rpm package
almalinux/nodejs-devel
pkg:rpm/almalinux/nodejs-devel
Vulnerabilities (110)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-55132 | | — | | < 1:22.22.0-3.el10_1 | 1:22.22.0-3.el10_1 | Jan 20, 2026 | A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can |
| CVE-2025-55130 | | — | | < 1:22.22.0-3.el10_1 | 1:22.22.0-3.el10_1 | Jan 20, 2026 | A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and |
| CVE-2026-21637 | | — | | < 1:22.22.0-3.el10_1 | 1:22.22.0-3.el10_1 | Jan 20, 2026 | A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), ca |
| CVE-2025-59465 | | — | | < 1:22.22.0-3.el10_1 | 1:22.22.0-3.el10_1 | Jan 20, 2026 | A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects |
| CVE-2025-6965 | Cri | 9.8 | | < 1:22.16.0-2.module_el8.10.0+4028+97ddca84 | 1:22.16.0-2.module_el8.10.0+4028+97ddca84 | Jul 15, 2025 | There exists a vulnerability in SQLite versions before 3.50.2 where the number of aggregate terms could exceed the number of columns available. This could lead to a memory corruption issue. We recommend upgrading to version 3.50.2 or above. |
| CVE-2025-23166 | Hig | 7.5 | | < 1:22.16.0-1.module_el9.6.0+170+f035de78 | 1:22.16.0-1.module_el9.6.0+170+f035de78 | May 19, 2025 | The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentiall |
| CVE-2025-3277 | | — | | < 1:22.15.0-1.module_el8.10.0+3986+a908e756 | 1:22.15.0-1.module_el8.10.0+3986+a908e756 | Apr 14, 2025 | An integer overflow can be triggered in SQLite’s `concat_ws()` function. The resulting, truncated integer is then used to allocate a buffer. When SQLite then writes the resulting string to the buffer, it uses the original, untruncated size and thus a wild Heap Buffer overflow of |
| CVE-2025-31498 | Hig | — | | < 1:22.15.0-1.module_el8.10.0+3986+a908e756 | 1:22.15.0-1.module_el8.10.0+3986+a908e756 | Apr 8, 2025 | c-ares is an asynchronous resolver library. From 1.32.3 through 1.34.4, there is a use-after-free in read_answers() when process_answer() may re-enqueue a query either due to a DNS Cookie Failure or when the upstream server does not properly support EDNS, or possibly on TCP queri |
| CVE-2025-23085 | Med | 5.3 | | < 1:20.18.2-1.module_el8.10.0+3958+472a6467 | 1:20.18.2-1.module_el8.10.0+3958+472a6467 | Feb 7, 2025 | A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could lead to inc |
| CVE-2025-23083 | Hig | 7.7 | | < 1:20.18.2-1.module_el8.10.0+3958+472a6467 | 1:20.18.2-1.module_el8.10.0+3958+472a6467 | Jan 22, 2025 | With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created. This is not limited only to workers but also exposes internal workers, where an instance of them can be fetched, and its constructor can be grabbed and reinstated for |
| CVE-2025-22150 | Med | 6.8 | | < 1:20.18.2-1.module_el8.10.0+3958+472a6467 | 1:20.18.2-1.module_el8.10.0+3958+472a6467 | Jan 21, 2025 | Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to versions 5.28.5, 6.21.1, and 7.2.3, undici uses `Math.random()` to choose the boundary for a multipart/form-data request. It is known that the output of `Math.random()` can be predicted if several of its generat |
| CVE-2024-36137 | Low | 3.3 | | < 1:20.16.0-1.module_el8.10.0+3882+e12e42db | 1:20.16.0-1.module_el8.10.0+3882+e12e42db | Sep 7, 2024 | A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-write flag is used. Node.js Permission Model does not operate on file descriptors, however, operations such as fs.fchown or fs.fchmod can use a "read-only" fi |
| CVE-2023-46809 | Hig | 7.4 | | < 1:18.19.1-1.module_el9.3.0+59+28b95644 | 1:18.19.1-1.module_el9.3.0+59+28b95644 | Sep 7, 2024 | Node.js versions which bundle an unpatched version of OpenSSL or run against a dynamically linked version of OpenSSL which are unpatched are vulnerable to the Marvin Attack - https://people.redhat.com/~hkario/marvin/, if PKCS #1 v1.5 padding is allowed when performing RSA descryp |
| CVE-2023-39333 | Med | 5.3 | | < 1:18.18.2-2.module_el9.2.0+43+3ebc9e20 | 1:18.18.2-2.module_el9.2.0+43+3ebc9e20 | Sep 7, 2024 | Maliciously crafted export names in an imported WebAssembly module can inject JavaScript code. The injected code may be able to access data and functions that the WebAssembly module itself does not have access to, similar to as if the WebAssembly module was a JavaScript module. |
| CVE-2024-22018 | Low | 2.9 | | < 1:20.16.0-1.module_el8.10.0+3882+e12e42db | 1:20.16.0-1.module_el8.10.0+3882+e12e42db | Jul 10, 2024 | A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-read flag is used. This flaw arises from an inadequate permission model that fails to restrict file stats through the fs.lstat API. As a result, malicious acto |
| CVE-2024-22020 | Med | 6.5 | | < 1:20.16.0-1.module_el8.10.0+3882+e12e42db | 1:20.16.0-1.module_el8.10.0+3882+e12e42db | Jul 9, 2024 | A security flaw in Node.js allows a bypass of network import restrictions. By embedding non-network imports in data URLs, an attacker can execute arbitrary code, compromising system security. Verified on various platforms, the vulnerability is mitigated by forbidding data URLs i |
| CVE-2024-27982 | Med | 6.5 | | < 1:20.12.2-2.module_el8.9.0+3827+11b91f3e | 1:20.12.2-2.module_el8.9.0+3827+11b91f3e | May 7, 2024 | The team has identified a critical vulnerability in the http server of the most recent version of Node, where malformed headers can lead to HTTP request smuggling. Specifically, if a space is placed before a content-length header, it is not interpreted correctly, enabling attacke |
| CVE-2024-27983 | Hig | 8.2 | | < 1:20.12.2-2.module_el8.9.0+3827+11b91f3e | 1:20.12.2-2.module_el8.9.0+3827+11b91f3e | Apr 9, 2024 | An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the se |
| CVE-2024-28182 | | — | | < 1:20.12.2-2.module_el8.9.0+3827+11b91f3e | 1:20.12.2-2.module_el8.9.0+3827+11b91f3e | Apr 4, 2024 | nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading the unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset to keep HPACK context in sync. This causes excessive CPU usag |
| CVE-2024-28863 | | — | | < 1:20.16.0-1.module_el8.10.0+3882+e12e42db | 1:20.16.0-1.module_el8.10.0+3882+e12e42db | Mar 21, 2024 | node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js cl |
Page 2 of 6