apk package
chainguard/nodejs-21
pkg:apk/chainguard/nodejs-21
Vulnerabilities (9)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-23166 | Hig | 7.5 | < 21.7.3-r12 | 21.7.3-r12 | May 19, 2025 | The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentiall | |
| CVE-2025-23165 | Low | 3.7 | < 21.7.3-r12 | 21.7.3-r12 | May 19, 2025 | In Node.js, the `ReadFileUtf8` internal binding leaks memory due to a corrupted pointer in `uv_fs_s.file`: a UTF-16 path buffer is allocated but subsequently overwritten when the file descriptor is set. This results in an unrecoverable memory leak on every call. Repeated use can | |
| CVE-2025-23085 | Med | 5.3 | < 21.7.3-r12 | 21.7.3-r12 | Feb 7, 2025 | A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could lead to inc | |
| CVE-2025-23084 | — | < 21.7.3-r13 | 21.7.3-r13 | Jan 28, 2025 | A vulnerability has been identified in Node.js, specifically affecting the handling of drive names in the Windows environment. Certain Node.js functions do not treat drive names as special on Windows. As a result, although Node.js assumes a relative path, it actually refers to th | ||
| CVE-2025-23083 | Hig | 7.7 | < 21.7.3-r12 | 21.7.3-r12 | Jan 22, 2025 | With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created. This is not limited only to workers but also exposes internal workers, where an instance of them can be fetched, and its constructor can be grabbed and reinstated for | |
| CVE-2024-37372 | Low | 3.6 | < 21.7.3-r8 | 21.7.3-r8 | Jan 9, 2025 | The Permission Model assumes that any path starting with two backslashes \ has a four-character prefix that can be ignored, which is not always true. This subtle bug leads to vulnerable edge cases. | |
| CVE-2024-27980 | Hig | 8.1 | < 21.7.3-r0 | 21.7.3-r0 | Jan 9, 2025 | Due to the improper handling of batch files in child_process.spawn / child_process.spawnSync, a malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled. | |
| CVE-2024-36138 | Hig | 8.1 | < 21.7.3-r13 | 21.7.3-r13 | Sep 7, 2024 | Bypass incomplete fix of CVE-2024-27980, that arises from improper handling of batch files with all possible extensions on Windows via child_process.spawn / child_process.spawnSync. A malicious command line argument can inject arbitrary commands and achieve code execution even if | |
| CVE-2024-24806 | — | < 21.6.1-r1 | 21.6.1-r1 | Feb 7, 2024 | libuv is a multi-platform support library with a focus on asynchronous I/O. The `uv_getaddrinfo` function in `src/unix/getaddrinfo.c` (and its windows counterpart `src/win/getaddrinfo.c`), truncates hostnames to 256 characters before calling `getaddrinfo`. This behavior can be ex |
- affected < 21.7.3-r12fixed 21.7.3-r12
The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentiall
- affected < 21.7.3-r12fixed 21.7.3-r12
In Node.js, the `ReadFileUtf8` internal binding leaks memory due to a corrupted pointer in `uv_fs_s.file`: a UTF-16 path buffer is allocated but subsequently overwritten when the file descriptor is set. This results in an unrecoverable memory leak on every call. Repeated use can
- affected < 21.7.3-r12fixed 21.7.3-r12
A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could lead to inc
- CVE-2025-23084Jan 28, 2025affected < 21.7.3-r13fixed 21.7.3-r13
A vulnerability has been identified in Node.js, specifically affecting the handling of drive names in the Windows environment. Certain Node.js functions do not treat drive names as special on Windows. As a result, although Node.js assumes a relative path, it actually refers to th
- affected < 21.7.3-r12fixed 21.7.3-r12
With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created. This is not limited only to workers but also exposes internal workers, where an instance of them can be fetched, and its constructor can be grabbed and reinstated for
- affected < 21.7.3-r8fixed 21.7.3-r8
The Permission Model assumes that any path starting with two backslashes \ has a four-character prefix that can be ignored, which is not always true. This subtle bug leads to vulnerable edge cases.
- affected < 21.7.3-r0fixed 21.7.3-r0
Due to the improper handling of batch files in child_process.spawn / child_process.spawnSync, a malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.
- affected < 21.7.3-r13fixed 21.7.3-r13
Bypass incomplete fix of CVE-2024-27980, that arises from improper handling of batch files with all possible extensions on Windows via child_process.spawn / child_process.spawnSync. A malicious command line argument can inject arbitrary commands and achieve code execution even if
- CVE-2024-24806Feb 7, 2024affected < 21.6.1-r1fixed 21.6.1-r1
libuv is a multi-platform support library with a focus on asynchronous I/O. The `uv_getaddrinfo` function in `src/unix/getaddrinfo.c` (and its windows counterpart `src/win/getaddrinfo.c`), truncates hostnames to 256 characters before calling `getaddrinfo`. This behavior can be ex