
},
{
"name": "CVE-2025-25193",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-25193"
},
{
"name": "CVE-2020-36518",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-36518"
},
{
"name": "CVE-2026-22735",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22735"
},
{
"name": "CVE-2025-5889",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-5889"
},
{
"name": "CVE-2024-30171",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-30171"
},
{
"name": "CVE-2026-24733",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-24733"
},
{
"name": "CVE-2022-38900",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38900"
},
{
"name": "CVE-2025-68157",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68157"
},
{
"name": "CVE-2017-15095",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-15095"
},
{
"name": "CVE-2019-14540",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-14540"
},
{
"name": "CVE-2024-36114",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-36114"
},
{
"name": "CVE-2025-27789",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-27789"
},
{
"name": "CVE-2019-12086",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-12086"
},
{
"name": "CVE-2025-48924",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-48924"
},
{
"name": "CVE-2022-38752",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38752"
},
{
"name": "CVE-2025-8916",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-8916"
},
{
"name": "CVE-2025-8885",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-8885"
},
{
"name": "CVE-2025-41249",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-41249"
},
{
"name": "CVE-2022-38750",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38750"
},
{
"name": "CVE-2021-21290",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21290"
},
{
"name": "CVE-2018-11307",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-11307"
},
{
"name": "CVE-2026-26996",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-26996"
},
{
"name": "CVE-2020-10968",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-10968"
},
{
"name": "CVE-2022-42003",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42003"
},
{
"name": "CVE-2020-25649",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-25649"
},
{
"name": "CVE-2025-68675",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68675"
},
{
"name": "CVE-2023-2976",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-2976"
},
{
"name": "CVE-2017-17485",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-17485"
},
{
"name": "CVE-2026-34483",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-34483"
},
{
"name": "CVE-2022-37599",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-37599"
},
{
"name": "CVE-2026-32141",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32141"
},
{
"name": "CVE-2025-59419",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-59419"
},
{
"name": "CVE-2022-1471",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1471"
},
{
"name": "CVE-2019-14379",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-14379"
},
{
"name": "CVE-2023-26136",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-26136"
},
{
"name": "CVE-2026-33816",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33816"
},
{
"name": "CVE-2022-3171",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3171"
},
{
"name": "CVE-2026-25219",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-25219"
},
{
"name": "CVE-2020-11112",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11112"
},
{
"name": "CVE-2020-11111",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11111"
},
{
"name": "CVE-2026-31802",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31802"
},
{
"name": "CVE-2025-13465",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-13465"
},
{
"name": "CVE-2025-22227",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22227"
},
{
"name": "CVE-2026-27904",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27904"
},
{
"name": "CVE-2026-1225",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-1225"
},
{
"name": "CVE-2020-14060",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-14060"
},
{
"name": "CVE-2020-36188",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-36188"
},
{
"name": "CVE-2016-1000027",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-1000027"
},
{
"name": "CVE-2024-57699",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-57699"
},
{
"name": "CVE-2019-14892",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-14892"
},
{
"name": "CVE-2019-20445",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-20445"
},
{
"name": "CVE-2025-48734",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-48734"
},
{
"name": "CVE-2025-11226",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-11226"
},
{
"name": "CVE-2020-14062",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-14062"
}
],
"initial_release_date": "2026-04-27T00:00:00",
"last_revision_date": "2026-04-27T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0500",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-04-27T00:00:00.000000"
}
],
"risks": [
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans VMware Tanzu. Elles permettent \u00e0 un attaquant de provoquer un probl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans VMware Tanzu",
"vendor_advisories": [
{
"published_at": "2026-04-24",
"title": "Bulletin de s\u00e9curit\u00e9 VMware 37405",
"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37405"
},
{
"published_at": "2026-04-24",
"title": "Bulletin de s\u00e9curit\u00e9 VMware 37404",
"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37404"
}
]
}
CERTFR-2026-AVI-0667
Vulnerability from certfr_avis - Published: 2026-05-29 - Updated: 2026-05-29
De multiples vulnérabilités ont été découvertes dans les produits IBM. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une élévation de privilèges et un déni de service à distance.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
| Vendor | Product | Description |
|---|---|---|
| IBM | Cognos Analytics | Cognos Analytics Mobile versions antérieures à 1.1.26 |
| IBM | Sterling Control Center | Sterling Control Center versions 6.3.1.0 sans le correctif iFix09 |
| IBM | Tivoli Monitoring | Tivoli Monitoring sans le dernier correctif de sécurité |
| IBM | QRadar SIEM | QRadar SIEM versions 7.5.0 antérieures à 7.5.0 UP15 IF03 |
| IBM | Sterling Control Center | Sterling Control Center versions 6.4.2.0 sans le correctif iFix04 |
| IBM | QRadar Suite Software | QRadar Suite Software versions antérieures à 1.11.11.0 |
| IBM | N/A | Analyst Workflow versions antérieures à 3.1.0 |
| IBM | Cloud Pak | Cloud Pak for Security versions antérieures à 1.11.11.0 |
| IBM | Sterling Control Center | Sterling Control Center versions 6.4.1.0 sans le correctif iFix03 |
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Cognos Analytics Mobile versions ant\u00e9rieures \u00e0 1.1.26",
"product": {
"name": "Cognos Analytics",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Sterling Control Center versions 6.3.1.0 sans le correctif iFix09",
"product": {
"name": "Sterling Control Center",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Tivoli Monitoring sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Tivoli Monitoring",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "QRadar SIEM versions 7.5.0 ant\u00e9rieures \u00e0 7.5.0 UP15 IF03",
"product": {
"name": "QRadar SIEM",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Sterling Control Center versions 6.4.2.0 sans le correctif iFix04",
"product": {
"name": "Sterling Control Center",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "QRadar Suite Software versions ant\u00e9rieures \u00e0 1.11.11.0",
"product": {
"name": "QRadar Suite Software",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Analyst Workflow versions ant\u00e9rieures \u00e0 3.1.0",
"product": {
"name": "N/A",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Cloud Pak for Security versions ant\u00e9rieures \u00e0 1.11.11.0",
"product": {
"name": "Cloud Pak",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Sterling Control Center versions 6.4.1.0 sans le correctif iFix03",
"product": {
"name": "Sterling Control Center",
"vendor": {
"name": "IBM",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2026-27980",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27980"
},
{
"name": "CVE-2026-35388",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-35388"
},
{
"name": "CVE-2006-10003",
"url": "https://www.cve.org/CVERecord?id=CVE-2006-10003"
},
{
"name": "CVE-2026-27135",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27135"
},
{
"name": "CVE-2026-41324",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-41324"
},
{
"name": "CVE-2026-40466",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40466"
},
{
"name": "CVE-2026-2229",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-2229"
},
{
"name": "CVE-2026-35386",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-35386"
},
{
"name": "CVE-2026-32597",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32597"
},
{
"name": "CVE-2025-12816",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-12816"
},
{
"name": "CVE-2026-22036",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22036"
},
{
"name": "CVE-2026-31402",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31402"
},
{
"name": "CVE-2025-53643",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-53643"
},
{
"name": "CVE-2025-68741",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68741"
},
{
"name": "CVE-2026-33349",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33349"
},
{
"name": "CVE-2026-34982",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-34982"
},
{
"name": "CVE-2026-33940",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33940"
},
{
"name": "CVE-2024-12797",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-12797"
},
{
"name": "CVE-2026-40974",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40974"
},
{
"name": "CVE-2026-1527",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-1527"
},
{
"name": "CVE-2026-32875",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32875"
},
{
"name": "CVE-2026-31988",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31988"
},
{
"name": "CVE-2024-28102",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-28102"
},
{
"name": "CVE-2026-40977",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40977"
},
{
"name": "CVE-2026-22013",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22013"
},
{
"name": "CVE-2026-28421",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-28421"
},
{
"name": "CVE-2026-1525",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-1525"
},
{
"name": "CVE-2026-22018",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22018"
},
{
"name": "CVE-2026-31431",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31431"
},
{
"name": "CVE-2025-6176",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-6176"
},
{
"name": "CVE-2025-11953",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-11953"
},
{
"name": "CVE-2026-23745",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23745"
},
{
"name": "CVE-2025-59471",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-59471"
},
{
"name": "CVE-2026-33941",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33941"
},
{
"name": "CVE-2026-0848",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-0848"
},
{
"name": "CVE-2025-41248",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-41248"
},
{
"name": "CVE-2026-33412",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33412"
},
{
"name": "CVE-2026-5121",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-5121"
},
{
"name": "CVE-2025-15284",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-15284"
},
{
"name": "CVE-2026-34282",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-34282"
},
{
"name": "CVE-2025-59472",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-59472"
},
{
"name": "CVE-2026-2581",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-2581"
},
{
"name": "CVE-2021-23337",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-23337"
},
{
"name": "CVE-2025-64718",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-64718"
},
{
"name": "CVE-2026-23401",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23401"
},
{
"name": "CVE-2025-40252",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40252"
},
{
"name": "CVE-2025-66031",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-66031"
},
{
"name": "CVE-2025-62718",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-62718"
},
{
"name": "CVE-2026-21860",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-21860"
},
{
"name": "CVE-2026-4800",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-4800"
},
{
"name": "CVE-2026-0847",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-0847"
},
{
"name": "CVE-2026-4424",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-4424"
},
{
"name": "CVE-2025-6545",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-6545"
},
{
"name": "CVE-2026-23865",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23865"
},
{
"name": "CVE-2026-28417",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-28417"
},
{
"name": "CVE-2023-5764",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-5764"
},
{
"name": "CVE-2026-5598",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-5598"
},
{
"name": "CVE-2026-30922",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-30922"
},
{
"name": "CVE-2026-23191",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23191"
},
{
"name": "CVE-2026-2359",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-2359"
},
{
"name": "CVE-2026-6918",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-6918"
},
{
"name": "CVE-2026-35535",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-35535"
},
{
"name": "CVE-2025-68724",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68724"
},
{
"name": "CVE-2026-33939",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33939"
},
{
"name": "CVE-2026-27699",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27699"
},
{
"name": "CVE-2025-65945",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-65945"
},
{
"name": "CVE-2026-33228",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33228"
},
{
"name": "CVE-2025-12758",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-12758"
},
{
"name": "CVE-2026-40175",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40175"
},
{
"name": "CVE-2026-41044",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-41044"
},
{
"name": "CVE-2006-10002",
"url": "https://www.cve.org/CVERecord?id=CVE-2006-10002"
},
{
"name": "CVE-2026-5795",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-5795"
},
{
"name": "CVE-2026-40975",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40975"
},
{
"name": "CVE-2026-27942",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27942"
},
{
"name": "CVE-2024-41073",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-41073"
},
{
"name": "CVE-2026-26960",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-26960"
},
{
"name": "CVE-2025-5187",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-5187"
},
{
"name": "CVE-2026-4923",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-4923"
},
{
"name": "CVE-2026-4867",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-4867"
},
{
"name": "CVE-2024-9902",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-9902"
},
{
"name": "CVE-2024-8775",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-8775"
},
{
"name": "CVE-2026-27199",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27199"
},
{
"name": "CVE-2026-27903",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27903"
},
{
"name": "CVE-2025-66471",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-66471"
},
{
"name": "CVE-2026-21441",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-21441"
},
{
"name": "CVE-2025-66030",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-66030"
},
{
"name": "CVE-2024-11079",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-11079"
},
{
"name": "CVE-2026-23897",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23897"
},
{
"name": "CVE-2026-35385",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-35385"
},
{
"name": "CVE-2026-34601",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-34601"
},
{
"name": "CVE-2026-29057",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-29057"
},
{
"name": "CVE-2026-32874",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32874"
},
{
"name": "CVE-2026-4519",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-4519"
},
{
"name": "CVE-2026-34197",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-34197"
},
{
"name": "CVE-2026-25128",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-25128"
},
{
"name": "CVE-2025-13333",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-13333"
},
{
"name": "CVE-2025-12635",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-12635"
},
{
"name": "CVE-2026-24842",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-24842"
},
{
"name": "CVE-2025-66221",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-66221"
},
{
"name": "CVE-2026-23950",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23950"
},
{
"name": "CVE-2026-33036",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33036"
},
{
"name": "CVE-2026-35414",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-35414"
},
{
"name": "CVE-2026-2950",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-2950"
},
{
"name": "CVE-2026-3304",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-3304"
},
{
"name": "CVE-2026-33916",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33916"
},
{
"name": "CVE-2026-22016",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22016"
},
{
"name": "CVE-2026-22021",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22021"
},
{
"name": "CVE-2026-6100",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-6100"
},
{
"name": "CVE-2026-22007",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22007"
},
{
"name": "CVE-2026-34268",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-34268"
},
{
"name": "CVE-2026-29786",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-29786"
},
{
"name": "CVE-2024-29371",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29371"
},
{
"name": "CVE-2026-1519",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-1519"
},
{
"name": "CVE-2026-1528",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-1528"
},
{
"name": "CVE-2023-26132",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-26132"
},
{
"name": "CVE-2026-1526",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-1526"
},
{
"name": "CVE-2026-33937",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33937"
},
{
"name": "CVE-2026-31808",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31808"
},
{
"name": "CVE-2026-27459",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27459"
},
{
"name": "CVE-2026-25639",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-25639"
},
{
"name": "CVE-2026-40973",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40973"
},
{
"name": "CVE-2026-39373",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-39373"
},
{
"name": "CVE-2026-27448",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27448"
},
{
"name": "CVE-2026-8620",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-8620"
},
{
"name": "CVE-2025-69277",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-69277"
},
{
"name": "CVE-2026-8633",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-8633"
},
{
"name": "CVE-2026-26278",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-26278"
},
{
"name": "CVE-2025-22870",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22870"
},
{
"name": "CVE-2026-23490",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23490"
},
{
"name": "CVE-2025-14009",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-14009"
},
{
"name": "CVE-2025-7339",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-7339"
},
{
"name": "CVE-2025-41249",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-41249"
},
{
"name": "CVE-2026-25896",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-25896"
},
{
"name": "CVE-2026-26996",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-26996"
},
{
"name": "CVE-2026-4786",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-4786"
},
{
"name": "CVE-2026-33938",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33938"
},
{
"name": "CVE-2025-64756",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-64756"
},
{
"name": "CVE-2026-32141",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32141"
},
{
"name": "CVE-2026-30951",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-30951"
},
{
"name": "CVE-2026-35387",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-35387"
},
{
"name": "CVE-2026-24001",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-24001"
},
{
"name": "CVE-2025-58754",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-58754"
},
{
"name": "CVE-2026-27837",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27837"
},
{
"name": "CVE-2025-6547",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-6547"
},
{
"name": "CVE-2026-29063",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-29063"
},
{
"name": "CVE-2026-39983",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-39983"
},
{
"name": "CVE-2026-22008",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22008"
},
{
"name": "CVE-2025-14813",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-14813"
},
{
"name": "CVE-2026-31802",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31802"
},
{
"name": "CVE-2025-13465",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-13465"
},
{
"name": "CVE-2025-67221",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-67221"
},
{
"name": "CVE-2026-4926",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-4926"
},
{
"name": "CVE-2026-25547",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-25547"
},
{
"name": "CVE-2026-27904",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27904"
},
{
"name": "CVE-2026-2739",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-2739"
},
{
"name": "CVE-2024-56462",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-56462"
},
{
"name": "CVE-2026-35213",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-35213"
},
{
"name": "CVE-2025-66418",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-66418"
},
{
"name": "CVE-2026-0846",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-0846"
}
],
"initial_release_date": "2026-05-29T00:00:00",
"last_revision_date": "2026-05-29T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0667",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-05-29T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Injection SQL (SQLi)"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "Falsification de requ\u00eates c\u00f4t\u00e9 serveur (SSRF)"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits IBM. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une \u00e9l\u00e9vation de privil\u00e8ges et un d\u00e9ni de service \u00e0 distance.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits IBM",
"vendor_advisories": [
{
"published_at": "2026-05-27",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7274185",
"url": "https://www.ibm.com/support/pages/node/7274185"
},
{
"published_at": "2026-05-27",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7274154",
"url": "https://www.ibm.com/support/pages/node/7274154"
},
{
"published_at": "2026-05-27",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7274180",
"url": "https://www.ibm.com/support/pages/node/7274180"
},
{
"published_at": "2026-05-27",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7274183",
"url": "https://www.ibm.com/support/pages/node/7274183"
},
{
"published_at": "2026-05-25",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7273957",
"url": "https://www.ibm.com/support/pages/node/7273957"
},
{
"published_at": "2026-05-27",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7274184",
"url": "https://www.ibm.com/support/pages/node/7274184"
},
{
"published_at": "2026-05-28",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7274314",
"url": "https://www.ibm.com/support/pages/node/7274314"
},
{
"published_at": "2026-05-27",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7274182",
"url": "https://www.ibm.com/support/pages/node/7274182"
},
{
"published_at": "2026-05-27",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7274181",
"url": "https://www.ibm.com/support/pages/node/7274181"
},
{
"published_at": "2026-05-22",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7273803",
"url": "https://www.ibm.com/support/pages/node/7273803"
},
{
"published_at": "2026-05-22",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7272901",
"url": "https://www.ibm.com/support/pages/node/7272901"
}
]
}
CERTFR-2026-AVI-0698
Vulnerability from certfr_avis - Published: 2026-06-05 - Updated: 2026-06-05
De multiples vulnérabilités ont été découvertes dans les produits IBM. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une élévation de privilèges et un déni de service à distance.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
| Vendor | Product | Description |
|---|---|---|
| IBM | WebSphere | WebSphere Remote Server versions 9.1, 9.0 et 8.5 sans le dernier correctif de sécurité |
| IBM | WebSphere | WebSphere Service Registry and Repository Studio versions 8.5.x antérieures à 8.5.6.3_IJ58210 |
| IBM | Sterling Connect:Direct | Sterling Connect:Direct Web Services versions 6.3.0.x antérieures à 6.3.0.19 |
| IBM | QRadar Log Source Management App | QRadar Log Source Management App versions antérieures à 7.0.15 |
| IBM | WebSphere | WebSphere Application Server versions 8.5.0.0 à 8.5.5.29 sans le correctif de sécurité temporaire PH71453 ou antérieures à 8.5.5.30 (disponibilité prévue pour le troisième trimestre 2026) |
| IBM | Sterling Connect:Direct | Sterling Connect:Direct for Microsoft Windows versions 6.3.0.x antérieures à 6.3.0.6_iFix051 |
| IBM | Sterling Connect:Direct | Sterling Connect:Direct Web Services versions 6.4.0.x antérieures à 6.4.0.8 |
| IBM | WebSphere | WebSphere Application Server versions 9.0.0.0 à 9.0.5.28 sans le correctif de sécurité temporaire PH71453 ou antérieures à 9.0.5.29 (disponibilité prévue pour le troisième trimestre 2026) |
| IBM | QRadar Assistant | QRadar AI Assistant versions antérieures à 2.0.0 |
| IBM | WebSphere Service Registry and Repository | WebSphere Service Registry and Repository versions 8.5 sans le dernier correctif de sécurité |
| IBM | Sterling Connect:Direct | Sterling Connect:Direct for Microsoft Windows versions 6.4.0.x antérieures à 6.4.0.4_iFix022 |
| IBM | Security QRadar EDR | Security QRadar EDR versions 3.12.x antérieures à 3.12.25 |
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "WebSphere Remote Server versions 9.1, 9.0 et 8.5 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "WebSphere",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "WebSphere Service Registry and Repository Studio versions 8.5.x ant\u00e9rieures \u00e0 8.5.6.3_IJ58210",
"product": {
"name": "WebSphere",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Sterling Connect:Direct Web Services versions 6.3.0.x ant\u00e9rieures \u00e0 6.3.0.19",
"product": {
"name": "Sterling Connect:Direct",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "QRadar Log Source Management App versions ant\u00e9rieures \u00e0 7.0.15",
"product": {
"name": "QRadar Log Source Management App",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "WebSphere Application Server versions 8.5.0.0 \u00e0 8.5.5.29 sans le correctif de s\u00e9curit\u00e9 temporaire PH71453 ou ant\u00e9rieures \u00e0 8.5.5.30 (disponibilit\u00e9 pr\u00e9vue pour le troisi\u00e8me trimestre 2026)",
"product": {
"name": "WebSphere",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Sterling Connect:Direct for Microsoft Windows versions 6.3.0.x ant\u00e9rieures \u00e0 6.3.0.6_iFix051",
"product": {
"name": "Sterling Connect:Direct",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Sterling Connect:Direct Web Services versions 6.4.0.x ant\u00e9rieures \u00e0 6.4.0.8",
"product": {
"name": "Sterling Connect:Direct",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "WebSphere Application Server versions 9.0.0.0 \u00e0 9.0.5.28 sans le correctif de s\u00e9curit\u00e9 temporaire PH71453 ou ant\u00e9rieures \u00e0 9.0.5.29 (disponibilit\u00e9 pr\u00e9vue pour le troisi\u00e8me trimestre 2026)",
"product": {
"name": "WebSphere",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "QRadar AI Assistant versions ant\u00e9rieures \u00e0 2.0.0",
"product": {
"name": "QRadar Assistant",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "WebSphere Service Registry and Repository versions 8.5 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "WebSphere Service Registry and Repository",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Sterling Connect:Direct for Microsoft Windows versions 6.4.0.x ant\u00e9rieures \u00e0 6.4.0.4_iFix022",
"product": {
"name": "Sterling Connect:Direct",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Security QRadar EDR versions 3.12.x ant\u00e9rieures \u00e0 3.12.25",
"product": {
"name": "Security QRadar EDR",
"vendor": {
"name": "IBM",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2026-26007",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-26007"
},
{
"name": "CVE-2026-2229",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-2229"
},
{
"name": "CVE-2026-33871",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33871"
},
{
"name": "CVE-2025-12816",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-12816"
},
{
"name": "CVE-2026-42041",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42041"
},
{
"name": "CVE-2026-22036",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22036"
},
{
"name": "CVE-2026-33895",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33895"
},
{
"name": "CVE-2026-39892",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-39892"
},
{
"name": "CVE-2026-32286",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32286"
},
{
"name": "CVE-2026-44432",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-44432"
},
{
"name": "CVE-2026-25793",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-25793"
},
{
"name": "CVE-2026-1527",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-1527"
},
{
"name": "CVE-2025-66035",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-66035"
},
{
"name": "CVE-2026-41239",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-41239"
},
{
"name": "CVE-2024-28102",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-28102"
},
{
"name": "CVE-2026-22013",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22013"
},
{
"name": "CVE-2026-1525",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-1525"
},
{
"name": "CVE-2026-22018",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22018"
},
{
"name": "CVE-2026-41314",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-41314"
},
{
"name": "CVE-2026-33870",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33870"
},
{
"name": "CVE-2026-42036",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42036"
},
{
"name": "CVE-2026-41313",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-41313"
},
{
"name": "CVE-2026-2581",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-2581"
},
{
"name": "CVE-2021-23337",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-23337"
},
{
"name": "CVE-2022-35961",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-35961"
},
{
"name": "CVE-2026-9319",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9319"
},
{
"name": "CVE-2025-66031",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-66031"
},
{
"name": "CVE-2025-62718",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-62718"
},
{
"name": "CVE-2026-25645",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-25645"
},
{
"name": "CVE-2026-4800",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-4800"
},
{
"name": "CVE-2026-0540",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-0540"
},
{
"name": "CVE-2026-33671",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33671"
},
{
"name": "CVE-2026-33894",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33894"
},
{
"name": "CVE-2026-33532",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33532"
},
{
"name": "CVE-2026-42033",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42033"
},
{
"name": "CVE-2026-42035",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42035"
},
{
"name": "CVE-2026-33750",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33750"
},
{
"name": "CVE-2026-34478",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-34478"
},
{
"name": "CVE-2026-2359",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-2359"
},
{
"name": "CVE-2026-42043",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42043"
},
{
"name": "CVE-2025-11143",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-11143"
},
{
"name": "CVE-2026-34480",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-34480"
},
{
"name": "CVE-2026-40175",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40175"
},
{
"name": "CVE-2025-68161",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68161"
},
{
"name": "CVE-2026-41240",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-41240"
},
{
"name": "CVE-2026-34479",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-34479"
},
{
"name": "CVE-2026-8644",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-8644"
},
{
"name": "CVE-2026-42040",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42040"
},
{
"name": "CVE-2026-4923",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-4923"
},
{
"name": "CVE-2026-41312",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-41312"
},
{
"name": "CVE-2026-33891",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33891"
},
{
"name": "CVE-2025-66030",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-66030"
},
{
"name": "CVE-2026-2950",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-2950"
},
{
"name": "CVE-2026-3304",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-3304"
},
{
"name": "CVE-2026-40895",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40895"
},
{
"name": "CVE-2026-42198",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42198"
},
{
"name": "CVE-2026-22016",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22016"
},
{
"name": "CVE-2026-22021",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22021"
},
{
"name": "CVE-2026-22007",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22007"
},
{
"name": "CVE-2026-34268",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-34268"
},
{
"name": "CVE-2026-41481",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-41481"
},
{
"name": "CVE-2026-42038",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42038"
},
{
"name": "CVE-2026-2332",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-2332"
},
{
"name": "CVE-2026-1528",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-1528"
},
{
"name": "CVE-2026-42039",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42039"
},
{
"name": "CVE-2025-15599",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-15599"
},
{
"name": "CVE-2026-1526",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-1526"
},
{
"name": "CVE-2025-47913",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-47913"
},
{
"name": "CVE-2026-33672",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33672"
},
{
"name": "CVE-2026-33151",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33151"
},
{
"name": "CVE-2025-58181",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-58181"
},
{
"name": "CVE-2025-47914",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-47914"
},
{
"name": "CVE-2026-42044",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42044"
},
{
"name": "CVE-2026-39373",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-39373"
},
{
"name": "CVE-2026-41425",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-41425"
},
{
"name": "CVE-2026-8620",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-8620"
},
{
"name": "CVE-2026-8633",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-8633"
},
{
"name": "CVE-2026-42034",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42034"
},
{
"name": "CVE-2026-9330",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9330"
},
{
"name": "CVE-2025-27789",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-27789"
},
{
"name": "CVE-2026-9311",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9311"
},
{
"name": "CVE-2026-44431",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-44431"
},
{
"name": "CVE-2026-41238",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-41238"
},
{
"name": "CVE-2022-24771",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-24771"
},
{
"name": "CVE-2026-30951",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-30951"
},
{
"name": "CVE-2026-42037",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42037"
},
{
"name": "CVE-2026-42042",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42042"
},
{
"name": "CVE-2026-41168",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-41168"
},
{
"name": "CVE-2026-34477",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-34477"
},
{
"name": "CVE-2026-41205",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-41205"
},
{
"name": "CVE-2026-29063",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-29063"
},
{
"name": "CVE-2025-13465",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-13465"
},
{
"name": "CVE-2026-4926",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-4926"
},
{
"name": "CVE-2026-33896",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33896"
},
{
"name": "CVE-2026-24486",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-24486"
}
],
"initial_release_date": "2026-06-05T00:00:00",
"last_revision_date": "2026-06-05T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0698",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-06-05T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Injection de requ\u00eates ill\u00e9gitimes par rebond (CSRF)"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Injection SQL (SQLi)"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "Falsification de requ\u00eates c\u00f4t\u00e9 serveur (SSRF)"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits IBM. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une \u00e9l\u00e9vation de privil\u00e8ges et un d\u00e9ni de service \u00e0 distance.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits IBM",
"vendor_advisories": [
{
"published_at": "2026-06-02",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7274859",
"url": "https://www.ibm.com/support/pages/node/7274859"
},
{
"published_at": "2026-06-02",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7274847",
"url": "https://www.ibm.com/support/pages/node/7274847"
},
{
"published_at": "2026-06-02",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7274843",
"url": "https://www.ibm.com/support/pages/node/7274843"
},
{
"published_at": "2026-06-02",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7274827",
"url": "https://www.ibm.com/support/pages/node/7274827"
},
{
"published_at": "2026-06-02",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7274845",
"url": "https://www.ibm.com/support/pages/node/7274845"
},
{
"published_at": "2026-06-01",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7274733",
"url": "https://www.ibm.com/support/pages/node/7274733"
},
{
"published_at": "2026-06-02",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7274954",
"url": "https://www.ibm.com/support/pages/node/7274954"
},
{
"published_at": "2026-06-03",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7275089",
"url": "https://www.ibm.com/support/pages/node/7275089"
},
{
"published_at": "2026-06-01",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7274746",
"url": "https://www.ibm.com/support/pages/node/7274746"
},
{
"published_at": "2026-06-02",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7274858",
"url": "https://www.ibm.com/support/pages/node/7274858"
},
{
"published_at": "2026-06-01",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7274738",
"url": "https://www.ibm.com/support/pages/node/7274738"
},
{
"published_at": "2026-06-01",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7274740",
"url": "https://www.ibm.com/support/pages/node/7274740"
},
{
"published_at": "2026-06-02",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7274860",
"url": "https://www.ibm.com/support/pages/node/7274860"
},
{
"published_at": "2026-06-01",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7274750",
"url": "https://www.ibm.com/support/pages/node/7274750"
},
{
"published_at": "2026-06-02",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7274846",
"url": "https://www.ibm.com/support/pages/node/7274846"
},
{
"published_at": "2026-06-03",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7275012",
"url": "https://www.ibm.com/support/pages/node/7275012"
},
{
"published_at": "2026-05-29",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7274512",
"url": "https://www.ibm.com/support/pages/node/7274512"
},
{
"published_at": "2026-06-02",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7273815",
"url": "https://www.ibm.com/support/pages/node/7273815"
}
]
}
FKIE_CVE-2026-22036
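Vulnerability from fkie_nvd - Published: 2026-01-14 19:16 - Updated: 2026-01-22 21:15
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD primary score; the record below also carries the GitHub CNA score of 5.9 Medium, which differs only in attack complexity, AC:H)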
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "5233A98F-D94B-41A6-9D16-4E69159ABF37",
"versionEndExcluding": "6.23.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "EF11F080-1703-43FC-86C0-BF257C4A2540",
"versionEndExcluding": "7.18.2",
"versionStartIncluding": "7.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands compression steps leading to high CPU usage and excessive memory allocation. This vulnerability is fixed in 7.18.0 and 6.23.0."
},
{
"lang": "es",
"value": "Undici es un cliente HTTP/1.1 para Node.js. Antes de 7.18.0 y 6.23.0, el n\u00famero de enlaces en la cadena de descompresi\u00f3n es ilimitado y el maxHeaderSize predeterminado permite a un servidor malicioso insertar miles de pasos de compresi\u00f3n, lo que lleva a un alto uso de CPU y una asignaci\u00f3n excesiva de memoria. Esta vulnerabilidad est\u00e1 corregida en 7.18.0 y 6.23.0."
}
],
"id": "CVE-2026-22036",
"lastModified": "2026-01-22T21:15:50.070",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2026-01-14T19:16:47.833",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/nodejs/undici/commit/b04e3cbb569c1596f86c108e9b52c79d8475dcb3"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-g9mf-h72j-4rw9"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-770"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
GHSA-G9MF-H72J-4RW9
Vulnerability from github – Published: 2026-01-14 21:06 – Updated: 2026-01-22 20:17
Impact
The fetch() API supports chained HTTP encoding algorithms for response content according to RFC 9110 (e.g., Content-Encoding: gzip, br). This is also supported by the undici decompress interceptor.
However, the number of links in the decompression chain is unbounded, and the default maxHeaderSize allows a malicious server to insert thousands of compression steps, leading to high CPU usage and excessive memory allocation.
Patches
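Upgrade to 7.18.2 or 6.23.0. The CVE description text names 7.18.0 as the fixed 7.x release, but the affected-version ranges in the CVE, NVD and GitHub records on this page all end at 7.18.2, so treat 7.18.2 as the minimum fixed version on the 7.x line.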
Workarounds
It is possible to apply an undici interceptor and filter long Content-Encoding sequences manually.
References
- https://hackerone.com/reports/3456148
- https://github.com/advisories/GHSA-gm62-xv2j-4w53
- https://curl.se/docs/CVE-2022-32206.html
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "undici"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.18.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "undici"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.23.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-22036"
],
"database_specific": {
"cwe_ids": [
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-14T21:06:08Z",
"nvd_published_at": "2026-01-14T19:16:47Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nThe `fetch()` API supports chained HTTP encoding algorithms for response content according to RFC 9110 (e.g., Content-Encoding: gzip, br). This is also supported by the undici decompress interceptor.\n\nHowever, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands compression steps leading to high CPU usage and excessive memory allocation.\n\n### Patches\n\nUpgrade to 7.18.2 or 6.23.0.\n\n### Workarounds\n\nIt is possible to apply an undici interceptor and filter long `Content-Encoding` sequences manually.\n\n### References\n\n* https://hackerone.com/reports/3456148\n* https://github.com/advisories/GHSA-gm62-xv2j-4w53\n* https://curl.se/docs/CVE-2022-32206.html",
"id": "GHSA-g9mf-h72j-4rw9",
"modified": "2026-01-22T20:17:07Z",
"published": "2026-01-14T21:06:08Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-g9mf-h72j-4rw9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22036"
},
{
"type": "WEB",
"url": "https://github.com/nodejs/undici/commit/b04e3cbb569c1596f86c108e9b52c79d8475dcb3"
},
{
"type": "PACKAGE",
"url": "https://github.com/nodejs/undici"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion"
}
OPENSUSE-SU-2026:10074-1
Vulnerability from csaf_opensuse - Published: 2026-01-21 00:00 - Updated: 2026-01-21 00:00

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:corepack22-22.22.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack22-22.22.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack22-22.22.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack22-22.22.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-22.22.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-22.22.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-22.22.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-22.22.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm22-22.22.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm22-22.22.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm22-22.22.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm22-22.22.0-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:corepack22-22.22.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack22-22.22.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack22-22.22.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack22-22.22.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-22.22.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-22.22.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-22.22.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-22.22.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm22-22.22.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm22-22.22.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm22-22.22.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm22-22.22.0-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:corepack22-22.22.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack22-22.22.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack22-22.22.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack22-22.22.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-22.22.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-22.22.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-22.22.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-22.22.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm22-22.22.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm22-22.22.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm22-22.22.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm22-22.22.0-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:corepack22-22.22.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack22-22.22.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack22-22.22.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack22-22.22.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-22.22.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-22.22.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-22.22.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-22.22.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm22-22.22.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm22-22.22.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm22-22.22.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm22-22.22.0-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:corepack22-22.22.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack22-22.22.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack22-22.22.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack22-22.22.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-22.22.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-22.22.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-22.22.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-22.22.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm22-22.22.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm22-22.22.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm22-22.22.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm22-22.22.0-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:corepack22-22.22.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack22-22.22.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack22-22.22.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack22-22.22.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-22.22.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-22.22.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-22.22.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-22.22.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm22-22.22.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm22-22.22.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm22-22.22.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm22-22.22.0-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:corepack22-22.22.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack22-22.22.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack22-22.22.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack22-22.22.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-22.22.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-22.22.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-22.22.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-22.22.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm22-22.22.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm22-22.22.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm22-22.22.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm22-22.22.0-1.1.x86_64 | — |
Vendor Fix
|
| URL | Category |
|---|---|
| https://www.suse.com/support/security/rating/ | external |
| https://ftp.suse.com/pub/projects/security/csaf/o… | self |
| https://www.suse.com/security/cve/CVE-2025-55130/ | self |
| https://www.suse.com/security/cve/CVE-2025-55131/ | self |
| https://www.suse.com/security/cve/CVE-2025-55132/ | self |
| https://www.suse.com/security/cve/CVE-2025-59465/ | self |
| https://www.suse.com/security/cve/CVE-2025-59466/ | self |
| https://www.suse.com/security/cve/CVE-2026-21637/ | self |
| https://www.suse.com/security/cve/CVE-2026-22036/ | self |
| https://www.suse.com/security/cve/CVE-2025-55130 | external |
| https://bugzilla.suse.com/1256569 | external |
| https://www.suse.com/security/cve/CVE-2025-55131 | external |
| https://bugzilla.suse.com/1256570 | external |
| https://www.suse.com/security/cve/CVE-2025-55132 | external |
| https://bugzilla.suse.com/1256571 | external |
| https://www.suse.com/security/cve/CVE-2025-59465 | external |
| https://bugzilla.suse.com/1256573 | external |
| https://www.suse.com/security/cve/CVE-2025-59466 | external |
| https://bugzilla.suse.com/1256574 | external |
| https://www.suse.com/security/cve/CVE-2026-21637 | external |
| https://bugzilla.suse.com/1256576 | external |
| https://www.suse.com/security/cve/CVE-2026-22036 | external |
| https://bugzilla.suse.com/1256843 | external |
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "corepack22-22.22.0-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the corepack22-22.22.0-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2026-10074",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_10074-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-55130 page",
"url": "https://www.suse.com/security/cve/CVE-2025-55130/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-55131 page",
"url": "https://www.suse.com/security/cve/CVE-2025-55131/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-55132 page",
"url": "https://www.suse.com/security/cve/CVE-2025-55132/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-59465 page",
"url": "https://www.suse.com/security/cve/CVE-2025-59465/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-59466 page",
"url": "https://www.suse.com/security/cve/CVE-2025-59466/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-21637 page",
"url": "https://www.suse.com/security/cve/CVE-2026-21637/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-22036 page",
"url": "https://www.suse.com/security/cve/CVE-2026-22036/"
}
],
"title": "corepack22-22.22.0-1.1 on GA media",
"tracking": {
"current_release_date": "2026-01-21T00:00:00Z",
"generator": {
"date": "2026-01-21T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:10074-1",
"initial_release_date": "2026-01-21T00:00:00Z",
"revision_history": [
{
"date": "2026-01-21T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "corepack22-22.22.0-1.1.aarch64",
"product": {
"name": "corepack22-22.22.0-1.1.aarch64",
"product_id": "corepack22-22.22.0-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "nodejs22-22.22.0-1.1.aarch64",
"product": {
"name": "nodejs22-22.22.0-1.1.aarch64",
"product_id": "nodejs22-22.22.0-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "nodejs22-devel-22.22.0-1.1.aarch64",
"product": {
"name": "nodejs22-devel-22.22.0-1.1.aarch64",
"product_id": "nodejs22-devel-22.22.0-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "nodejs22-docs-22.22.0-1.1.aarch64",
"product": {
"name": "nodejs22-docs-22.22.0-1.1.aarch64",
"product_id": "nodejs22-docs-22.22.0-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "npm22-22.22.0-1.1.aarch64",
"product": {
"name": "npm22-22.22.0-1.1.aarch64",
"product_id": "npm22-22.22.0-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "corepack22-22.22.0-1.1.ppc64le",
"product": {
"name": "corepack22-22.22.0-1.1.ppc64le",
"product_id": "corepack22-22.22.0-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "nodejs22-22.22.0-1.1.ppc64le",
"product": {
"name": "nodejs22-22.22.0-1.1.ppc64le",
"product_id": "nodejs22-22.22.0-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "nodejs22-devel-22.22.0-1.1.ppc64le",
"product": {
"name": "nodejs22-devel-22.22.0-1.1.ppc64le",
"product_id": "nodejs22-devel-22.22.0-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "nodejs22-docs-22.22.0-1.1.ppc64le",
"product": {
"name": "nodejs22-docs-22.22.0-1.1.ppc64le",
"product_id": "nodejs22-docs-22.22.0-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "npm22-22.22.0-1.1.ppc64le",
"product": {
"name": "npm22-22.22.0-1.1.ppc64le",
"product_id": "npm22-22.22.0-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "corepack22-22.22.0-1.1.s390x",
"product": {
"name": "corepack22-22.22.0-1.1.s390x",
"product_id": "corepack22-22.22.0-1.1.s390x"
}
},
{
"category": "product_version",
"name": "nodejs22-22.22.0-1.1.s390x",
"product": {
"name": "nodejs22-22.22.0-1.1.s390x",
"product_id": "nodejs22-22.22.0-1.1.s390x"
}
},
{
"category": "product_version",
"name": "nodejs22-devel-22.22.0-1.1.s390x",
"product": {
"name": "nodejs22-devel-22.22.0-1.1.s390x",
"product_id": "nodejs22-devel-22.22.0-1.1.s390x"
}
},
{
"category": "product_version",
"name": "nodejs22-docs-22.22.0-1.1.s390x",
"product": {
"name": "nodejs22-docs-22.22.0-1.1.s390x",
"product_id": "nodejs22-docs-22.22.0-1.1.s390x"
}
},
{
"category": "product_version",
"name": "npm22-22.22.0-1.1.s390x",
"product": {
"name": "npm22-22.22.0-1.1.s390x",
"product_id": "npm22-22.22.0-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "corepack22-22.22.0-1.1.x86_64",
"product": {
"name": "corepack22-22.22.0-1.1.x86_64",
"product_id": "corepack22-22.22.0-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "nodejs22-22.22.0-1.1.x86_64",
"product": {
"name": "nodejs22-22.22.0-1.1.x86_64",
"product_id": "nodejs22-22.22.0-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "nodejs22-devel-22.22.0-1.1.x86_64",
"product": {
"name": "nodejs22-devel-22.22.0-1.1.x86_64",
"product_id": "nodejs22-devel-22.22.0-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "nodejs22-docs-22.22.0-1.1.x86_64",
"product": {
"name": "nodejs22-docs-22.22.0-1.1.x86_64",
"product_id": "nodejs22-docs-22.22.0-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "npm22-22.22.0-1.1.x86_64",
"product": {
"name": "npm22-22.22.0-1.1.x86_64",
"product_id": "npm22-22.22.0-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "corepack22-22.22.0-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:corepack22-22.22.0-1.1.aarch64"
},
"product_reference": "corepack22-22.22.0-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "corepack22-22.22.0-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:corepack22-22.22.0-1.1.ppc64le"
},
"product_reference": "corepack22-22.22.0-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "corepack22-22.22.0-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:corepack22-22.22.0-1.1.s390x"
},
"product_reference": "corepack22-22.22.0-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "corepack22-22.22.0-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:corepack22-22.22.0-1.1.x86_64"
},
"product_reference": "corepack22-22.22.0-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs22-22.22.0-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nodejs22-22.22.0-1.1.aarch64"
},
"product_reference": "nodejs22-22.22.0-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs22-22.22.0-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nodejs22-22.22.0-1.1.ppc64le"
},
"product_reference": "nodejs22-22.22.0-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs22-22.22.0-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nodejs22-22.22.0-1.1.s390x"
},
"product_reference": "nodejs22-22.22.0-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs22-22.22.0-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nodejs22-22.22.0-1.1.x86_64"
},
"product_reference": "nodejs22-22.22.0-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs22-devel-22.22.0-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.aarch64"
},
"product_reference": "nodejs22-devel-22.22.0-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs22-devel-22.22.0-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.ppc64le"
},
"product_reference": "nodejs22-devel-22.22.0-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs22-devel-22.22.0-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.s390x"
},
"product_reference": "nodejs22-devel-22.22.0-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs22-devel-22.22.0-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.x86_64"
},
"product_reference": "nodejs22-devel-22.22.0-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs22-docs-22.22.0-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.aarch64"
},
"product_reference": "nodejs22-docs-22.22.0-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs22-docs-22.22.0-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.ppc64le"
},
"product_reference": "nodejs22-docs-22.22.0-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs22-docs-22.22.0-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.s390x"
},
"product_reference": "nodejs22-docs-22.22.0-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs22-docs-22.22.0-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.x86_64"
},
"product_reference": "nodejs22-docs-22.22.0-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm22-22.22.0-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:npm22-22.22.0-1.1.aarch64"
},
"product_reference": "npm22-22.22.0-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm22-22.22.0-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:npm22-22.22.0-1.1.ppc64le"
},
"product_reference": "npm22-22.22.0-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm22-22.22.0-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:npm22-22.22.0-1.1.s390x"
},
"product_reference": "npm22-22.22.0-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm22-22.22.0-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:npm22-22.22.0-1.1.x86_64"
},
"product_reference": "npm22-22.22.0-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-55130",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-55130"
}
],
"notes": [
{
"category": "general",
"text": "A flaw in Node.js\u0027s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write, leading to potential system compromise.\nThis vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-55130",
"url": "https://www.suse.com/security/cve/CVE-2025-55130"
},
{
"category": "external",
"summary": "SUSE Bug 1256569 for CVE-2025-55130",
"url": "https://bugzilla.suse.com/1256569"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-21T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2025-55130"
},
{
"cve": "CVE-2025-55131",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-55131"
}
],
"notes": [
{
"category": "general",
"text": "A flaw in Node.js\u0027s buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption. While exploitation typically requires precise timing or in-process code execution, it can become remotely exploitable when untrusted input influences workload and timeouts, leading to potential confidentiality and integrity impact.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-55131",
"url": "https://www.suse.com/security/cve/CVE-2025-55131"
},
{
"category": "external",
"summary": "SUSE Bug 1256570 for CVE-2025-55131",
"url": "https://bugzilla.suse.com/1256570"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-21T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2025-55131"
},
{
"cve": "CVE-2025-55132",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-55132"
}
],
"notes": [
{
"category": "general",
"text": "A flaw in Node.js\u0027s permission model allows a file\u0027s access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-55132",
"url": "https://www.suse.com/security/cve/CVE-2025-55132"
},
{
"category": "external",
"summary": "SUSE Bug 1256571 for CVE-2025-55132",
"url": "https://bugzilla.suse.com/1256571"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-21T00:00:00Z",
"details": "low"
}
],
"title": "CVE-2025-55132"
},
{
"cve": "CVE-2025-59465",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-59465"
}
],
"notes": [
{
"category": "general",
"text": "A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets, for example:\n```\nserver.on(\u0027secureConnection\u0027, socket =\u003e {\n socket.on(\u0027error\u0027, err =\u003e {\n console.log(err)\n })\n})\n```",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-59465",
"url": "https://www.suse.com/security/cve/CVE-2025-59465"
},
{
"category": "external",
"summary": "SUSE Bug 1256573 for CVE-2025-59465",
"url": "https://bugzilla.suse.com/1256573"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-21T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2025-59465"
},
{
"cve": "CVE-2025-59466",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-59466"
}
],
"notes": [
{
"category": "general",
"text": "We have identified a bug in Node.js error handling where \"Maximum call stack size exceeded\" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on(\u0027uncaughtException\u0027)`, the process terminates, making the crash unrecoverable. Applications that rely on `AsyncLocalStorage` (v22, v20) or `async_hooks.createHook()` (v24, v22, v20) become vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-59466",
"url": "https://www.suse.com/security/cve/CVE-2025-59466"
},
{
"category": "external",
"summary": "SUSE Bug 1256574 for CVE-2025-59466",
"url": "https://bugzilla.suse.com/1256574"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-21T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2025-59466"
},
{
"cve": "CVE-2026-21637",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-21637"
}
],
"notes": [
{
"category": "general",
"text": "A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across Node.js versions where these callbacks throw without being safely wrapped.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-21637",
"url": "https://www.suse.com/security/cve/CVE-2026-21637"
},
{
"category": "external",
"summary": "SUSE Bug 1256576 for CVE-2026-21637",
"url": "https://bugzilla.suse.com/1256576"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-21T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-21637"
},
{
"cve": "CVE-2026-22036",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-22036"
}
],
"notes": [
{
"category": "general",
"text": "Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands of compression steps, leading to high CPU usage and excessive memory allocation. This vulnerability is fixed in 7.18.0 and 6.23.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-22036",
"url": "https://www.suse.com/security/cve/CVE-2026-22036"
},
{
"category": "external",
"summary": "SUSE Bug 1256843 for CVE-2026-22036",
"url": "https://bugzilla.suse.com/1256843"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:corepack22-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs22-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs22-devel-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:nodejs22-docs-22.22.0-1.1.x86_64",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.aarch64",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.s390x",
"openSUSE Tumbleweed:npm22-22.22.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-21T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-22036"
}
]
}
OPENSUSE-SU-2026:10075-1
Vulnerability from csaf_opensuse - Published: 2026-01-21 00:00 - Updated: 2026-01-21 00:00

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.13.0-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.13.0-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.13.0-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:corepack24-24.13.0-2.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.13.0-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.13.0-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.13.0-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-24.13.0-2.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.13.0-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.13.0-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.13.0-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-devel-24.13.0-2.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.13.0-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.13.0-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.13.0-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:nodejs24-docs-24.13.0-2.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.13.0-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.13.0-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.13.0-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:npm24-24.13.0-2.1.x86_64 | — |
Vendor Fix
|
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "corepack24-24.13.0-2.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the corepack24-24.13.0-2.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2026-10075",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_10075-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-22036 page",
"url": "https://www.suse.com/security/cve/CVE-2026-22036/"
}
],
"title": "corepack24-24.13.0-2.1 on GA media",
"tracking": {
"current_release_date": "2026-01-21T00:00:00Z",
"generator": {
"date": "2026-01-21T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:10075-1",
"initial_release_date": "2026-01-21T00:00:00Z",
"revision_history": [
{
"date": "2026-01-21T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "corepack24-24.13.0-2.1.aarch64",
"product": {
"name": "corepack24-24.13.0-2.1.aarch64",
"product_id": "corepack24-24.13.0-2.1.aarch64"
}
},
{
"category": "product_version",
"name": "nodejs24-24.13.0-2.1.aarch64",
"product": {
"name": "nodejs24-24.13.0-2.1.aarch64",
"product_id": "nodejs24-24.13.0-2.1.aarch64"
}
},
{
"category": "product_version",
"name": "nodejs24-devel-24.13.0-2.1.aarch64",
"product": {
"name": "nodejs24-devel-24.13.0-2.1.aarch64",
"product_id": "nodejs24-devel-24.13.0-2.1.aarch64"
}
},
{
"category": "product_version",
"name": "nodejs24-docs-24.13.0-2.1.aarch64",
"product": {
"name": "nodejs24-docs-24.13.0-2.1.aarch64",
"product_id": "nodejs24-docs-24.13.0-2.1.aarch64"
}
},
{
"category": "product_version",
"name": "npm24-24.13.0-2.1.aarch64",
"product": {
"name": "npm24-24.13.0-2.1.aarch64",
"product_id": "npm24-24.13.0-2.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "corepack24-24.13.0-2.1.ppc64le",
"product": {
"name": "corepack24-24.13.0-2.1.ppc64le",
"product_id": "corepack24-24.13.0-2.1.ppc64le"
}
},
{
"category": "product_version",
"name": "nodejs24-24.13.0-2.1.ppc64le",
"product": {
"name": "nodejs24-24.13.0-2.1.ppc64le",
"product_id": "nodejs24-24.13.0-2.1.ppc64le"
}
},
{
"category": "product_version",
"name": "nodejs24-devel-24.13.0-2.1.ppc64le",
"product": {
"name": "nodejs24-devel-24.13.0-2.1.ppc64le",
"product_id": "nodejs24-devel-24.13.0-2.1.ppc64le"
}
},
{
"category": "product_version",
"name": "nodejs24-docs-24.13.0-2.1.ppc64le",
"product": {
"name": "nodejs24-docs-24.13.0-2.1.ppc64le",
"product_id": "nodejs24-docs-24.13.0-2.1.ppc64le"
}
},
{
"category": "product_version",
"name": "npm24-24.13.0-2.1.ppc64le",
"product": {
"name": "npm24-24.13.0-2.1.ppc64le",
"product_id": "npm24-24.13.0-2.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "corepack24-24.13.0-2.1.s390x",
"product": {
"name": "corepack24-24.13.0-2.1.s390x",
"product_id": "corepack24-24.13.0-2.1.s390x"
}
},
{
"category": "product_version",
"name": "nodejs24-24.13.0-2.1.s390x",
"product": {
"name": "nodejs24-24.13.0-2.1.s390x",
"product_id": "nodejs24-24.13.0-2.1.s390x"
}
},
{
"category": "product_version",
"name": "nodejs24-devel-24.13.0-2.1.s390x",
"product": {
"name": "nodejs24-devel-24.13.0-2.1.s390x",
"product_id": "nodejs24-devel-24.13.0-2.1.s390x"
}
},
{
"category": "product_version",
"name": "nodejs24-docs-24.13.0-2.1.s390x",
"product": {
"name": "nodejs24-docs-24.13.0-2.1.s390x",
"product_id": "nodejs24-docs-24.13.0-2.1.s390x"
}
},
{
"category": "product_version",
"name": "npm24-24.13.0-2.1.s390x",
"product": {
"name": "npm24-24.13.0-2.1.s390x",
"product_id": "npm24-24.13.0-2.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "corepack24-24.13.0-2.1.x86_64",
"product": {
"name": "corepack24-24.13.0-2.1.x86_64",
"product_id": "corepack24-24.13.0-2.1.x86_64"
}
},
{
"category": "product_version",
"name": "nodejs24-24.13.0-2.1.x86_64",
"product": {
"name": "nodejs24-24.13.0-2.1.x86_64",
"product_id": "nodejs24-24.13.0-2.1.x86_64"
}
},
{
"category": "product_version",
"name": "nodejs24-devel-24.13.0-2.1.x86_64",
"product": {
"name": "nodejs24-devel-24.13.0-2.1.x86_64",
"product_id": "nodejs24-devel-24.13.0-2.1.x86_64"
}
},
{
"category": "product_version",
"name": "nodejs24-docs-24.13.0-2.1.x86_64",
"product": {
"name": "nodejs24-docs-24.13.0-2.1.x86_64",
"product_id": "nodejs24-docs-24.13.0-2.1.x86_64"
}
},
{
"category": "product_version",
"name": "npm24-24.13.0-2.1.x86_64",
"product": {
"name": "npm24-24.13.0-2.1.x86_64",
"product_id": "npm24-24.13.0-2.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "corepack24-24.13.0-2.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:corepack24-24.13.0-2.1.aarch64"
},
"product_reference": "corepack24-24.13.0-2.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "corepack24-24.13.0-2.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:corepack24-24.13.0-2.1.ppc64le"
},
"product_reference": "corepack24-24.13.0-2.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "corepack24-24.13.0-2.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:corepack24-24.13.0-2.1.s390x"
},
"product_reference": "corepack24-24.13.0-2.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "corepack24-24.13.0-2.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:corepack24-24.13.0-2.1.x86_64"
},
"product_reference": "corepack24-24.13.0-2.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-24.13.0-2.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nodejs24-24.13.0-2.1.aarch64"
},
"product_reference": "nodejs24-24.13.0-2.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-24.13.0-2.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nodejs24-24.13.0-2.1.ppc64le"
},
"product_reference": "nodejs24-24.13.0-2.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-24.13.0-2.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nodejs24-24.13.0-2.1.s390x"
},
"product_reference": "nodejs24-24.13.0-2.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-24.13.0-2.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nodejs24-24.13.0-2.1.x86_64"
},
"product_reference": "nodejs24-24.13.0-2.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-devel-24.13.0-2.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nodejs24-devel-24.13.0-2.1.aarch64"
},
"product_reference": "nodejs24-devel-24.13.0-2.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-devel-24.13.0-2.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nodejs24-devel-24.13.0-2.1.ppc64le"
},
"product_reference": "nodejs24-devel-24.13.0-2.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-devel-24.13.0-2.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nodejs24-devel-24.13.0-2.1.s390x"
},
"product_reference": "nodejs24-devel-24.13.0-2.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-devel-24.13.0-2.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nodejs24-devel-24.13.0-2.1.x86_64"
},
"product_reference": "nodejs24-devel-24.13.0-2.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-docs-24.13.0-2.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nodejs24-docs-24.13.0-2.1.aarch64"
},
"product_reference": "nodejs24-docs-24.13.0-2.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-docs-24.13.0-2.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nodejs24-docs-24.13.0-2.1.ppc64le"
},
"product_reference": "nodejs24-docs-24.13.0-2.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-docs-24.13.0-2.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nodejs24-docs-24.13.0-2.1.s390x"
},
"product_reference": "nodejs24-docs-24.13.0-2.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-docs-24.13.0-2.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:nodejs24-docs-24.13.0-2.1.x86_64"
},
"product_reference": "nodejs24-docs-24.13.0-2.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm24-24.13.0-2.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:npm24-24.13.0-2.1.aarch64"
},
"product_reference": "npm24-24.13.0-2.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm24-24.13.0-2.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:npm24-24.13.0-2.1.ppc64le"
},
"product_reference": "npm24-24.13.0-2.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm24-24.13.0-2.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:npm24-24.13.0-2.1.s390x"
},
"product_reference": "npm24-24.13.0-2.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm24-24.13.0-2.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:npm24-24.13.0-2.1.x86_64"
},
"product_reference": "npm24-24.13.0-2.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-22036",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-22036"
}
],
"notes": [
{
"category": "general",
"text": "Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands of compression steps, leading to high CPU usage and excessive memory allocation. This vulnerability is fixed in 7.18.0 and 6.23.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:corepack24-24.13.0-2.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.13.0-2.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.13.0-2.1.s390x",
"openSUSE Tumbleweed:corepack24-24.13.0-2.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.13.0-2.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.13.0-2.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.13.0-2.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.13.0-2.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.13.0-2.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.13.0-2.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.13.0-2.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.13.0-2.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.13.0-2.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.13.0-2.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.13.0-2.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.13.0-2.1.x86_64",
"openSUSE Tumbleweed:npm24-24.13.0-2.1.aarch64",
"openSUSE Tumbleweed:npm24-24.13.0-2.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.13.0-2.1.s390x",
"openSUSE Tumbleweed:npm24-24.13.0-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-22036",
"url": "https://www.suse.com/security/cve/CVE-2026-22036"
},
{
"category": "external",
"summary": "SUSE Bug 1256843 for CVE-2026-22036",
"url": "https://bugzilla.suse.com/1256843"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:corepack24-24.13.0-2.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.13.0-2.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.13.0-2.1.s390x",
"openSUSE Tumbleweed:corepack24-24.13.0-2.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.13.0-2.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.13.0-2.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.13.0-2.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.13.0-2.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.13.0-2.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.13.0-2.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.13.0-2.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.13.0-2.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.13.0-2.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.13.0-2.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.13.0-2.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.13.0-2.1.x86_64",
"openSUSE Tumbleweed:npm24-24.13.0-2.1.aarch64",
"openSUSE Tumbleweed:npm24-24.13.0-2.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.13.0-2.1.s390x",
"openSUSE Tumbleweed:npm24-24.13.0-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:corepack24-24.13.0-2.1.aarch64",
"openSUSE Tumbleweed:corepack24-24.13.0-2.1.ppc64le",
"openSUSE Tumbleweed:corepack24-24.13.0-2.1.s390x",
"openSUSE Tumbleweed:corepack24-24.13.0-2.1.x86_64",
"openSUSE Tumbleweed:nodejs24-24.13.0-2.1.aarch64",
"openSUSE Tumbleweed:nodejs24-24.13.0-2.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-24.13.0-2.1.s390x",
"openSUSE Tumbleweed:nodejs24-24.13.0-2.1.x86_64",
"openSUSE Tumbleweed:nodejs24-devel-24.13.0-2.1.aarch64",
"openSUSE Tumbleweed:nodejs24-devel-24.13.0-2.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-devel-24.13.0-2.1.s390x",
"openSUSE Tumbleweed:nodejs24-devel-24.13.0-2.1.x86_64",
"openSUSE Tumbleweed:nodejs24-docs-24.13.0-2.1.aarch64",
"openSUSE Tumbleweed:nodejs24-docs-24.13.0-2.1.ppc64le",
"openSUSE Tumbleweed:nodejs24-docs-24.13.0-2.1.s390x",
"openSUSE Tumbleweed:nodejs24-docs-24.13.0-2.1.x86_64",
"openSUSE Tumbleweed:npm24-24.13.0-2.1.aarch64",
"openSUSE Tumbleweed:npm24-24.13.0-2.1.ppc64le",
"openSUSE Tumbleweed:npm24-24.13.0-2.1.s390x",
"openSUSE Tumbleweed:npm24-24.13.0-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-21T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-22036"
}
]
}
OPENSUSE-SU-2026:20236-1
Vulnerability from csaf_opensuse - Published: 2026-02-15 09:26 - Updated: 2026-02-15 09:26

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:nodejs22-docs-22.22.0-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:nodejs22-docs-22.22.0-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:nodejs22-docs-22.22.0-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:nodejs22-docs-22.22.0-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:nodejs22-docs-22.22.0-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:nodejs22-docs-22.22.0-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:nodejs22-docs-22.22.0-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.x86_64 | — |
Vendor Fix
|
| URL | Category |
|---|---|
| https://www.suse.com/support/security/rating/ | external |
| https://ftp.suse.com/pub/projects/security/csaf/o… | self |
| https://bugzilla.suse.com/1256569 | self |
| https://bugzilla.suse.com/1256570 | self |
| https://bugzilla.suse.com/1256571 | self |
| https://bugzilla.suse.com/1256573 | self |
| https://bugzilla.suse.com/1256574 | self |
| https://bugzilla.suse.com/1256576 | self |
| https://bugzilla.suse.com/1256848 | self |
| https://www.suse.com/security/cve/CVE-2025-55130/ | self |
| https://www.suse.com/security/cve/CVE-2025-55131/ | self |
| https://www.suse.com/security/cve/CVE-2025-55132/ | self |
| https://www.suse.com/security/cve/CVE-2025-59465/ | self |
| https://www.suse.com/security/cve/CVE-2025-59466/ | self |
| https://www.suse.com/security/cve/CVE-2026-21637/ | self |
| https://www.suse.com/security/cve/CVE-2026-22036/ | self |
| https://www.suse.com/security/cve/CVE-2025-55130 | external |
| https://bugzilla.suse.com/1256569 | external |
| https://www.suse.com/security/cve/CVE-2025-55131 | external |
| https://bugzilla.suse.com/1256570 | external |
| https://www.suse.com/security/cve/CVE-2025-55132 | external |
| https://bugzilla.suse.com/1256571 | external |
| https://www.suse.com/security/cve/CVE-2025-59465 | external |
| https://bugzilla.suse.com/1256573 | external |
| https://www.suse.com/security/cve/CVE-2025-59466 | external |
| https://bugzilla.suse.com/1256574 | external |
| https://www.suse.com/security/cve/CVE-2026-21637 | external |
| https://bugzilla.suse.com/1256576 | external |
| https://www.suse.com/security/cve/CVE-2026-22036 | external |
| https://bugzilla.suse.com/1256843 | external |
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for nodejs22",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for nodejs22 fixes the following issues:\n\nUpdate to 22.22.0:\n\n- CVE-2025-55130: file system permissions bypass via crafted symlinks (bsc#1256569).\n- CVE-2025-55131: timeout-based race conditions allow for allocations that contain leftover data from previous operations and lead to exposure of in-process secrets (bsc#1256570).\n- CVE-2025-55132: a file\u0027s access and modification timestamps can be changed via `futimes()` even when the process has only read permissions (bsc#1256571).\n- CVE-2025-59465: malformed HTTP/2 HEADERS frame with invalid HPACK data can cause a crash due to an unhandled error (bsc#1256573).\n- CVE-2025-59466: uncatchable \"Maximum call stack size exceeded\" error when `async_hooks.createHook()` is enabled can lead to crash (bsc#1256574).\n- CVE-2026-21637: synchronous exceptions thrown during certain callbacks bypass the standard TLS error handling paths and can cause a denial of service (bsc#1256576).\n- CVE-2026-22036: undici: unbounded decompression chain in HTTP responses via Content-Encoding may lead to resource exhaustion (bsc#1256848).\n\nFor full changelog, please see https://nodejs.org/en/blog\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Leap-16.0-287",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_20236-1.json"
},
{
"category": "self",
"summary": "SUSE Bug 1256569",
"url": "https://bugzilla.suse.com/1256569"
},
{
"category": "self",
"summary": "SUSE Bug 1256570",
"url": "https://bugzilla.suse.com/1256570"
},
{
"category": "self",
"summary": "SUSE Bug 1256571",
"url": "https://bugzilla.suse.com/1256571"
},
{
"category": "self",
"summary": "SUSE Bug 1256573",
"url": "https://bugzilla.suse.com/1256573"
},
{
"category": "self",
"summary": "SUSE Bug 1256574",
"url": "https://bugzilla.suse.com/1256574"
},
{
"category": "self",
"summary": "SUSE Bug 1256576",
"url": "https://bugzilla.suse.com/1256576"
},
{
"category": "self",
"summary": "SUSE Bug 1256848",
"url": "https://bugzilla.suse.com/1256848"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-55130 page",
"url": "https://www.suse.com/security/cve/CVE-2025-55130/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-55131 page",
"url": "https://www.suse.com/security/cve/CVE-2025-55131/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-55132 page",
"url": "https://www.suse.com/security/cve/CVE-2025-55132/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-59465 page",
"url": "https://www.suse.com/security/cve/CVE-2025-59465/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-59466 page",
"url": "https://www.suse.com/security/cve/CVE-2025-59466/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-21637 page",
"url": "https://www.suse.com/security/cve/CVE-2026-21637/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-22036 page",
"url": "https://www.suse.com/security/cve/CVE-2026-22036/"
}
],
"title": "Security update for nodejs22",
"tracking": {
"current_release_date": "2026-02-15T09:26:17Z",
"generator": {
"date": "2026-02-15T09:26:17Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:20236-1",
"initial_release_date": "2026-02-15T09:26:17Z",
"revision_history": [
{
"date": "2026-02-15T09:26:17Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "corepack22-22.22.0-160000.1.1.aarch64",
"product": {
"name": "corepack22-22.22.0-160000.1.1.aarch64",
"product_id": "corepack22-22.22.0-160000.1.1.aarch64"
}
},
{
"category": "product_version",
"name": "nodejs22-22.22.0-160000.1.1.aarch64",
"product": {
"name": "nodejs22-22.22.0-160000.1.1.aarch64",
"product_id": "nodejs22-22.22.0-160000.1.1.aarch64"
}
},
{
"category": "product_version",
"name": "nodejs22-devel-22.22.0-160000.1.1.aarch64",
"product": {
"name": "nodejs22-devel-22.22.0-160000.1.1.aarch64",
"product_id": "nodejs22-devel-22.22.0-160000.1.1.aarch64"
}
},
{
"category": "product_version",
"name": "npm22-22.22.0-160000.1.1.aarch64",
"product": {
"name": "npm22-22.22.0-160000.1.1.aarch64",
"product_id": "npm22-22.22.0-160000.1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs22-docs-22.22.0-160000.1.1.noarch",
"product": {
"name": "nodejs22-docs-22.22.0-160000.1.1.noarch",
"product_id": "nodejs22-docs-22.22.0-160000.1.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "corepack22-22.22.0-160000.1.1.ppc64le",
"product": {
"name": "corepack22-22.22.0-160000.1.1.ppc64le",
"product_id": "corepack22-22.22.0-160000.1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "nodejs22-22.22.0-160000.1.1.ppc64le",
"product": {
"name": "nodejs22-22.22.0-160000.1.1.ppc64le",
"product_id": "nodejs22-22.22.0-160000.1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "nodejs22-devel-22.22.0-160000.1.1.ppc64le",
"product": {
"name": "nodejs22-devel-22.22.0-160000.1.1.ppc64le",
"product_id": "nodejs22-devel-22.22.0-160000.1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "npm22-22.22.0-160000.1.1.ppc64le",
"product": {
"name": "npm22-22.22.0-160000.1.1.ppc64le",
"product_id": "npm22-22.22.0-160000.1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "corepack22-22.22.0-160000.1.1.s390x",
"product": {
"name": "corepack22-22.22.0-160000.1.1.s390x",
"product_id": "corepack22-22.22.0-160000.1.1.s390x"
}
},
{
"category": "product_version",
"name": "nodejs22-22.22.0-160000.1.1.s390x",
"product": {
"name": "nodejs22-22.22.0-160000.1.1.s390x",
"product_id": "nodejs22-22.22.0-160000.1.1.s390x"
}
},
{
"category": "product_version",
"name": "nodejs22-devel-22.22.0-160000.1.1.s390x",
"product": {
"name": "nodejs22-devel-22.22.0-160000.1.1.s390x",
"product_id": "nodejs22-devel-22.22.0-160000.1.1.s390x"
}
},
{
"category": "product_version",
"name": "npm22-22.22.0-160000.1.1.s390x",
"product": {
"name": "npm22-22.22.0-160000.1.1.s390x",
"product_id": "npm22-22.22.0-160000.1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "corepack22-22.22.0-160000.1.1.x86_64",
"product": {
"name": "corepack22-22.22.0-160000.1.1.x86_64",
"product_id": "corepack22-22.22.0-160000.1.1.x86_64"
}
},
{
"category": "product_version",
"name": "nodejs22-22.22.0-160000.1.1.x86_64",
"product": {
"name": "nodejs22-22.22.0-160000.1.1.x86_64",
"product_id": "nodejs22-22.22.0-160000.1.1.x86_64"
}
},
{
"category": "product_version",
"name": "nodejs22-devel-22.22.0-160000.1.1.x86_64",
"product": {
"name": "nodejs22-devel-22.22.0-160000.1.1.x86_64",
"product_id": "nodejs22-devel-22.22.0-160000.1.1.x86_64"
}
},
{
"category": "product_version",
"name": "npm22-22.22.0-160000.1.1.x86_64",
"product": {
"name": "npm22-22.22.0-160000.1.1.x86_64",
"product_id": "npm22-22.22.0-160000.1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 16.0",
"product": {
"name": "openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0"
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "corepack22-22.22.0-160000.1.1.aarch64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.aarch64"
},
"product_reference": "corepack22-22.22.0-160000.1.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "corepack22-22.22.0-160000.1.1.ppc64le as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.ppc64le"
},
"product_reference": "corepack22-22.22.0-160000.1.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "corepack22-22.22.0-160000.1.1.s390x as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.s390x"
},
"product_reference": "corepack22-22.22.0-160000.1.1.s390x",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "corepack22-22.22.0-160000.1.1.x86_64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.x86_64"
},
"product_reference": "corepack22-22.22.0-160000.1.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs22-22.22.0-160000.1.1.aarch64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.aarch64"
},
"product_reference": "nodejs22-22.22.0-160000.1.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs22-22.22.0-160000.1.1.ppc64le as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.ppc64le"
},
"product_reference": "nodejs22-22.22.0-160000.1.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs22-22.22.0-160000.1.1.s390x as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.s390x"
},
"product_reference": "nodejs22-22.22.0-160000.1.1.s390x",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs22-22.22.0-160000.1.1.x86_64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.x86_64"
},
"product_reference": "nodejs22-22.22.0-160000.1.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs22-devel-22.22.0-160000.1.1.aarch64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.aarch64"
},
"product_reference": "nodejs22-devel-22.22.0-160000.1.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs22-devel-22.22.0-160000.1.1.ppc64le as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.ppc64le"
},
"product_reference": "nodejs22-devel-22.22.0-160000.1.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs22-devel-22.22.0-160000.1.1.s390x as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.s390x"
},
"product_reference": "nodejs22-devel-22.22.0-160000.1.1.s390x",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs22-devel-22.22.0-160000.1.1.x86_64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.x86_64"
},
"product_reference": "nodejs22-devel-22.22.0-160000.1.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs22-docs-22.22.0-160000.1.1.noarch as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:nodejs22-docs-22.22.0-160000.1.1.noarch"
},
"product_reference": "nodejs22-docs-22.22.0-160000.1.1.noarch",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm22-22.22.0-160000.1.1.aarch64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.aarch64"
},
"product_reference": "npm22-22.22.0-160000.1.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm22-22.22.0-160000.1.1.ppc64le as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.ppc64le"
},
"product_reference": "npm22-22.22.0-160000.1.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm22-22.22.0-160000.1.1.s390x as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.s390x"
},
"product_reference": "npm22-22.22.0-160000.1.1.s390x",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm22-22.22.0-160000.1.1.x86_64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.x86_64"
},
"product_reference": "npm22-22.22.0-160000.1.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-55130",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-55130"
}
],
"notes": [
{
"category": "general",
"text": "A flaw in Node.js\u0027s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write, leading to potential system compromise.\nThis vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:nodejs22-docs-22.22.0-160000.1.1.noarch",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-55130",
"url": "https://www.suse.com/security/cve/CVE-2025-55130"
},
{
"category": "external",
"summary": "SUSE Bug 1256569 for CVE-2025-55130",
"url": "https://bugzilla.suse.com/1256569"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:nodejs22-docs-22.22.0-160000.1.1.noarch",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:nodejs22-docs-22.22.0-160000.1.1.noarch",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-15T09:26:17Z",
"details": "important"
}
],
"title": "CVE-2025-55130"
},
{
"cve": "CVE-2025-55131",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-55131"
}
],
"notes": [
{
"category": "general",
"text": "A flaw in Node.js\u0027s buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption. While exploitation typically requires precise timing or in-process code execution, it can become remotely exploitable when untrusted input influences workload and timeouts, leading to potential confidentiality and integrity impact.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:nodejs22-docs-22.22.0-160000.1.1.noarch",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-55131",
"url": "https://www.suse.com/security/cve/CVE-2025-55131"
},
{
"category": "external",
"summary": "SUSE Bug 1256570 for CVE-2025-55131",
"url": "https://bugzilla.suse.com/1256570"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:nodejs22-docs-22.22.0-160000.1.1.noarch",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:nodejs22-docs-22.22.0-160000.1.1.noarch",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-15T09:26:17Z",
"details": "important"
}
],
"title": "CVE-2025-55131"
},
{
"cve": "CVE-2025-55132",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-55132"
}
],
"notes": [
{
"category": "general",
"text": "A flaw in Node.js\u0027s permission model allows a file\u0027s access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:nodejs22-docs-22.22.0-160000.1.1.noarch",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-55132",
"url": "https://www.suse.com/security/cve/CVE-2025-55132"
},
{
"category": "external",
"summary": "SUSE Bug 1256571 for CVE-2025-55132",
"url": "https://bugzilla.suse.com/1256571"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:nodejs22-docs-22.22.0-160000.1.1.noarch",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:nodejs22-docs-22.22.0-160000.1.1.noarch",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-15T09:26:17Z",
"details": "low"
}
],
"title": "CVE-2025-55132"
},
{
"cve": "CVE-2025-59465",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-59465"
}
],
"notes": [
{
"category": "general",
"text": "A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets; an explicit handler looks like this, for example:\n```\nserver.on(\u0027secureConnection\u0027, socket =\u003e {\n socket.on(\u0027error\u0027, err =\u003e {\n console.log(err)\n })\n})\n```",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:nodejs22-docs-22.22.0-160000.1.1.noarch",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-59465",
"url": "https://www.suse.com/security/cve/CVE-2025-59465"
},
{
"category": "external",
"summary": "SUSE Bug 1256573 for CVE-2025-59465",
"url": "https://bugzilla.suse.com/1256573"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:nodejs22-docs-22.22.0-160000.1.1.noarch",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:nodejs22-docs-22.22.0-160000.1.1.noarch",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-15T09:26:17Z",
"details": "important"
}
],
"title": "CVE-2025-59465"
},
{
"cve": "CVE-2025-59466",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-59466"
}
],
"notes": [
{
"category": "general",
"text": "We have identified a bug in Node.js error handling where \"Maximum call stack size exceeded\" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on(\u0027uncaughtException\u0027)`, the process terminates, making the crash unrecoverable. Applications that rely on `AsyncLocalStorage` (v22, v20) or `async_hooks.createHook()` (v24, v22, v20) become vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:nodejs22-docs-22.22.0-160000.1.1.noarch",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-59466",
"url": "https://www.suse.com/security/cve/CVE-2025-59466"
},
{
"category": "external",
"summary": "SUSE Bug 1256574 for CVE-2025-59466",
"url": "https://bugzilla.suse.com/1256574"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:nodejs22-docs-22.22.0-160000.1.1.noarch",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:nodejs22-docs-22.22.0-160000.1.1.noarch",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-15T09:26:17Z",
"details": "moderate"
}
],
"title": "CVE-2025-59466"
},
{
"cve": "CVE-2026-21637",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-21637"
}
],
"notes": [
{
"category": "general",
"text": "A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across Node.js versions where these callbacks throw without being safely wrapped.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:nodejs22-docs-22.22.0-160000.1.1.noarch",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-21637",
"url": "https://www.suse.com/security/cve/CVE-2026-21637"
},
{
"category": "external",
"summary": "SUSE Bug 1256576 for CVE-2026-21637",
"url": "https://bugzilla.suse.com/1256576"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:nodejs22-docs-22.22.0-160000.1.1.noarch",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:nodejs22-docs-22.22.0-160000.1.1.noarch",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-15T09:26:17Z",
"details": "moderate"
}
],
"title": "CVE-2026-21637"
},
{
"cve": "CVE-2026-22036",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-22036"
}
],
"notes": [
{
"category": "general",
"text": "Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands of compression steps, leading to high CPU usage and excessive memory allocation. This vulnerability is fixed in 7.18.0 and 6.23.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:nodejs22-docs-22.22.0-160000.1.1.noarch",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-22036",
"url": "https://www.suse.com/security/cve/CVE-2026-22036"
},
{
"category": "external",
"summary": "SUSE Bug 1256843 for CVE-2026-22036",
"url": "https://bugzilla.suse.com/1256843"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:nodejs22-docs-22.22.0-160000.1.1.noarch",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:corepack22-22.22.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:nodejs22-22.22.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:nodejs22-devel-22.22.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:nodejs22-docs-22.22.0-160000.1.1.noarch",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.ppc64le",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.s390x",
"openSUSE Leap 16.0:npm22-22.22.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-15T09:26:17Z",
"details": "moderate"
}
],
"title": "CVE-2026-22036"
}
]
}
RHSA-2026:24841
Vulnerability from csaf_redhat - Published: 2026-06-09 14:38 - Updated: 2026-06-09 19:11
A flaw was found in Lodash. An attacker can exploit a prototype pollution vulnerability in the `_.unset` and `_.omit` functions by bypassing a security check. This bypass is achieved by providing array-wrapped path segments, which allows for the deletion of properties from built-in JavaScript prototypes such as `Object.prototype`. This could lead to unexpected application behavior or denial of service.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:b99622b2ec913bdf7ad25a7a9919fbf07a6a177548b3f486acf648c533ca4f22_amd64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:b04577fd53315437ef4580af92055fb5238649a5a11e68e264ea1ed70eae79db_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:c290c8d9d433286ac038022c229b359500b7451a3d3f97c3c50371b6198df029_amd64 | — |
Workaround
|
A flaw was found in path-to-regexp. This vulnerability allows a remote attacker to cause a Denial of Service (DoS) by sending a specially crafted request. The issue arises when multiple wildcards are used with parameters in a way that creates a vulnerable regular expression, leading to excessive processing time and system unresponsiveness.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:b99622b2ec913bdf7ad25a7a9919fbf07a6a177548b3f486acf648c533ca4f22_amd64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:b04577fd53315437ef4580af92055fb5238649a5a11e68e264ea1ed70eae79db_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:c290c8d9d433286ac038022c229b359500b7451a3d3f97c3c50371b6198df029_amd64 | — |
Workaround
|
A flaw was found in Undici, an HTTP/1.1 client for Node.js. A remote attacker could exploit this vulnerability by sending a specially crafted HTTP response with an unbounded number of links in the decompression chain. This could lead to high CPU usage and excessive memory allocation, resulting in a Denial of Service (DoS) for the affected system.
CWE-770 - Allocation of Resources Without Limits or Throttling
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:b99622b2ec913bdf7ad25a7a9919fbf07a6a177548b3f486acf648c533ca4f22_amd64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:b04577fd53315437ef4580af92055fb5238649a5a11e68e264ea1ed70eae79db_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:c290c8d9d433286ac038022c229b359500b7451a3d3f97c3c50371b6198df029_amd64 | — |
Workaround
|
A flaw was found in Underscore.js, a JavaScript utility library. This vulnerability allows a remote attacker to trigger a Denial of Service (DoS) attack by providing specially crafted recursive data structures. When these structures are processed by the _.flatten or _.isEqual functions, which lack a depth limit for recursion, a stack overflow occurs. This can make the application unavailable to legitimate users.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:b99622b2ec913bdf7ad25a7a9919fbf07a6a177548b3f486acf648c533ca4f22_amd64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:b04577fd53315437ef4580af92055fb5238649a5a11e68e264ea1ed70eae79db_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:c290c8d9d433286ac038022c229b359500b7451a3d3f97c3c50371b6198df029_amd64 | — |
Workaround
|
A flaw was found in yauzl (Yet Another Unzip Library), a component used in Node.js applications for handling zip files. A remote attacker can exploit an error in how the library processes specific timestamp information within a crafted zip file. This can lead to a denial of service (DoS), causing affected applications to crash and become unavailable.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:b99622b2ec913bdf7ad25a7a9919fbf07a6a177548b3f486acf648c533ca4f22_amd64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:b04577fd53315437ef4580af92055fb5238649a5a11e68e264ea1ed70eae79db_amd64 | — |
Workaround
|
|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:c290c8d9d433286ac038022c229b359500b7451a3d3f97c3c50371b6198df029_amd64 | — |
Workaround
|
An allowlist bypass flaw has been discovered in the npm @backstage/plugin-auth-backend package. Instances that have enabled experimental Dynamic Client Registration or Client ID Metadata Documents and configured allowedRedirectUriPatterns are affected. A specially crafted redirect URI can pass the allowlist validation while resolving to an attacker-controlled host. If a victim approves the resulting OAuth consent request, their authorization code is sent to the attacker, who can exchange it for a valid access token. This requires victim interaction and that one of the experimental features is explicitly enabled, which is not the default.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:b99622b2ec913bdf7ad25a7a9919fbf07a6a177548b3f486acf648c533ca4f22_amd64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:b04577fd53315437ef4580af92055fb5238649a5a11e68e264ea1ed70eae79db_amd64 | — | Workaround |
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:c290c8d9d433286ac038022c229b359500b7451a3d3f97c3c50371b6198df029_amd64 | — | Workaround |
A flaw was found in fast-xml-parser. A remote attacker can exploit this vulnerability by providing specially crafted XML input to an application using the affected library. The DocTypeReader component incorrectly processes configuration limits for entity counts and sizes when these limits are explicitly set to zero, bypassing intended restrictions. This oversight allows for unbounded entity expansion, consuming excessive memory and leading to a Denial of Service (DoS) condition, which makes the application unavailable to legitimate users.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:b99622b2ec913bdf7ad25a7a9919fbf07a6a177548b3f486acf648c533ca4f22_amd64 | — | Vendor Fix<br>fix<br>Workaround |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:b04577fd53315437ef4580af92055fb5238649a5a11e68e264ea1ed70eae79db_amd64 | — | Workaround |
| Unresolved product id: Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:c290c8d9d433286ac038022c229b359500b7451a3d3f97c3c50371b6198df029_amd64 | — | Workaround |
| URL | Category |
|---|---|
| https://access.redhat.com/errata/RHSA-2026:24841 | self |
| https://access.redhat.com/security/cve/CVE-2026-22036 | external |
| https://access.redhat.com/security/cve/CVE-2026-27601 | external |
| https://access.redhat.com/security/cve/CVE-2026-2950 | external |
| https://access.redhat.com/security/cve/CVE-2026-31988 | external |
| https://access.redhat.com/security/cve/CVE-2026-32235 | external |
| https://access.redhat.com/security/cve/CVE-2026-33349 | external |
| https://access.redhat.com/security/cve/CVE-2026-4923 | external |
| https://access.redhat.com/security/updates/classi… | external |
| https://catalog.redhat.com/search?gs&searchType=c… | external |
| https://developers.redhat.com/rhdh/overview | external |
| https://docs.redhat.com/en/documentation/red_hat_… | external |
| https://issues.redhat.com/browse/RHDHBUGS-2870 | external |
| https://issues.redhat.com/browse/RHDHBUGS-2962 | external |
| https://issues.redhat.com/browse/RHDHBUGS-2964 | external |
| https://issues.redhat.com/browse/RHDHBUGS-2965 | external |
| https://issues.redhat.com/browse/RHDHBUGS-2966 | external |
| https://issues.redhat.com/browse/RHDHBUGS-2971 | external |
| https://issues.redhat.com/browse/RHDHBUGS-2974 | external |
| https://security.access.redhat.com/data/csaf/v2/a… | self |
| https://access.redhat.com/security/cve/CVE-2026-2950 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2453499 | external |
| https://www.cve.org/CVERecord?id=CVE-2026-2950 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2026-2950 | external |
| https://github.com/lodash/lodash/security/advisor… | external |
| https://access.redhat.com/security/cve/CVE-2026-4923 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2451860 | external |
| https://www.cve.org/CVERecord?id=CVE-2026-4923 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2026-4923 | external |
| https://cna.openjsf.org/security-advisories.html | external |
| https://access.redhat.com/security/cve/CVE-2026-22036 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2429741 | external |
| https://www.cve.org/CVERecord?id=CVE-2026-22036 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2026-22036 | external |
| https://github.com/nodejs/undici/commit/b04e3cbb5… | external |
| https://github.com/nodejs/undici/security/advisor… | external |
| https://access.redhat.com/security/cve/CVE-2026-27601 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2444247 | external |
| https://www.cve.org/CVERecord?id=CVE-2026-27601 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2026-27601 | external |
| https://github.com/jashkenas/underscore/commit/41… | external |
| https://github.com/jashkenas/underscore/commit/a6… | external |
| https://github.com/jashkenas/underscore/security/… | external |
| https://access.redhat.com/security/cve/CVE-2026-31988 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2446882 | external |
| https://www.cve.org/CVERecord?id=CVE-2026-31988 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2026-31988 | external |
| https://github.com/thejoshwolfe/yauzl/commit/c469… | external |
| https://www.codeant.ai/security-research/yauzl-de… | external |
| https://www.npmjs.com/package/yauzl | external |
| https://www.vulncheck.com/advisories/yauzl-denial… | external |
| https://access.redhat.com/security/cve/CVE-2026-32235 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2447075 | external |
| https://www.cve.org/CVERecord?id=CVE-2026-32235 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2026-32235 | external |
| https://github.com/backstage/backstage/security/a… | external |
| https://access.redhat.com/security/cve/CVE-2026-33349 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2450909 | external |
| https://www.cve.org/CVERecord?id=CVE-2026-33349 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2026-33349 | external |
| https://github.com/NaturalIntelligence/fast-xml-p… | external |
| https://github.com/NaturalIntelligence/fast-xml-p… | external |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Red Hat Developer Hub 1.10.0 has been released.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Developer Hub (RHDH) is Red Hat\u0027s enterprise-grade, self-managed, customizable developer portal based on Backstage.io. RHDH is supported on OpenShift and other major Kubernetes clusters (AKS, EKS, GKE). The core features of RHDH include a single pane of glass, a centralized software catalog, self-service via golden path templates, and Tech Docs. RHDH is extensible by plugins.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:24841",
"url": "https://access.redhat.com/errata/RHSA-2026:24841"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-22036",
"url": "https://access.redhat.com/security/cve/CVE-2026-22036"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-27601",
"url": "https://access.redhat.com/security/cve/CVE-2026-27601"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-2950",
"url": "https://access.redhat.com/security/cve/CVE-2026-2950"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-31988",
"url": "https://access.redhat.com/security/cve/CVE-2026-31988"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-32235",
"url": "https://access.redhat.com/security/cve/CVE-2026-32235"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-33349",
"url": "https://access.redhat.com/security/cve/CVE-2026-33349"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-4923",
"url": "https://access.redhat.com/security/cve/CVE-2026-4923"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://catalog.redhat.com/search?gs\u0026searchType=containers\u0026q=rhdh",
"url": "https://catalog.redhat.com/search?gs\u0026searchType=containers\u0026q=rhdh"
},
{
"category": "external",
"summary": "https://developers.redhat.com/rhdh/overview",
"url": "https://developers.redhat.com/rhdh/overview"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/red_hat_developer_hub",
"url": "https://docs.redhat.com/en/documentation/red_hat_developer_hub"
},
{
"category": "external",
"summary": "https://issues.redhat.com/browse/RHDHBUGS-2870",
"url": "https://issues.redhat.com/browse/RHDHBUGS-2870"
},
{
"category": "external",
"summary": "https://issues.redhat.com/browse/RHDHBUGS-2962",
"url": "https://issues.redhat.com/browse/RHDHBUGS-2962"
},
{
"category": "external",
"summary": "https://issues.redhat.com/browse/RHDHBUGS-2964",
"url": "https://issues.redhat.com/browse/RHDHBUGS-2964"
},
{
"category": "external",
"summary": "https://issues.redhat.com/browse/RHDHBUGS-2965",
"url": "https://issues.redhat.com/browse/RHDHBUGS-2965"
},
{
"category": "external",
"summary": "https://issues.redhat.com/browse/RHDHBUGS-2966",
"url": "https://issues.redhat.com/browse/RHDHBUGS-2966"
},
{
"category": "external",
"summary": "https://issues.redhat.com/browse/RHDHBUGS-2971",
"url": "https://issues.redhat.com/browse/RHDHBUGS-2971"
},
{
"category": "external",
"summary": "https://issues.redhat.com/browse/RHDHBUGS-2974",
"url": "https://issues.redhat.com/browse/RHDHBUGS-2974"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_24841.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Developer Hub 1.10.0 release.",
"tracking": {
"current_release_date": "2026-06-09T19:11:29+00:00",
"generator": {
"date": "2026-06-09T19:11:29+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.2"
}
},
"id": "RHSA-2026:24841",
"initial_release_date": "2026-06-09T14:38:34+00:00",
"revision_history": [
{
"date": "2026-06-09T14:38:34+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-06-09T14:38:36+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-09T19:11:29+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Developer Hub 1.10",
"product": {
"name": "Red Hat Developer Hub 1.10",
"product_id": "Red Hat Developer Hub 1.10",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhdh:1.10::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat Developer Hub"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:b99622b2ec913bdf7ad25a7a9919fbf07a6a177548b3f486acf648c533ca4f22_amd64",
"product": {
"name": "registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:b99622b2ec913bdf7ad25a7a9919fbf07a6a177548b3f486acf648c533ca4f22_amd64",
"product_id": "registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:b99622b2ec913bdf7ad25a7a9919fbf07a6a177548b3f486acf648c533ca4f22_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhdh-hub-rhel9@sha256%3Ab99622b2ec913bdf7ad25a7a9919fbf07a6a177548b3f486acf648c533ca4f22?arch=amd64\u0026repository_url=registry.redhat.io/rhdh/rhdh-hub-rhel9\u0026tag=1780930740"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:c290c8d9d433286ac038022c229b359500b7451a3d3f97c3c50371b6198df029_amd64",
"product": {
"name": "registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:c290c8d9d433286ac038022c229b359500b7451a3d3f97c3c50371b6198df029_amd64",
"product_id": "registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:c290c8d9d433286ac038022c229b359500b7451a3d3f97c3c50371b6198df029_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhdh-rhel9-operator@sha256%3Ac290c8d9d433286ac038022c229b359500b7451a3d3f97c3c50371b6198df029?arch=amd64\u0026repository_url=registry.redhat.io/rhdh/rhdh-rhel9-operator\u0026tag=1779927546"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:b04577fd53315437ef4580af92055fb5238649a5a11e68e264ea1ed70eae79db_amd64",
"product": {
"name": "registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:b04577fd53315437ef4580af92055fb5238649a5a11e68e264ea1ed70eae79db_amd64",
"product_id": "registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:b04577fd53315437ef4580af92055fb5238649a5a11e68e264ea1ed70eae79db_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhdh-operator-bundle@sha256%3Ab04577fd53315437ef4580af92055fb5238649a5a11e68e264ea1ed70eae79db?arch=amd64\u0026repository_url=registry.redhat.io/rhdh/rhdh-operator-bundle\u0026tag=1780961472"
}
}
}
],
"category": "architecture",
"name": "amd64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:b99622b2ec913bdf7ad25a7a9919fbf07a6a177548b3f486acf648c533ca4f22_amd64 as a component of Red Hat Developer Hub 1.10",
"product_id": "Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:b99622b2ec913bdf7ad25a7a9919fbf07a6a177548b3f486acf648c533ca4f22_amd64"
},
"product_reference": "registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:b99622b2ec913bdf7ad25a7a9919fbf07a6a177548b3f486acf648c533ca4f22_amd64",
"relates_to_product_reference": "Red Hat Developer Hub 1.10"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:b04577fd53315437ef4580af92055fb5238649a5a11e68e264ea1ed70eae79db_amd64 as a component of Red Hat Developer Hub 1.10",
"product_id": "Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:b04577fd53315437ef4580af92055fb5238649a5a11e68e264ea1ed70eae79db_amd64"
},
"product_reference": "registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:b04577fd53315437ef4580af92055fb5238649a5a11e68e264ea1ed70eae79db_amd64",
"relates_to_product_reference": "Red Hat Developer Hub 1.10"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:c290c8d9d433286ac038022c229b359500b7451a3d3f97c3c50371b6198df029_amd64 as a component of Red Hat Developer Hub 1.10",
"product_id": "Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:c290c8d9d433286ac038022c229b359500b7451a3d3f97c3c50371b6198df029_amd64"
},
"product_reference": "registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:c290c8d9d433286ac038022c229b359500b7451a3d3f97c3c50371b6198df029_amd64",
"relates_to_product_reference": "Red Hat Developer Hub 1.10"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-2950",
"cwe": {
"id": "CWE-915",
"name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
},
"discovery_date": "2026-03-31T20:01:38.424064+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:b04577fd53315437ef4580af92055fb5238649a5a11e68e264ea1ed70eae79db_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:c290c8d9d433286ac038022c229b359500b7451a3d3f97c3c50371b6198df029_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2453499"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Lodash. An attacker can exploit a prototype pollution vulnerability in the `_.unset` and `_.omit` functions by bypassing a security check. This bypass is achieved by providing array-wrapped path segments, which allows for the deletion of properties from built-in JavaScript prototypes such as `Object.prototype`. This could lead to unexpected application behavior or denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "lodash: Lodash: Prototype pollution allows deletion of built-in prototype properties via array path bypass",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:b99622b2ec913bdf7ad25a7a9919fbf07a6a177548b3f486acf648c533ca4f22_amd64"
],
"known_not_affected": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:b04577fd53315437ef4580af92055fb5238649a5a11e68e264ea1ed70eae79db_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:c290c8d9d433286ac038022c229b359500b7451a3d3f97c3c50371b6198df029_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-2950"
},
{
"category": "external",
"summary": "RHBZ#2453499",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453499"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-2950",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-2950"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-2950",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2950"
},
{
"category": "external",
"summary": "https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg",
"url": "https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg"
}
],
"release_date": "2026-03-31T19:18:35.796000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-09T14:38:34+00:00",
"details": "For more about Red Hat Developer Hub, see References links",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:b99622b2ec913bdf7ad25a7a9919fbf07a6a177548b3f486acf648c533ca4f22_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:24841"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:b99622b2ec913bdf7ad25a7a9919fbf07a6a177548b3f486acf648c533ca4f22_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:b04577fd53315437ef4580af92055fb5238649a5a11e68e264ea1ed70eae79db_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:c290c8d9d433286ac038022c229b359500b7451a3d3f97c3c50371b6198df029_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:b99622b2ec913bdf7ad25a7a9919fbf07a6a177548b3f486acf648c533ca4f22_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:b04577fd53315437ef4580af92055fb5238649a5a11e68e264ea1ed70eae79db_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:c290c8d9d433286ac038022c229b359500b7451a3d3f97c3c50371b6198df029_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "lodash: Lodash: Prototype pollution allows deletion of built-in prototype properties via array path bypass"
},
{
"cve": "CVE-2026-4923",
"cwe": {
"id": "CWE-1333",
"name": "Inefficient Regular Expression Complexity"
},
"discovery_date": "2026-03-26T20:02:52.199458+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:b04577fd53315437ef4580af92055fb5238649a5a11e68e264ea1ed70eae79db_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:c290c8d9d433286ac038022c229b359500b7451a3d3f97c3c50371b6198df029_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2451860"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in path-to-regexp. This vulnerability allows a remote attacker to cause a Denial of Service (DoS) by sending a specially crafted request. The issue arises when multiple wildcards are used with parameters in a way that creates a vulnerable regular expression, leading to excessive processing time and system unresponsiveness.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "path-to-regexp: path-to-regexp: Denial of Service via specially crafted paths with multiple wildcards",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:b99622b2ec913bdf7ad25a7a9919fbf07a6a177548b3f486acf648c533ca4f22_amd64"
],
"known_not_affected": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:b04577fd53315437ef4580af92055fb5238649a5a11e68e264ea1ed70eae79db_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:c290c8d9d433286ac038022c229b359500b7451a3d3f97c3c50371b6198df029_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-4923"
},
{
"category": "external",
"summary": "RHBZ#2451860",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451860"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-4923",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-4923"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-4923",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4923"
},
{
"category": "external",
"summary": "https://cna.openjsf.org/security-advisories.html",
"url": "https://cna.openjsf.org/security-advisories.html"
}
],
"release_date": "2026-03-26T19:02:00.729000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-09T14:38:34+00:00",
"details": "For more about Red Hat Developer Hub, see References links",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:b99622b2ec913bdf7ad25a7a9919fbf07a6a177548b3f486acf648c533ca4f22_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:24841"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:b99622b2ec913bdf7ad25a7a9919fbf07a6a177548b3f486acf648c533ca4f22_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:b04577fd53315437ef4580af92055fb5238649a5a11e68e264ea1ed70eae79db_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:c290c8d9d433286ac038022c229b359500b7451a3d3f97c3c50371b6198df029_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:b99622b2ec913bdf7ad25a7a9919fbf07a6a177548b3f486acf648c533ca4f22_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:b04577fd53315437ef4580af92055fb5238649a5a11e68e264ea1ed70eae79db_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:c290c8d9d433286ac038022c229b359500b7451a3d3f97c3c50371b6198df029_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "path-to-regexp: path-to-regexp: Denial of Service via specially crafted paths with multiple wildcards"
},
{
"cve": "CVE-2026-22036",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-01-14T20:01:00.899462+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:b04577fd53315437ef4580af92055fb5238649a5a11e68e264ea1ed70eae79db_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:c290c8d9d433286ac038022c229b359500b7451a3d3f97c3c50371b6198df029_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2429741"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Undici, an HTTP/1.1 client for Node.js. A remote attacker could exploit this vulnerability by sending a specially crafted HTTP response with an unbounded number of links in the decompression chain. This could lead to high CPU usage and excessive memory allocation, resulting in a Denial of Service (DoS) for the affected system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "undici: Undici: Denial of Service via excessive decompression steps",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated Low for Red Hat products. The flaw in Undici, an HTTP/1.1 client for Node.js, allows a remote malicious server to trigger a Denial of Service by sending a specially crafted HTTP response with excessive decompression steps. This can lead to high CPU usage and memory allocation on the client system. Red Hat products utilizing Undici that connect to untrusted external HTTP servers are potentially affected.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:b99622b2ec913bdf7ad25a7a9919fbf07a6a177548b3f486acf648c533ca4f22_amd64"
],
"known_not_affected": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:b04577fd53315437ef4580af92055fb5238649a5a11e68e264ea1ed70eae79db_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:c290c8d9d433286ac038022c229b359500b7451a3d3f97c3c50371b6198df029_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-22036"
},
{
"category": "external",
"summary": "RHBZ#2429741",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2429741"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-22036",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22036"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-22036",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22036"
},
{
"category": "external",
"summary": "https://github.com/nodejs/undici/commit/b04e3cbb569c1596f86c108e9b52c79d8475dcb3",
"url": "https://github.com/nodejs/undici/commit/b04e3cbb569c1596f86c108e9b52c79d8475dcb3"
},
{
"category": "external",
"summary": "https://github.com/nodejs/undici/security/advisories/GHSA-g9mf-h72j-4rw9",
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-g9mf-h72j-4rw9"
}
],
"release_date": "2026-01-14T19:07:13.745000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-09T14:38:34+00:00",
"details": "For more about Red Hat Developer Hub, see References links",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:b99622b2ec913bdf7ad25a7a9919fbf07a6a177548b3f486acf648c533ca4f22_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:24841"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:b99622b2ec913bdf7ad25a7a9919fbf07a6a177548b3f486acf648c533ca4f22_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:b04577fd53315437ef4580af92055fb5238649a5a11e68e264ea1ed70eae79db_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:c290c8d9d433286ac038022c229b359500b7451a3d3f97c3c50371b6198df029_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:b99622b2ec913bdf7ad25a7a9919fbf07a6a177548b3f486acf648c533ca4f22_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:b04577fd53315437ef4580af92055fb5238649a5a11e68e264ea1ed70eae79db_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:c290c8d9d433286ac038022c229b359500b7451a3d3f97c3c50371b6198df029_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "undici: Undici: Denial of Service via excessive decompression steps"
},
{
"cve": "CVE-2026-27601",
"cwe": {
"id": "CWE-606",
"name": "Unchecked Input for Loop Condition"
},
"discovery_date": "2026-03-03T23:01:58.011378+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:b04577fd53315437ef4580af92055fb5238649a5a11e68e264ea1ed70eae79db_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:c290c8d9d433286ac038022c229b359500b7451a3d3f97c3c50371b6198df029_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2444247"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Underscore.js, a JavaScript utility library. This vulnerability allows a remote attacker to trigger a Denial of Service (DoS) attack by providing specially crafted recursive data structures. When these structures are processed by the _.flatten or _.isEqual functions, which lack a depth limit for recursion, a stack overflow occurs. This can make the application unavailable to legitimate users.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Underscore.js: Underscore.js: Denial of Service via recursive data structures in flatten and isEqual functions",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:b99622b2ec913bdf7ad25a7a9919fbf07a6a177548b3f486acf648c533ca4f22_amd64"
],
"known_not_affected": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:b04577fd53315437ef4580af92055fb5238649a5a11e68e264ea1ed70eae79db_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:c290c8d9d433286ac038022c229b359500b7451a3d3f97c3c50371b6198df029_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-27601"
},
{
"category": "external",
"summary": "RHBZ#2444247",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2444247"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-27601",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27601"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-27601",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27601"
},
{
"category": "external",
"summary": "https://github.com/jashkenas/underscore/commit/411e222eb0ca5d570cc4f6315c02c05b830ed2b4",
"url": "https://github.com/jashkenas/underscore/commit/411e222eb0ca5d570cc4f6315c02c05b830ed2b4"
},
{
"category": "external",
"summary": "https://github.com/jashkenas/underscore/commit/a6e23ae9647461ec33ad9f92a2ecfc220eea0a84",
"url": "https://github.com/jashkenas/underscore/commit/a6e23ae9647461ec33ad9f92a2ecfc220eea0a84"
},
{
"category": "external",
"summary": "https://github.com/jashkenas/underscore/security/advisories/GHSA-qpx9-hpmf-5gmw",
"url": "https://github.com/jashkenas/underscore/security/advisories/GHSA-qpx9-hpmf-5gmw"
}
],
"release_date": "2026-03-03T22:38:38.955000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-09T14:38:34+00:00",
"details": "For more about Red Hat Developer Hub, see References links",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:b99622b2ec913bdf7ad25a7a9919fbf07a6a177548b3f486acf648c533ca4f22_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:24841"
},
{
"category": "workaround",
"details": "To mitigate this issue, applications utilizing Underscore.js should ensure that any processing of untrusted, recursively structured data with `_.flatten` or `_.isEqual` explicitly enforces a finite depth limit. Review application code to identify and modify calls to these functions, adding appropriate depth parameters to prevent stack overflow conditions. Additionally, input validation should be implemented to sanitize untrusted data before it is processed by Underscore.js functions.",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:b99622b2ec913bdf7ad25a7a9919fbf07a6a177548b3f486acf648c533ca4f22_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:b04577fd53315437ef4580af92055fb5238649a5a11e68e264ea1ed70eae79db_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:c290c8d9d433286ac038022c229b359500b7451a3d3f97c3c50371b6198df029_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:b99622b2ec913bdf7ad25a7a9919fbf07a6a177548b3f486acf648c533ca4f22_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:b04577fd53315437ef4580af92055fb5238649a5a11e68e264ea1ed70eae79db_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:c290c8d9d433286ac038022c229b359500b7451a3d3f97c3c50371b6198df029_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "Underscore.js: Underscore.js: Denial of Service via recursive data structures in flatten and isEqual functions"
},
{
"cve": "CVE-2026-31988",
"cwe": {
"id": "CWE-193",
"name": "Off-by-one Error"
},
"discovery_date": "2026-03-12T00:01:15.619385+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:b04577fd53315437ef4580af92055fb5238649a5a11e68e264ea1ed70eae79db_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:c290c8d9d433286ac038022c229b359500b7451a3d3f97c3c50371b6198df029_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2446882"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in yauzl (Yet Another Unzip Library), a component used in Node.js applications for handling zip files. A remote attacker can exploit an error in how the library processes specific timestamp information within a crafted zip file. This can lead to a denial of service (DoS), causing affected applications to crash and become unavailable.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "yauzl: yauzl: Denial of Service vulnerability in zip file processing",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Moderate: This flaw in yauzl can lead to a denial of service in Node.js applications that process zip file uploads and specifically call `entry.getLastModDate()` on parsed entries. Red Hat products that utilize the affected `yauzl` library in this manner are susceptible to a process crash when handling a specially crafted zip file containing a malformed NTFS extra field.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:b99622b2ec913bdf7ad25a7a9919fbf07a6a177548b3f486acf648c533ca4f22_amd64"
],
"known_not_affected": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:b04577fd53315437ef4580af92055fb5238649a5a11e68e264ea1ed70eae79db_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:c290c8d9d433286ac038022c229b359500b7451a3d3f97c3c50371b6198df029_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-31988"
},
{
"category": "external",
"summary": "RHBZ#2446882",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2446882"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-31988",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31988"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-31988",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31988"
},
{
"category": "external",
"summary": "https://github.com/thejoshwolfe/yauzl/commit/c4695215b05c6adffda613b9051a2a85429b33fe",
"url": "https://github.com/thejoshwolfe/yauzl/commit/c4695215b05c6adffda613b9051a2a85429b33fe"
},
{
"category": "external",
"summary": "https://www.codeant.ai/security-research/yauzl-denial-of-service-zip-file-crash",
"url": "https://www.codeant.ai/security-research/yauzl-denial-of-service-zip-file-crash"
},
{
"category": "external",
"summary": "https://www.npmjs.com/package/yauzl",
"url": "https://www.npmjs.com/package/yauzl"
},
{
"category": "external",
"summary": "https://www.vulncheck.com/advisories/yauzl-denial-of-service-via-off-by-one-error-in-ntfs-timestamp-parser",
"url": "https://www.vulncheck.com/advisories/yauzl-denial-of-service-via-off-by-one-error-in-ntfs-timestamp-parser"
}
],
"release_date": "2026-03-11T22:58:48.863000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-09T14:38:34+00:00",
"details": "For more about Red Hat Developer Hub, see References links",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:b99622b2ec913bdf7ad25a7a9919fbf07a6a177548b3f486acf648c533ca4f22_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:24841"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:b99622b2ec913bdf7ad25a7a9919fbf07a6a177548b3f486acf648c533ca4f22_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:b04577fd53315437ef4580af92055fb5238649a5a11e68e264ea1ed70eae79db_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:c290c8d9d433286ac038022c229b359500b7451a3d3f97c3c50371b6198df029_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:b99622b2ec913bdf7ad25a7a9919fbf07a6a177548b3f486acf648c533ca4f22_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:b04577fd53315437ef4580af92055fb5238649a5a11e68e264ea1ed70eae79db_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:c290c8d9d433286ac038022c229b359500b7451a3d3f97c3c50371b6198df029_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "yauzl: yauzl: Denial of Service vulnerability in zip file processing"
},
{
"cve": "CVE-2026-32235",
"cwe": {
"id": "CWE-601",
"name": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)"
},
"discovery_date": "2026-03-12T19:01:05.406839+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:b04577fd53315437ef4580af92055fb5238649a5a11e68e264ea1ed70eae79db_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:c290c8d9d433286ac038022c229b359500b7451a3d3f97c3c50371b6198df029_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2447075"
}
],
"notes": [
{
"category": "description",
"text": "An allowlist bypass flaw has been discovered in the npm @backstage/plugin-auth-backend package. Instances that have enabled experimental Dynamic Client Registration or Client ID Metadata Documents and configured allowedRedirectUriPatterns are affected. A specially crafted redirect URI can pass the allowlist validation while resolving to an attacker-controlled host. If a victim approves the resulting OAuth consent request, their authorization code is sent to the attacker, who can exchange it for a valid access token. This requires victim interaction and that one of the experimental features is explicitly enabled, which is not the default.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "@backstage/plugin-auth-backend: @backstage/plugin-auth-backend: OAuth redirect URI allowlist bypass",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:b99622b2ec913bdf7ad25a7a9919fbf07a6a177548b3f486acf648c533ca4f22_amd64"
],
"known_not_affected": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:b04577fd53315437ef4580af92055fb5238649a5a11e68e264ea1ed70eae79db_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:c290c8d9d433286ac038022c229b359500b7451a3d3f97c3c50371b6198df029_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-32235"
},
{
"category": "external",
"summary": "RHBZ#2447075",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2447075"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-32235",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32235"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-32235",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32235"
},
{
"category": "external",
"summary": "https://github.com/backstage/backstage/security/advisories/GHSA-wqvh-63mv-9w92",
"url": "https://github.com/backstage/backstage/security/advisories/GHSA-wqvh-63mv-9w92"
}
],
"release_date": "2026-03-12T18:35:06.325000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-09T14:38:34+00:00",
"details": "For more about Red Hat Developer Hub, see References links",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:b99622b2ec913bdf7ad25a7a9919fbf07a6a177548b3f486acf648c533ca4f22_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:24841"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:b99622b2ec913bdf7ad25a7a9919fbf07a6a177548b3f486acf648c533ca4f22_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:b04577fd53315437ef4580af92055fb5238649a5a11e68e264ea1ed70eae79db_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:c290c8d9d433286ac038022c229b359500b7451a3d3f97c3c50371b6198df029_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:b99622b2ec913bdf7ad25a7a9919fbf07a6a177548b3f486acf648c533ca4f22_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:b04577fd53315437ef4580af92055fb5238649a5a11e68e264ea1ed70eae79db_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:c290c8d9d433286ac038022c229b359500b7451a3d3f97c3c50371b6198df029_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "@backstage/plugin-auth-backend: @backstage/plugin-auth-backend: OAuth redirect URI allowlist bypass"
},
{
"cve": "CVE-2026-33349",
"cwe": {
"id": "CWE-1284",
"name": "Improper Validation of Specified Quantity in Input"
},
"discovery_date": "2026-03-24T20:02:32.870828+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:b04577fd53315437ef4580af92055fb5238649a5a11e68e264ea1ed70eae79db_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:c290c8d9d433286ac038022c229b359500b7451a3d3f97c3c50371b6198df029_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2450909"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in fast-xml-parser. A remote attacker can exploit this vulnerability by providing specially crafted XML input to an application using the affected library. The DocTypeReader component incorrectly processes configuration limits for entity counts and sizes when these limits are explicitly set to zero, bypassing intended restrictions. This oversight allows for unbounded entity expansion, consuming excessive memory and leading to a Denial of Service (DoS) condition, which makes the application unavailable to legitimate users.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "fast-xml-parser: fast-xml-parser: Denial of Service via unbounded entity expansion due to incorrect configuration limit handling",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:b99622b2ec913bdf7ad25a7a9919fbf07a6a177548b3f486acf648c533ca4f22_amd64"
],
"known_not_affected": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:b04577fd53315437ef4580af92055fb5238649a5a11e68e264ea1ed70eae79db_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:c290c8d9d433286ac038022c229b359500b7451a3d3f97c3c50371b6198df029_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-33349"
},
{
"category": "external",
"summary": "RHBZ#2450909",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450909"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-33349",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33349"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-33349",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33349"
},
{
"category": "external",
"summary": "https://github.com/NaturalIntelligence/fast-xml-parser/commit/239b64aa1fc5c5455ddebbbb54a187eb68c9fdb7",
"url": "https://github.com/NaturalIntelligence/fast-xml-parser/commit/239b64aa1fc5c5455ddebbbb54a187eb68c9fdb7"
},
{
"category": "external",
"summary": "https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-jp2q-39xq-3w4g",
"url": "https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-jp2q-39xq-3w4g"
}
],
"release_date": "2026-03-24T19:35:47.908000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-09T14:38:34+00:00",
"details": "For more about Red Hat Developer Hub, see References links",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:b99622b2ec913bdf7ad25a7a9919fbf07a6a177548b3f486acf648c533ca4f22_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:24841"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:b99622b2ec913bdf7ad25a7a9919fbf07a6a177548b3f486acf648c533ca4f22_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:b04577fd53315437ef4580af92055fb5238649a5a11e68e264ea1ed70eae79db_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:c290c8d9d433286ac038022c229b359500b7451a3d3f97c3c50371b6198df029_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:b99622b2ec913bdf7ad25a7a9919fbf07a6a177548b3f486acf648c533ca4f22_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:b04577fd53315437ef4580af92055fb5238649a5a11e68e264ea1ed70eae79db_amd64",
"Red Hat Developer Hub 1.10:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:c290c8d9d433286ac038022c229b359500b7451a3d3f97c3c50371b6198df029_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "fast-xml-parser: fast-xml-parser: Denial of Service via unbounded entity expansion due to incorrect configuration limit handling"
}
]
}
SUSE-SU-2026:0295-1
Vulnerability from csaf_suse - Published: 2026-01-26 13:19 - Updated: 2026-01-26 13:19

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-docs-22.22.0-150600.13.12.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-22.22.0-150600.13.12.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-22.22.0-150600.13.12.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-devel-22.22.0-150600.13.12.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-docs-22.22.0-150600.13.12.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP6:npm22-22.22.0-150600.13.12.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP6:npm22-22.22.0-150600.13.12.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:nodejs22-docs-22.22.0-150600.13.12.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-docs-22.22.0-150600.13.12.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-22.22.0-150600.13.12.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-22.22.0-150600.13.12.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-devel-22.22.0-150600.13.12.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-docs-22.22.0-150600.13.12.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP6:npm22-22.22.0-150600.13.12.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP6:npm22-22.22.0-150600.13.12.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:nodejs22-docs-22.22.0-150600.13.12.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-docs-22.22.0-150600.13.12.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-22.22.0-150600.13.12.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-22.22.0-150600.13.12.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-devel-22.22.0-150600.13.12.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-docs-22.22.0-150600.13.12.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP6:npm22-22.22.0-150600.13.12.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP6:npm22-22.22.0-150600.13.12.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:nodejs22-docs-22.22.0-150600.13.12.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-docs-22.22.0-150600.13.12.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-22.22.0-150600.13.12.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-22.22.0-150600.13.12.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-devel-22.22.0-150600.13.12.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-docs-22.22.0-150600.13.12.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP6:npm22-22.22.0-150600.13.12.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP6:npm22-22.22.0-150600.13.12.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:nodejs22-docs-22.22.0-150600.13.12.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-docs-22.22.0-150600.13.12.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-22.22.0-150600.13.12.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-22.22.0-150600.13.12.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-devel-22.22.0-150600.13.12.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-docs-22.22.0-150600.13.12.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP6:npm22-22.22.0-150600.13.12.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP6:npm22-22.22.0-150600.13.12.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:nodejs22-docs-22.22.0-150600.13.12.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-docs-22.22.0-150600.13.12.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-22.22.0-150600.13.12.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-22.22.0-150600.13.12.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-devel-22.22.0-150600.13.12.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-docs-22.22.0-150600.13.12.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP6:npm22-22.22.0-150600.13.12.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP6:npm22-22.22.0-150600.13.12.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:nodejs22-docs-22.22.0-150600.13.12.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-docs-22.22.0-150600.13.12.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-22.22.0-150600.13.12.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-22.22.0-150600.13.12.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-devel-22.22.0-150600.13.12.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-docs-22.22.0-150600.13.12.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP6:npm22-22.22.0-150600.13.12.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP6:npm22-22.22.0-150600.13.12.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:nodejs22-docs-22.22.0-150600.13.12.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.x86_64 | — |
Vendor Fix
|
| URL | Category |
|---|---|
| https://www.suse.com/support/security/rating/ | external |
| https://ftp.suse.com/pub/projects/security/csaf/s… | self |
| https://www.suse.com/support/update/announcement/… | self |
| https://lists.suse.com/pipermail/sle-security-upd… | self |
| https://bugzilla.suse.com/1256569 | self |
| https://bugzilla.suse.com/1256570 | self |
| https://bugzilla.suse.com/1256571 | self |
| https://bugzilla.suse.com/1256573 | self |
| https://bugzilla.suse.com/1256574 | self |
| https://bugzilla.suse.com/1256576 | self |
| https://bugzilla.suse.com/1256848 | self |
| https://www.suse.com/security/cve/CVE-2025-55130/ | self |
| https://www.suse.com/security/cve/CVE-2025-55131/ | self |
| https://www.suse.com/security/cve/CVE-2025-55132/ | self |
| https://www.suse.com/security/cve/CVE-2025-59465/ | self |
| https://www.suse.com/security/cve/CVE-2025-59466/ | self |
| https://www.suse.com/security/cve/CVE-2026-21637/ | self |
| https://www.suse.com/security/cve/CVE-2026-22036/ | self |
| https://www.suse.com/security/cve/CVE-2025-55130 | external |
| https://bugzilla.suse.com/1256569 | external |
| https://www.suse.com/security/cve/CVE-2025-55131 | external |
| https://bugzilla.suse.com/1256570 | external |
| https://www.suse.com/security/cve/CVE-2025-55132 | external |
| https://bugzilla.suse.com/1256571 | external |
| https://www.suse.com/security/cve/CVE-2025-59465 | external |
| https://bugzilla.suse.com/1256573 | external |
| https://www.suse.com/security/cve/CVE-2025-59466 | external |
| https://bugzilla.suse.com/1256574 | external |
| https://www.suse.com/security/cve/CVE-2026-21637 | external |
| https://bugzilla.suse.com/1256576 | external |
| https://www.suse.com/security/cve/CVE-2026-22036 | external |
| https://bugzilla.suse.com/1256843 | external |
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for nodejs22",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for nodejs22 fixes the following issues:\n\nSecurity fixes:\n\n- CVE-2026-22036: Fixed unbounded decompression chain in HTTP response leading \n to resource exhaustion (bsc#1256848)\n- CVE-2026-21637: Fixed synchronous exceptions thrown during callbacks that bypass \n TLS error handling and cause denial of service (bsc#1256576)\n- CVE-2025-55132: Fixed futimes() ability to access file even if process has read \n permissions only (bsc#1256571)\n- CVE-2025-55131: Fixed race condition that allowed allocations with leftover data \n leading to in-process secrets exposure (bsc#1256570)\n- CVE-2025-55130: Fixed filesystem permissions bypass via crafted symlinks (bsc#1256569)\n- CVE-2025-59465: Fixed malformed HTTP/2 HEADERS frame with invalid HPACK leading \n to crash (bsc#1256573)\n- CVE-2025-59466: Fixed uncatchable \u0027Maximum call stack size exceeded\u0027 error \n leading to crash (bsc#1256574)\n\nOther fixes:\n\n- Update to 22.22.0:\n * deps: updated undici to 6.23.0\n * deps: updated bundled c-ares to 1.34.6 (if used)\n * add TLSSocket default error handler\n * disable futimes when permission model is enabled\n * require full read and write to symlink APIs\n * rethrow stack overflow exceptions in async_hooks\n * refactor unsafe buffer creation to remove zero-fill toggle\n * route callback exceptions through error handlers\n\n- Update to 22.21.1:\n * src: avoid unnecessary string -\u003e char* -\u003e string round trips\n * src: remove unnecessary shadowed functions on Utf8Value \u0026 BufferValue\n * process: fix hrtime fast call signatures\n * http: improve writeEarlyHints by avoiding for-of loop\n \n- Update to 22.21.0:\n * cli: add --use-env-proxy\n * http: support http proxy for fetch under NODE_USE_ENV_PROXY\n * http: add shouldUpgradeCallback to let servers control HTTP upgrades\n * http,https: add built-in proxy support in http/https.request and Agent\n * src: add percentage support to --max-old-space-size\n\n- Update to 22.20.0\n * 
doc: stabilize --disable-sigusr1\n * doc: mark path.matchesGlob as stable\n * http: add Agent.agentKeepAliveTimeoutBuffer option\n * http2: add support for raw header arrays in h2Stream.respond()\n * inspector: add http2 tracking support\n * sea: implement execArgvExtension\n * sea: support execArgv in sea config\n * stream: add brotli support to CompressionStream and DecompressionStream\n * test_runner: support object property mocking\n * worker: add cpu profile APIs for worker\n \n- Update to 22.19.0\n * cli: add NODE_USE_SYSTEM_CA=1\n * cli: support ${pid} placeholder in --cpu-prof-name\n * crypto: add tls.setDefaultCACertificates()\n * dns: support max timeout\n * doc: update the instruction on how to verify releases\n * esm: unflag --experimental-wasm-modules\n * http: add server.keepAliveTimeoutBuffer option\n * lib: docs deprecate _http_*\n * net: update net.blocklist to allow file save and file management\n * process: add threadCpuUsage\n * zlib: add dictionary support to zstdCompress and zstdDecompress\n \n- Update to 22.18.0:\n * deps: update amaro to 1.1.0\n * doc: add all watch-mode related flags to node.1\n * doc: add islandryu to collaborators\n * esm: implement import.meta.main\n * fs: allow correct handling of burst in fs-events with AsyncIterator\n * permission: propagate permission model flags on spawn\n * sqlite: add support for readBigInts option in db connection level\n * src,permission: add support to permission.has(addon)\n * url: add fileURLToPathBuffer API\n * watch: add --watch-kill-signal flag\n * worker: make Worker async disposable\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2026-295,SUSE-SLE-Product-SLES-15-SP6-LTSS-2026-295,SUSE-SLE-Product-SLES_SAP-15-SP6-2026-295,openSUSE-SLE-15.6-2026-295",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_0295-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:0295-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20260295-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:0295-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-January/023921.html"
},
{
"category": "self",
"summary": "SUSE Bug 1256569",
"url": "https://bugzilla.suse.com/1256569"
},
{
"category": "self",
"summary": "SUSE Bug 1256570",
"url": "https://bugzilla.suse.com/1256570"
},
{
"category": "self",
"summary": "SUSE Bug 1256571",
"url": "https://bugzilla.suse.com/1256571"
},
{
"category": "self",
"summary": "SUSE Bug 1256573",
"url": "https://bugzilla.suse.com/1256573"
},
{
"category": "self",
"summary": "SUSE Bug 1256574",
"url": "https://bugzilla.suse.com/1256574"
},
{
"category": "self",
"summary": "SUSE Bug 1256576",
"url": "https://bugzilla.suse.com/1256576"
},
{
"category": "self",
"summary": "SUSE Bug 1256848",
"url": "https://bugzilla.suse.com/1256848"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-55130 page",
"url": "https://www.suse.com/security/cve/CVE-2025-55130/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-55131 page",
"url": "https://www.suse.com/security/cve/CVE-2025-55131/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-55132 page",
"url": "https://www.suse.com/security/cve/CVE-2025-55132/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-59465 page",
"url": "https://www.suse.com/security/cve/CVE-2025-59465/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-59466 page",
"url": "https://www.suse.com/security/cve/CVE-2025-59466/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-21637 page",
"url": "https://www.suse.com/security/cve/CVE-2026-21637/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-22036 page",
"url": "https://www.suse.com/security/cve/CVE-2026-22036/"
}
],
"title": "Security update for nodejs22",
"tracking": {
"current_release_date": "2026-01-26T13:19:01Z",
"generator": {
"date": "2026-01-26T13:19:01Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:0295-1",
"initial_release_date": "2026-01-26T13:19:01Z",
"revision_history": [
{
"date": "2026-01-26T13:19:01Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "corepack22-22.22.0-150600.13.12.1.aarch64",
"product": {
"name": "corepack22-22.22.0-150600.13.12.1.aarch64",
"product_id": "corepack22-22.22.0-150600.13.12.1.aarch64"
}
},
{
"category": "product_version",
"name": "nodejs22-22.22.0-150600.13.12.1.aarch64",
"product": {
"name": "nodejs22-22.22.0-150600.13.12.1.aarch64",
"product_id": "nodejs22-22.22.0-150600.13.12.1.aarch64"
}
},
{
"category": "product_version",
"name": "nodejs22-devel-22.22.0-150600.13.12.1.aarch64",
"product": {
"name": "nodejs22-devel-22.22.0-150600.13.12.1.aarch64",
"product_id": "nodejs22-devel-22.22.0-150600.13.12.1.aarch64"
}
},
{
"category": "product_version",
"name": "npm22-22.22.0-150600.13.12.1.aarch64",
"product": {
"name": "npm22-22.22.0-150600.13.12.1.aarch64",
"product_id": "npm22-22.22.0-150600.13.12.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "corepack22-22.22.0-150600.13.12.1.i586",
"product": {
"name": "corepack22-22.22.0-150600.13.12.1.i586",
"product_id": "corepack22-22.22.0-150600.13.12.1.i586"
}
},
{
"category": "product_version",
"name": "nodejs22-22.22.0-150600.13.12.1.i586",
"product": {
"name": "nodejs22-22.22.0-150600.13.12.1.i586",
"product_id": "nodejs22-22.22.0-150600.13.12.1.i586"
}
},
{
"category": "product_version",
"name": "nodejs22-devel-22.22.0-150600.13.12.1.i586",
"product": {
"name": "nodejs22-devel-22.22.0-150600.13.12.1.i586",
"product_id": "nodejs22-devel-22.22.0-150600.13.12.1.i586"
}
},
{
"category": "product_version",
"name": "npm22-22.22.0-150600.13.12.1.i586",
"product": {
"name": "npm22-22.22.0-150600.13.12.1.i586",
"product_id": "npm22-22.22.0-150600.13.12.1.i586"
}
}
],
"category": "architecture",
"name": "i586"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs22-docs-22.22.0-150600.13.12.1.noarch",
"product": {
"name": "nodejs22-docs-22.22.0-150600.13.12.1.noarch",
"product_id": "nodejs22-docs-22.22.0-150600.13.12.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "corepack22-22.22.0-150600.13.12.1.ppc64le",
"product": {
"name": "corepack22-22.22.0-150600.13.12.1.ppc64le",
"product_id": "corepack22-22.22.0-150600.13.12.1.ppc64le"
}
},
{
"category": "product_version",
"name": "nodejs22-22.22.0-150600.13.12.1.ppc64le",
"product": {
"name": "nodejs22-22.22.0-150600.13.12.1.ppc64le",
"product_id": "nodejs22-22.22.0-150600.13.12.1.ppc64le"
}
},
{
"category": "product_version",
"name": "nodejs22-devel-22.22.0-150600.13.12.1.ppc64le",
"product": {
"name": "nodejs22-devel-22.22.0-150600.13.12.1.ppc64le",
"product_id": "nodejs22-devel-22.22.0-150600.13.12.1.ppc64le"
}
},
{
"category": "product_version",
"name": "npm22-22.22.0-150600.13.12.1.ppc64le",
"product": {
"name": "npm22-22.22.0-150600.13.12.1.ppc64le",
"product_id": "npm22-22.22.0-150600.13.12.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "corepack22-22.22.0-150600.13.12.1.s390x",
"product": {
"name": "corepack22-22.22.0-150600.13.12.1.s390x",
"product_id": "corepack22-22.22.0-150600.13.12.1.s390x"
}
},
{
"category": "product_version",
"name": "nodejs22-22.22.0-150600.13.12.1.s390x",
"product": {
"name": "nodejs22-22.22.0-150600.13.12.1.s390x",
"product_id": "nodejs22-22.22.0-150600.13.12.1.s390x"
}
},
{
"category": "product_version",
"name": "nodejs22-devel-22.22.0-150600.13.12.1.s390x",
"product": {
"name": "nodejs22-devel-22.22.0-150600.13.12.1.s390x",
"product_id": "nodejs22-devel-22.22.0-150600.13.12.1.s390x"
}
},
{
"category": "product_version",
"name": "npm22-22.22.0-150600.13.12.1.s390x",
"product": {
"name": "npm22-22.22.0-150600.13.12.1.s390x",
"product_id": "npm22-22.22.0-150600.13.12.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "corepack22-22.22.0-150600.13.12.1.x86_64",
"product": {
"name": "corepack22-22.22.0-150600.13.12.1.x86_64",
"product_id": "corepack22-22.22.0-150600.13.12.1.x86_64"
}
},
{
"category": "product_version",
"name": "nodejs22-22.22.0-150600.13.12.1.x86_64",
"product": {
"name": "nodejs22-22.22.0-150600.13.12.1.x86_64",
"product_id": "nodejs22-22.22.0-150600.13.12.1.x86_64"
}
},
{
"category": "product_version",
"name": "nodejs22-devel-22.22.0-150600.13.12.1.x86_64",
"product": {
"name": "nodejs22-devel-22.22.0-150600.13.12.1.x86_64",
"product_id": "nodejs22-devel-22.22.0-150600.13.12.1.x86_64"
}
},
{
"category": "product_version",
"name": "npm22-22.22.0-150600.13.12.1.x86_64",
"product": {
"name": "npm22-22.22.0-150600.13.12.1.x86_64",
"product_id": "npm22-22.22.0-150600.13.12.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 15 SP6-LTSS",
"product": {
"name": "SUSE Linux Enterprise Server 15 SP6-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP6-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles-ltss:15:sp6"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP Applications 15 SP6",
"product": {
"name": "SUSE Linux Enterprise Server for SAP Applications 15 SP6",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP6",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles_sap:15:sp6"
}
}
},
{
"category": "product_name",
"name": "openSUSE Leap 15.6",
"product": {
"name": "openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.6"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs22-22.22.0-150600.13.12.1.aarch64 as component of SUSE Linux Enterprise Server 15 SP6-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.aarch64"
},
"product_reference": "nodejs22-22.22.0-150600.13.12.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP6-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs22-22.22.0-150600.13.12.1.ppc64le as component of SUSE Linux Enterprise Server 15 SP6-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.ppc64le"
},
"product_reference": "nodejs22-22.22.0-150600.13.12.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP6-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs22-22.22.0-150600.13.12.1.s390x as component of SUSE Linux Enterprise Server 15 SP6-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.s390x"
},
"product_reference": "nodejs22-22.22.0-150600.13.12.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP6-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs22-22.22.0-150600.13.12.1.x86_64 as component of SUSE Linux Enterprise Server 15 SP6-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.x86_64"
},
"product_reference": "nodejs22-22.22.0-150600.13.12.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP6-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs22-devel-22.22.0-150600.13.12.1.aarch64 as component of SUSE Linux Enterprise Server 15 SP6-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.aarch64"
},
"product_reference": "nodejs22-devel-22.22.0-150600.13.12.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP6-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs22-devel-22.22.0-150600.13.12.1.ppc64le as component of SUSE Linux Enterprise Server 15 SP6-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le"
},
"product_reference": "nodejs22-devel-22.22.0-150600.13.12.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP6-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs22-devel-22.22.0-150600.13.12.1.s390x as component of SUSE Linux Enterprise Server 15 SP6-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.s390x"
},
"product_reference": "nodejs22-devel-22.22.0-150600.13.12.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP6-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs22-devel-22.22.0-150600.13.12.1.x86_64 as component of SUSE Linux Enterprise Server 15 SP6-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.x86_64"
},
"product_reference": "nodejs22-devel-22.22.0-150600.13.12.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP6-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs22-docs-22.22.0-150600.13.12.1.noarch as component of SUSE Linux Enterprise Server 15 SP6-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-docs-22.22.0-150600.13.12.1.noarch"
},
"product_reference": "nodejs22-docs-22.22.0-150600.13.12.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP6-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm22-22.22.0-150600.13.12.1.aarch64 as component of SUSE Linux Enterprise Server 15 SP6-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.aarch64"
},
"product_reference": "npm22-22.22.0-150600.13.12.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP6-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm22-22.22.0-150600.13.12.1.ppc64le as component of SUSE Linux Enterprise Server 15 SP6-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.ppc64le"
},
"product_reference": "npm22-22.22.0-150600.13.12.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP6-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm22-22.22.0-150600.13.12.1.s390x as component of SUSE Linux Enterprise Server 15 SP6-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.s390x"
},
"product_reference": "npm22-22.22.0-150600.13.12.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP6-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm22-22.22.0-150600.13.12.1.x86_64 as component of SUSE Linux Enterprise Server 15 SP6-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.x86_64"
},
"product_reference": "npm22-22.22.0-150600.13.12.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP6-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs22-22.22.0-150600.13.12.1.ppc64le as component of SUSE Linux Enterprise Server for SAP Applications 15 SP6",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-22.22.0-150600.13.12.1.ppc64le"
},
"product_reference": "nodejs22-22.22.0-150600.13.12.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs22-22.22.0-150600.13.12.1.x86_64 as component of SUSE Linux Enterprise Server for SAP Applications 15 SP6",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-22.22.0-150600.13.12.1.x86_64"
},
"product_reference": "nodejs22-22.22.0-150600.13.12.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs22-devel-22.22.0-150600.13.12.1.ppc64le as component of SUSE Linux Enterprise Server for SAP Applications 15 SP6",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le"
},
"product_reference": "nodejs22-devel-22.22.0-150600.13.12.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs22-devel-22.22.0-150600.13.12.1.x86_64 as component of SUSE Linux Enterprise Server for SAP Applications 15 SP6",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-devel-22.22.0-150600.13.12.1.x86_64"
},
"product_reference": "nodejs22-devel-22.22.0-150600.13.12.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs22-docs-22.22.0-150600.13.12.1.noarch as component of SUSE Linux Enterprise Server for SAP Applications 15 SP6",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-docs-22.22.0-150600.13.12.1.noarch"
},
"product_reference": "nodejs22-docs-22.22.0-150600.13.12.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm22-22.22.0-150600.13.12.1.ppc64le as component of SUSE Linux Enterprise Server for SAP Applications 15 SP6",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP6:npm22-22.22.0-150600.13.12.1.ppc64le"
},
"product_reference": "npm22-22.22.0-150600.13.12.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm22-22.22.0-150600.13.12.1.x86_64 as component of SUSE Linux Enterprise Server for SAP Applications 15 SP6",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP6:npm22-22.22.0-150600.13.12.1.x86_64"
},
"product_reference": "npm22-22.22.0-150600.13.12.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "corepack22-22.22.0-150600.13.12.1.aarch64 as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.aarch64"
},
"product_reference": "corepack22-22.22.0-150600.13.12.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "corepack22-22.22.0-150600.13.12.1.ppc64le as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.ppc64le"
},
"product_reference": "corepack22-22.22.0-150600.13.12.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "corepack22-22.22.0-150600.13.12.1.s390x as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.s390x"
},
"product_reference": "corepack22-22.22.0-150600.13.12.1.s390x",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "corepack22-22.22.0-150600.13.12.1.x86_64 as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.x86_64"
},
"product_reference": "corepack22-22.22.0-150600.13.12.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs22-22.22.0-150600.13.12.1.aarch64 as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.aarch64"
},
"product_reference": "nodejs22-22.22.0-150600.13.12.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs22-22.22.0-150600.13.12.1.ppc64le as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.ppc64le"
},
"product_reference": "nodejs22-22.22.0-150600.13.12.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs22-22.22.0-150600.13.12.1.s390x as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.s390x"
},
"product_reference": "nodejs22-22.22.0-150600.13.12.1.s390x",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs22-22.22.0-150600.13.12.1.x86_64 as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.x86_64"
},
"product_reference": "nodejs22-22.22.0-150600.13.12.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs22-devel-22.22.0-150600.13.12.1.aarch64 as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.aarch64"
},
"product_reference": "nodejs22-devel-22.22.0-150600.13.12.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs22-devel-22.22.0-150600.13.12.1.ppc64le as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le"
},
"product_reference": "nodejs22-devel-22.22.0-150600.13.12.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs22-devel-22.22.0-150600.13.12.1.s390x as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.s390x"
},
"product_reference": "nodejs22-devel-22.22.0-150600.13.12.1.s390x",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs22-devel-22.22.0-150600.13.12.1.x86_64 as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.x86_64"
},
"product_reference": "nodejs22-devel-22.22.0-150600.13.12.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs22-docs-22.22.0-150600.13.12.1.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:nodejs22-docs-22.22.0-150600.13.12.1.noarch"
},
"product_reference": "nodejs22-docs-22.22.0-150600.13.12.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm22-22.22.0-150600.13.12.1.aarch64 as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.aarch64"
},
"product_reference": "npm22-22.22.0-150600.13.12.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm22-22.22.0-150600.13.12.1.ppc64le as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.ppc64le"
},
"product_reference": "npm22-22.22.0-150600.13.12.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm22-22.22.0-150600.13.12.1.s390x as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.s390x"
},
"product_reference": "npm22-22.22.0-150600.13.12.1.s390x",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm22-22.22.0-150600.13.12.1.x86_64 as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.x86_64"
},
"product_reference": "npm22-22.22.0-150600.13.12.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.6"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-55130",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-55130"
}
],
"notes": [
{
"category": "general",
"text": "A flaw in Node.js\u0027s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write, leading to potential system compromise.\nThis vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.aarch64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.s390x",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.aarch64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.s390x",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-docs-22.22.0-150600.13.12.1.noarch",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.aarch64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.s390x",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-devel-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-docs-22.22.0-150600.13.12.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:npm22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:npm22-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:nodejs22-docs-22.22.0-150600.13.12.1.noarch",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-55130",
"url": "https://www.suse.com/security/cve/CVE-2025-55130"
},
{
"category": "external",
"summary": "SUSE Bug 1256569 for CVE-2025-55130",
"url": "https://bugzilla.suse.com/1256569"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.aarch64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.s390x",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.aarch64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.s390x",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-docs-22.22.0-150600.13.12.1.noarch",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.aarch64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.s390x",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-devel-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-docs-22.22.0-150600.13.12.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:npm22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:npm22-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:nodejs22-docs-22.22.0-150600.13.12.1.noarch",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.aarch64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.s390x",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.aarch64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.s390x",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-docs-22.22.0-150600.13.12.1.noarch",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.aarch64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.s390x",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-devel-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-docs-22.22.0-150600.13.12.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:npm22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:npm22-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:nodejs22-docs-22.22.0-150600.13.12.1.noarch",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-26T13:19:01Z",
"details": "important"
}
],
"title": "CVE-2025-55130"
},
{
"cve": "CVE-2025-55131",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-55131"
}
],
"notes": [
{
"category": "general",
"text": "A flaw in Node.js\u0027s buffer allocation logic can expose uninitialized memory when allocations are interrupted while using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption. While exploitation typically requires precise timing or in-process code execution, it can become remotely exploitable when untrusted input influences workload and timeouts, leading to potential confidentiality and integrity impact.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.aarch64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.s390x",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.aarch64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.s390x",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-docs-22.22.0-150600.13.12.1.noarch",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.aarch64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.s390x",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-devel-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-docs-22.22.0-150600.13.12.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:npm22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:npm22-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:nodejs22-docs-22.22.0-150600.13.12.1.noarch",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-55131",
"url": "https://www.suse.com/security/cve/CVE-2025-55131"
},
{
"category": "external",
"summary": "SUSE Bug 1256570 for CVE-2025-55131",
"url": "https://bugzilla.suse.com/1256570"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.aarch64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.s390x",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.aarch64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.s390x",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-docs-22.22.0-150600.13.12.1.noarch",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.aarch64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.s390x",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-devel-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-docs-22.22.0-150600.13.12.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:npm22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:npm22-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:nodejs22-docs-22.22.0-150600.13.12.1.noarch",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.aarch64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.s390x",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.aarch64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.s390x",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-docs-22.22.0-150600.13.12.1.noarch",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.aarch64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.s390x",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-devel-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-docs-22.22.0-150600.13.12.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:npm22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:npm22-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:nodejs22-docs-22.22.0-150600.13.12.1.noarch",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-26T13:19:01Z",
"details": "important"
}
],
"title": "CVE-2025-55131"
},
{
"cve": "CVE-2025-55132",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-55132"
}
],
"notes": [
{
"category": "general",
"text": "A flaw in Node.js\u0027s permission model allows a file\u0027s access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.aarch64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.s390x",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.aarch64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.s390x",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-docs-22.22.0-150600.13.12.1.noarch",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.aarch64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.s390x",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-devel-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-docs-22.22.0-150600.13.12.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:npm22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:npm22-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:nodejs22-docs-22.22.0-150600.13.12.1.noarch",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-55132",
"url": "https://www.suse.com/security/cve/CVE-2025-55132"
},
{
"category": "external",
"summary": "SUSE Bug 1256571 for CVE-2025-55132",
"url": "https://bugzilla.suse.com/1256571"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.aarch64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.s390x",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.aarch64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.s390x",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-docs-22.22.0-150600.13.12.1.noarch",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.aarch64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.s390x",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-devel-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-docs-22.22.0-150600.13.12.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:npm22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:npm22-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:nodejs22-docs-22.22.0-150600.13.12.1.noarch",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.aarch64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.s390x",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.aarch64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.s390x",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-docs-22.22.0-150600.13.12.1.noarch",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.aarch64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.s390x",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-devel-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-docs-22.22.0-150600.13.12.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:npm22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:npm22-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:nodejs22-docs-22.22.0-150600.13.12.1.noarch",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-26T13:19:01Z",
"details": "low"
}
],
"title": "CVE-2025-55132"
},
{
"cve": "CVE-2025-59465",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-59465"
}
],
"notes": [
{
"category": "general",
"text": "A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets. An explicit handler of the kind that affected applications are missing looks like this:\n```\nserver.on(\u0027secureConnection\u0027, socket =\u003e {\n socket.on(\u0027error\u0027, err =\u003e {\n console.log(err)\n })\n})\n```",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.aarch64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.s390x",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.aarch64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.s390x",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-docs-22.22.0-150600.13.12.1.noarch",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.aarch64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.s390x",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-devel-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-docs-22.22.0-150600.13.12.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:npm22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:npm22-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:nodejs22-docs-22.22.0-150600.13.12.1.noarch",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-59465",
"url": "https://www.suse.com/security/cve/CVE-2025-59465"
},
{
"category": "external",
"summary": "SUSE Bug 1256573 for CVE-2025-59465",
"url": "https://bugzilla.suse.com/1256573"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.aarch64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.s390x",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.aarch64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.s390x",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-docs-22.22.0-150600.13.12.1.noarch",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.aarch64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.s390x",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-devel-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-docs-22.22.0-150600.13.12.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:npm22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:npm22-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:nodejs22-docs-22.22.0-150600.13.12.1.noarch",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.aarch64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.s390x",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.aarch64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.s390x",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-docs-22.22.0-150600.13.12.1.noarch",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.aarch64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.s390x",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-devel-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-docs-22.22.0-150600.13.12.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:npm22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:npm22-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:nodejs22-docs-22.22.0-150600.13.12.1.noarch",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-26T13:19:01Z",
"details": "important"
}
],
"title": "CVE-2025-59465"
},
{
"cve": "CVE-2025-59466",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-59466"
}
],
"notes": [
{
"category": "general",
"text": "We have identified a bug in Node.js error handling where \"Maximum call stack size exceeded\" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on(\u0027uncaughtException\u0027)`, the process terminates, making the crash unrecoverable. Applications that rely on `AsyncLocalStorage` (v22, v20) or `async_hooks.createHook()` (v24, v22, v20) become vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.aarch64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.s390x",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.aarch64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.s390x",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-docs-22.22.0-150600.13.12.1.noarch",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.aarch64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.s390x",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-devel-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-docs-22.22.0-150600.13.12.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:npm22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:npm22-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:nodejs22-docs-22.22.0-150600.13.12.1.noarch",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-59466",
"url": "https://www.suse.com/security/cve/CVE-2025-59466"
},
{
"category": "external",
"summary": "SUSE Bug 1256574 for CVE-2025-59466",
"url": "https://bugzilla.suse.com/1256574"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.aarch64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.s390x",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.aarch64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.s390x",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-docs-22.22.0-150600.13.12.1.noarch",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.aarch64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.s390x",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-devel-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-docs-22.22.0-150600.13.12.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:npm22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:npm22-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:nodejs22-docs-22.22.0-150600.13.12.1.noarch",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.aarch64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.s390x",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.aarch64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.s390x",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-docs-22.22.0-150600.13.12.1.noarch",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.aarch64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.s390x",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-devel-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-docs-22.22.0-150600.13.12.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:npm22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:npm22-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:nodejs22-docs-22.22.0-150600.13.12.1.noarch",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-26T13:19:01Z",
"details": "moderate"
}
],
"title": "CVE-2025-59466"
},
{
"cve": "CVE-2026-21637",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-21637"
}
],
"notes": [
{
"category": "general",
"text": "A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across Node.js versions where these callbacks throw without being safely wrapped.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.aarch64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.s390x",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.aarch64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.s390x",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-docs-22.22.0-150600.13.12.1.noarch",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.aarch64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.s390x",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-devel-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-docs-22.22.0-150600.13.12.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:npm22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:npm22-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:nodejs22-docs-22.22.0-150600.13.12.1.noarch",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-21637",
"url": "https://www.suse.com/security/cve/CVE-2026-21637"
},
{
"category": "external",
"summary": "SUSE Bug 1256576 for CVE-2026-21637",
"url": "https://bugzilla.suse.com/1256576"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.aarch64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.s390x",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.aarch64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.s390x",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-docs-22.22.0-150600.13.12.1.noarch",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.aarch64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.s390x",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-devel-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-docs-22.22.0-150600.13.12.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:npm22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:npm22-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:nodejs22-docs-22.22.0-150600.13.12.1.noarch",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.aarch64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.s390x",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.aarch64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.s390x",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-docs-22.22.0-150600.13.12.1.noarch",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.aarch64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.s390x",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-devel-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-docs-22.22.0-150600.13.12.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:npm22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:npm22-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:nodejs22-docs-22.22.0-150600.13.12.1.noarch",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-26T13:19:01Z",
"details": "moderate"
}
],
"title": "CVE-2026-21637"
},
{
"cve": "CVE-2026-22036",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-22036"
}
],
"notes": [
{
"category": "general",
"text": "Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands of compression steps, leading to high CPU usage and excessive memory allocation. This vulnerability is fixed in 7.18.0 and 6.23.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.aarch64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.s390x",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.aarch64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.s390x",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-docs-22.22.0-150600.13.12.1.noarch",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.aarch64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.s390x",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-devel-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-docs-22.22.0-150600.13.12.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:npm22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:npm22-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:nodejs22-docs-22.22.0-150600.13.12.1.noarch",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-22036",
"url": "https://www.suse.com/security/cve/CVE-2026-22036"
},
{
"category": "external",
"summary": "SUSE Bug 1256843 for CVE-2026-22036",
"url": "https://bugzilla.suse.com/1256843"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.aarch64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.s390x",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.aarch64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.s390x",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-docs-22.22.0-150600.13.12.1.noarch",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.aarch64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.s390x",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-devel-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-docs-22.22.0-150600.13.12.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:npm22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:npm22-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:nodejs22-docs-22.22.0-150600.13.12.1.noarch",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.aarch64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.s390x",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.aarch64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.s390x",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-devel-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:nodejs22-docs-22.22.0-150600.13.12.1.noarch",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.aarch64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.s390x",
"SUSE Linux Enterprise Server 15 SP6-LTSS:npm22-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-devel-22.22.0-150600.13.12.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:nodejs22-docs-22.22.0-150600.13.12.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:npm22-22.22.0-150600.13.12.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:npm22-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:corepack22-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:nodejs22-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:nodejs22-devel-22.22.0-150600.13.12.1.x86_64",
"openSUSE Leap 15.6:nodejs22-docs-22.22.0-150600.13.12.1.noarch",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.aarch64",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.ppc64le",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.s390x",
"openSUSE Leap 15.6:npm22-22.22.0-150600.13.12.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-26T13:19:01Z",
"details": "moderate"
}
],
"title": "CVE-2026-22036"
}
]
}