Bitnami package
node-min
pkg:bitnami/node-min
Vulnerabilities (107)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-21717 | Med | 5.9 | < 20.20.2 | 20.20.2 | Mar 30, 2026 | A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade perfo | |
| CVE-2026-21716 | Low | 3.3 | < 20.20.2 | 20.20.2 | Mar 30, 2026 | An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and `FileHandle.chown()` in the promises API without the required permission checks, while their callback-based equivalents (`fs.fchmod()`, `fs.fchown()`) were correctly patched. As a result, code running under ` | |
| CVE-2026-21715 | Low | 3.3 | < 20.20.2 | 20.20.2 | Mar 30, 2026 | A flaw in Node.js Permission Model filesystem enforcement leaves `fs.realpathSync.native()` without the required read permission checks, while all comparable filesystem functions correctly enforce them. As a result, code running under `--permission` with restricted `--allow-fs | |
| CVE-2026-21714 | Med | 5.3 | < 20.20.2 | 20.20.2 | Mar 30, 2026 | A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2³¹-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned | |
| CVE-2026-21713 | Med | 5.9 | < 20.20.2 | 20.20.2 | Mar 30, 2026 | A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possibl | |
| CVE-2026-21711 | Med | 5.3 | >= 25.0.0, < 25.8.2 | 25.8.2 | Mar 30, 2026 | A flaw in Node.js Permission Model network enforcement leaves Unix Domain Socket (UDS) server operations without the required permission checks, while all comparable network paths correctly enforce them. As a result, code running under `--permission` without `--allow-net` can | |
| CVE-2026-21710 | Hig | 7.5 | < 20.20.2 | 20.20.2 | Mar 30, 2026 | A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`. When this occurs, `dest["__proto__"]` resolves to `Object.prototype` rather than `undefined`, c | |
| CVE-2026-21712 | Med | 5.7 | >= 24.0.0, < 24.14.1 | 24.14.1 | Mar 30, 2026 | A flaw in Node.js URL processing causes an assertion failure in native code when `url.format()` is called with a malformed internationalized domain name (IDN) containing invalid characters, crashing the Node.js process. | |
| CVE-2025-55131 | Hig | 7.1 | < 20.20.0 | 20.20.0 | Jan 20, 2026 | A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Ar | |
| CVE-2026-21636 | — | >= 25.0.0, < 25.3.0 | 25.3.0 | Jan 20, 2026 | A flaw in Node.js's permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when `--permission` is enabled. Even without `--allow-net`, attacker-controlled inputs (such as URLs or socketPath options) can connect to arbitrary local sockets via n | ||
| CVE-2025-59466 | — | < 20.20.0 | 20.20.0 | Jan 20, 2026 | We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on('uncaughtException')`, the process terminates, making the crash unrecoverable. Applica | ||
| CVE-2025-55132 | — | >= 20.0.0, < 20.20.0 | 20.20.0 | Jan 20, 2026 | A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can | ||
| CVE-2025-59464 | — | >= 24.0.0, < 24.12.0 | 24.12.0 | Jan 20, 2026 | A memory leak in Node.js’s OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. When applications call `socket.getPeerCertificate(true)`, each certificate field leaks memory, allowing remote clients to trigger steady | ||
| CVE-2025-55130 | — | >= 20.0.0, < 20.20.0 | 20.20.0 | Jan 20, 2026 | A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and | ||
| CVE-2026-21637 | — | < 20.20.0 | 20.20.0 | Jan 20, 2026 | A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), ca | ||
| CVE-2025-59465 | — | < 20.20.0 | 20.20.0 | Jan 20, 2026 | A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects | ||
| CVE-2025-27210 | Hig | 7.5 | >= 4.0.0, < 20.19.4 | 20.19.4 | Jul 18, 2025 | An incomplete fix has been identified for CVE-2025-23084 in Node.js, specifically affecting Windows device names like CON, PRN, and AUX. This vulnerability affects Windows users of `path.join` API. | |
| CVE-2025-27209 | Hig | 7.5 | >= 24.0.0, < 24.4.1 | 24.4.1 | Jul 18, 2025 | The V8 release used in Node.js v24.0.0 has changed how string hashes are computed using rapidhash. This implementation re-introduces the HashDoS vulnerability as an attacker who can control the strings to be hashed can generate many hash collisions - an attacker can generate coll | |
| CVE-2025-23167 | Med | 6.5 | < 20.19.2 | 20.19.2 | May 19, 2025 | A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `\r\n\rX` instead of the required `\r\n\r\n`. This inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests. The issue | |
| CVE-2025-23166 | Hig | 7.5 | < 20.19.2 | 20.19.2 | May 19, 2025 | The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentiall |
- affected < 20.20.2fixed 20.20.2
A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade perfo
- affected < 20.20.2fixed 20.20.2
An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and `FileHandle.chown()` in the promises API without the required permission checks, while their callback-based equivalents (`fs.fchmod()`, `fs.fchown()`) were correctly patched. As a result, code running under `
- affected < 20.20.2fixed 20.20.2
A flaw in Node.js Permission Model filesystem enforcement leaves `fs.realpathSync.native()` without the required read permission checks, while all comparable filesystem functions correctly enforce them. As a result, code running under `--permission` with restricted `--allow-fs
- affected < 20.20.2fixed 20.20.2
A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2³¹-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned
- affected < 20.20.2fixed 20.20.2
A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possibl
- affected >= 25.0.0, < 25.8.2fixed 25.8.2
A flaw in Node.js Permission Model network enforcement leaves Unix Domain Socket (UDS) server operations without the required permission checks, while all comparable network paths correctly enforce them. As a result, code running under `--permission` without `--allow-net` can
- affected < 20.20.2fixed 20.20.2
A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`. When this occurs, `dest["__proto__"]` resolves to `Object.prototype` rather than `undefined`, c
- affected >= 24.0.0, < 24.14.1fixed 24.14.1
A flaw in Node.js URL processing causes an assertion failure in native code when `url.format()` is called with a malformed internationalized domain name (IDN) containing invalid characters, crashing the Node.js process.
- affected < 20.20.0fixed 20.20.0
A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Ar
- CVE-2026-21636Jan 20, 2026affected >= 25.0.0, < 25.3.0fixed 25.3.0
A flaw in Node.js's permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when `--permission` is enabled. Even without `--allow-net`, attacker-controlled inputs (such as URLs or socketPath options) can connect to arbitrary local sockets via n
- CVE-2025-59466Jan 20, 2026affected < 20.20.0fixed 20.20.0
We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on('uncaughtException')`, the process terminates, making the crash unrecoverable. Applica
- CVE-2025-55132Jan 20, 2026affected >= 20.0.0, < 20.20.0fixed 20.20.0
A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can
- CVE-2025-59464Jan 20, 2026affected >= 24.0.0, < 24.12.0fixed 24.12.0
A memory leak in Node.js’s OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. When applications call `socket.getPeerCertificate(true)`, each certificate field leaks memory, allowing remote clients to trigger steady
- CVE-2025-55130Jan 20, 2026affected >= 20.0.0, < 20.20.0fixed 20.20.0
A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and
- CVE-2026-21637Jan 20, 2026affected < 20.20.0fixed 20.20.0
A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), ca
- CVE-2025-59465Jan 20, 2026affected < 20.20.0fixed 20.20.0
A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects
- affected >= 4.0.0, < 20.19.4fixed 20.19.4
An incomplete fix has been identified for CVE-2025-23084 in Node.js, specifically affecting Windows device names like CON, PRN, and AUX. This vulnerability affects Windows users of `path.join` API.
- affected >= 24.0.0, < 24.4.1fixed 24.4.1
The V8 release used in Node.js v24.0.0 has changed how string hashes are computed using rapidhash. This implementation re-introduces the HashDoS vulnerability as an attacker who can control the strings to be hashed can generate many hash collisions - an attacker can generate coll
- affected < 20.19.2fixed 20.19.2
A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `\r\n\rX` instead of the required `\r\n\r\n`. This inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests. The issue
- affected < 20.19.2fixed 20.19.2
The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentiall
Page 1 of 6