VYPR

apk package

chainguard/nodejs-20-doc

pkg:apk/chainguard/nodejs-20-doc

Vulnerabilities (31)

  • CVE-2025-55131HigJan 20, 2026
    affected < 20.20.0-r0fixed 20.20.0-r0

    A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Ar

  • CVE-2026-21636Jan 20, 2026
    affected < 20.20.0-r0fixed 20.20.0-r0

    A flaw in Node.js's permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when `--permission` is enabled. Even without `--allow-net`, attacker-controlled inputs (such as URLs or socketPath options) can connect to arbitrary local sockets via n

  • CVE-2025-59466Jan 20, 2026
    affected < 20.20.0-r0fixed 20.20.0-r0

    We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on('uncaughtException')`, the process terminates, making the crash unrecoverable. Applica

  • CVE-2025-55132Jan 20, 2026
    affected < 20.20.0-r0fixed 20.20.0-r0

    A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can

  • CVE-2025-59464Jan 20, 2026
    affected < 20.20.0-r0fixed 20.20.0-r0

    A memory leak in Node.js’s OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. When applications call `socket.getPeerCertificate(true)`, each certificate field leaks memory, allowing remote clients to trigger steady

  • CVE-2025-55130Jan 20, 2026
    affected < 20.20.0-r0fixed 20.20.0-r0

    A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and

  • CVE-2026-21637Jan 20, 2026
    affected < 20.20.0-r0fixed 20.20.0-r0

    A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), ca

  • CVE-2025-59465Jan 20, 2026
    affected < 20.20.0-r0fixed 20.20.0-r0

    A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects

  • CVE-2025-23083HigJan 22, 2025
    affected < 20.18.2-r0fixed 20.18.2-r0

    With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created. This is not limited only to workers but also exposes internal workers, where an instance of them can be fetched, and its constructor can be grabbed and reinstated for

  • CVE-2024-27980HigJan 9, 2025
    affected < 20.12.2-r0fixed 20.12.2-r0

    Due to the improper handling of batch files in child_process.spawn / child_process.spawnSync, a malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.

  • CVE-2023-30587HigSep 7, 2024
    affected < 20.3.1-r0fixed 20.3.1-r0

    A vulnerability in Node.js version 20 allows for bypassing restrictions set by the --experimental-permission flag using the built-in inspector module (node:inspector). By exploiting the Worker class's ability to create an "internal worker" with the kIsInternal Symbol, attackers

  • CVE-2023-30584HigSep 7, 2024
    affected < 20.3.1-r0fixed 20.3.1-r0

    A vulnerability has been discovered in Node.js version 20, specifically within the experimental permission model. This flaw relates to improper handling of path traversal bypass when verifying file permissions. Please note that at the time this CVE was issued, the permission mod

  • CVE-2023-30583HigSep 7, 2024
    affected < 20.3.1-r0fixed 20.3.1-r0

    fs.openAsBlob() can bypass the experimental permission model when using the file system read restriction with the `--allow-fs-read` flag in Node.js 20. This flaw arises from a missing check in the `fs.openAsBlob()` API. Please note that at the time this CVE was issued, the permi

  • CVE-2023-30582MedSep 7, 2024
    affected < 20.3.1-r0fixed 20.3.1-r0

    A vulnerability has been identified in Node.js version 20, affecting users of the experimental permission model when the --allow-fs-read flag is used with a non-* argument. This flaw arises from an inadequate permission model that fails to restrict file watching through the fs.wa

  • CVE-2024-7592Aug 19, 2024
    affected < 20.19.5-r0fixed 20.19.5-r0

    There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in

  • CVE-2024-6923MedAug 1, 2024
    affected < 20.19.5-r0fixed 20.19.5-r0

    There is a MEDIUM severity vulnerability affecting CPython. The email module didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized.

  • CVE-2024-24806Feb 7, 2024
    affected < 20.11.0-r1fixed 20.11.0-r1

    libuv is a multi-platform support library with a focus on asynchronous I/O. The `uv_getaddrinfo` function in `src/unix/getaddrinfo.c` (and its windows counterpart `src/win/getaddrinfo.c`), truncates hostnames to 256 characters before calling `getaddrinfo`. This behavior can be ex

  • CVE-2023-30590Nov 28, 2023
    affected < 20.3.1-r0fixed 20.3.1-r0

    The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or outdated) keys, that is, it only generates a private key if none has been set yet, but the function is also needed to compute the corresponding public key after calling setPrivat

  • CVE-2023-30588Nov 28, 2023
    affected < 20.3.1-r0fixed 20.3.1-r0

    When an invalid public key is used to create an x509 certificate using the crypto.X509Certificate() API a non-expect termination occurs making it susceptible to DoS attacks when the attacker could force interruptions of application processing, as the process terminates when acces

  • CVE-2023-30585Nov 28, 2023
    affected < 20.3.1-r0fixed 20.3.1-r0

    A vulnerability has been identified in the Node.js (.msi version) installation process, specifically affecting Windows users who install Node.js using the .msi installer. This vulnerability emerges during the repair operation, where the "msiexec.exe" process, running under the NT

Page 1 of 2