VYPR

apk package

chainguard/nodejs-24

pkg:apk/chainguard/nodejs-24

Vulnerabilities (8)

  • CVE-2025-55131HigJan 20, 2026
    affected < 24.13.0-r0fixed 24.13.0-r0

    A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Ar

  • CVE-2026-21636Jan 20, 2026
    affected < 24.13.0-r0fixed 24.13.0-r0

    A flaw in Node.js's permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when `--permission` is enabled. Even without `--allow-net`, attacker-controlled inputs (such as URLs or socketPath options) can connect to arbitrary local sockets via n

  • CVE-2025-59466Jan 20, 2026
    affected < 24.13.0-r0fixed 24.13.0-r0

    We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on('uncaughtException')`, the process terminates, making the crash unrecoverable. Applica

  • CVE-2025-55132Jan 20, 2026
    affected < 24.13.0-r0fixed 24.13.0-r0

    A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can

  • CVE-2025-59464Jan 20, 2026
    affected < 24.13.0-r0fixed 24.13.0-r0

    A memory leak in Node.js’s OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. When applications call `socket.getPeerCertificate(true)`, each certificate field leaks memory, allowing remote clients to trigger steady

  • CVE-2025-55130Jan 20, 2026
    affected < 24.13.0-r0fixed 24.13.0-r0

    A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and

  • CVE-2026-21637Jan 20, 2026
    affected < 24.13.0-r0fixed 24.13.0-r0

    A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), ca

  • CVE-2025-59465Jan 20, 2026
    affected < 24.13.0-r0fixed 24.13.0-r0

    A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects