VYPR

rpm package

almalinux/nodejs-libs

pkg:rpm/almalinux/nodejs-libs

Vulnerabilities (70)

  • CVE-2025-55132Jan 20, 2026
    affected < 1:22.22.0-3.el10_1fixed 1:22.22.0-3.el10_1

    A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can

  • CVE-2025-55130Jan 20, 2026
    affected < 1:22.22.0-3.el10_1fixed 1:22.22.0-3.el10_1

    A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and

  • CVE-2026-21637Jan 20, 2026
    affected < 1:22.22.0-3.el10_1fixed 1:22.22.0-3.el10_1

    A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), ca

  • CVE-2025-59465Jan 20, 2026
    affected < 1:22.22.0-3.el10_1fixed 1:22.22.0-3.el10_1

    A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects

  • CVE-2025-6965CriJul 15, 2025
    affected < 1:22.16.0-2.module_el8.10.0+4028+97ddca84fixed 1:22.16.0-2.module_el8.10.0+4028+97ddca84

    There exists a vulnerability in SQLite versions before 3.50.2 where the number of aggregate terms could exceed the number of columns available. This could lead to a memory corruption issue. We recommend upgrading to version 3.50.2 or above.

  • CVE-2025-23166HigMay 19, 2025
    affected < 1:22.16.0-1.module_el9.6.0+170+f035de78fixed 1:22.16.0-1.module_el9.6.0+170+f035de78

    The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentiall

  • CVE-2025-3277Apr 14, 2025
    affected < 1:22.15.0-1.module_el8.10.0+3986+a908e756fixed 1:22.15.0-1.module_el8.10.0+3986+a908e756

    An integer overflow can be triggered in SQLite’s `concat_ws()` function. The resulting, truncated integer is then used to allocate a buffer. When SQLite then writes the resulting string to the buffer, it uses the original, untruncated size and thus a wild Heap Buffer overflow of

  • CVE-2025-31498HigApr 8, 2025
    affected < 1:22.15.0-1.module_el8.10.0+3986+a908e756fixed 1:22.15.0-1.module_el8.10.0+3986+a908e756

    c-ares is an asynchronous resolver library. From 1.32.3 through 1.34.4, there is a use-after-free in read_answers() when process_answer() may re-enqueue a query either due to a DNS Cookie Failure or when the upstream server does not properly support EDNS, or possibly on TCP queri

  • CVE-2025-23085MedFeb 7, 2025
    affected < 1:22.13.1-1.module_el8.10.0+3961+6a788e57fixed 1:22.13.1-1.module_el8.10.0+3961+6a788e57

    A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could lead to inc

  • CVE-2025-23083HigJan 22, 2025
    affected < 1:22.13.1-1.module_el8.10.0+3961+6a788e57fixed 1:22.13.1-1.module_el8.10.0+3961+6a788e57

    With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created. This is not limited only to workers but also exposes internal workers, where an instance of them can be fetched, and its constructor can be grabbed and reinstated for

  • CVE-2025-22150MedJan 21, 2025
    affected < 1:22.13.1-1.module_el8.10.0+3961+6a788e57fixed 1:22.13.1-1.module_el8.10.0+3961+6a788e57

    Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to versions 5.28.5, 6.21.1, and 7.2.3, undici uses `Math.random()` to choose the boundary for a multipart/form-data request. It is known that the output of `Math.random()` can be predicted if several of its generat

  • CVE-2024-27982MedMay 7, 2024
    affected < 1:16.20.2-8.el9_4fixed 1:16.20.2-8.el9_4

    The team has identified a critical vulnerability in the http server of the most recent version of Node, where malformed headers can lead to HTTP request smuggling. Specifically, if a space is placed before a content-length header, it is not interpreted correctly, enabling attacke

  • CVE-2024-27983HigApr 9, 2024
    affected < 1:16.20.2-8.el9_4fixed 1:16.20.2-8.el9_4

    An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the se

  • CVE-2024-28182Apr 4, 2024
    affected < 1:16.20.2-8.el9_4fixed 1:16.20.2-8.el9_4

    nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading the unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset to keep HPACK context in sync. This causes excessive CPU usag

  • CVE-2024-22025MedMar 19, 2024
    affected < 1:16.20.2-8.el9_4fixed 1:16.20.2-8.el9_4

    A vulnerability in Node.js has been identified, allowing for a Denial of Service (DoS) attack through resource exhaustion when using the fetch() function to retrieve content from an untrusted URL. The vulnerability stems from the fact that the fetch() function in Node.js always d

  • CVE-2024-25629Feb 23, 2024
    affected < 1:16.20.2-8.el9_4fixed 1:16.20.2-8.el9_4

    c-ares is a C library for asynchronous DNS requests. `ares__read_line()` is used to parse local configuration files such as `/etc/resolv.conf`, `/etc/nsswitch.conf`, the `HOSTALIASES` file, and if using a c-ares version prior to 1.27.0, the `/etc/hosts` file. If any of these conf

  • CVE-2024-22019Feb 20, 2024
    affected < 1:16.20.2-4.el9_3fixed 1:16.20.2-4.el9_3

    A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and denial of service (DoS). The server reads an unbounded number of bytes from a single connection, exploiting the lack of li

  • CVE-2023-30590Nov 28, 2023
    affected < 1:16.20.1-1.el9_2fixed 1:16.20.1-1.el9_2

    The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or outdated) keys, that is, it only generates a private key if none has been set yet, but the function is also needed to compute the corresponding public key after calling setPrivat

  • CVE-2023-30588Nov 28, 2023
    affected < 1:16.20.1-1.el9_2fixed 1:16.20.1-1.el9_2

    When an invalid public key is used to create an x509 certificate using the crypto.X509Certificate() API a non-expect termination occurs making it susceptible to DoS attacks when the attacker could force interruptions of application processing, as the process terminates when acces

  • CVE-2023-30581Nov 22, 2023
    affected < 1:16.20.1-1.el9_2fixed 1:16.20.1-1.el9_2

    The use of __proto__ in process.mainModule.__proto__.require() can bypass the policy mechanism and require modules outside of the policy.json definition. This vulnerability affects all users using the experimental policy mechanism in all active release lines: v16, v18 and, v20.

Page 2 of 4