rpm package

almalinux/npm

pkg:rpm/almalinux/npm

Vulnerabilities (111)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2025-55132		—	< 1:11.6.2-1.24.13.0.0.module_el8.10.0+4113+bc863bc2	1:11.6.2-1.24.13.0.0.module_el8.10.0+4113+bc863bc2	Jan 20, 2026	A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can
CVE-2025-55130		—	< 1:11.6.2-1.24.13.0.0.module_el8.10.0+4113+bc863bc2	1:11.6.2-1.24.13.0.0.module_el8.10.0+4113+bc863bc2	Jan 20, 2026	A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and
CVE-2026-21637		—	< 1:11.6.2-1.24.13.0.0.module_el8.10.0+4113+bc863bc2	1:11.6.2-1.24.13.0.0.module_el8.10.0+4113+bc863bc2	Jan 20, 2026	A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), ca
CVE-2025-59465		—	< 1:11.6.2-1.24.13.0.0.module_el8.10.0+4113+bc863bc2	1:11.6.2-1.24.13.0.0.module_el8.10.0+4113+bc863bc2	Jan 20, 2026	A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects
CVE-2025-6965	Cri	9.8	< 1:10.9.2-1.22.16.0.2.module_el8.10.0+4028+97ddca84	1:10.9.2-1.22.16.0.2.module_el8.10.0+4028+97ddca84	Jul 15, 2025	There exists a vulnerability in SQLite versions before 3.50.2 where the number of aggregate terms could exceed the number of columns available. This could lead to a memory corruption issue. We recommend upgrading to version 3.50.2 or above.
CVE-2025-23166	Hig	7.5	< 1:10.9.2-1.22.16.0.1.module_el9.6.0+170+f035de78	1:10.9.2-1.22.16.0.1.module_el9.6.0+170+f035de78	May 19, 2025	The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentiall
CVE-2025-3277		—	< 1:10.9.2-1.22.15.0.1.module_el8.10.0+3986+a908e756	1:10.9.2-1.22.15.0.1.module_el8.10.0+3986+a908e756	Apr 14, 2025	An integer overflow can be triggered in SQLite’s `concat_ws()` function. The resulting, truncated integer is then used to allocate a buffer. When SQLite then writes the resulting string to the buffer, it uses the original, untruncated size and thus a wild Heap Buffer overflow of
CVE-2025-31498	Hig	—	< 1:10.9.2-1.22.15.0.1.module_el8.10.0+3986+a908e756	1:10.9.2-1.22.15.0.1.module_el8.10.0+3986+a908e756	Apr 8, 2025	c-ares is an asynchronous resolver library. From 1.32.3 through 1.34.4, there is a use-after-free in read_answers() when process_answer() may re-enqueue a query either due to a DNS Cookie Failure or when the upstream server does not properly support EDNS, or possibly on TCP queri
CVE-2025-23085	Med	5.3	< 1:10.8.2-1.20.18.2.1.module_el8.10.0+3958+472a6467	1:10.8.2-1.20.18.2.1.module_el8.10.0+3958+472a6467	Feb 7, 2025	A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could lead to inc
CVE-2025-23083	Hig	7.7	< 1:10.8.2-1.20.18.2.1.module_el8.10.0+3958+472a6467	1:10.8.2-1.20.18.2.1.module_el8.10.0+3958+472a6467	Jan 22, 2025	With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created. This is not limited only to workers but also exposes internal workers, where an instance of them can be fetched, and its constructor can be grabbed and reinstated for
CVE-2025-22150	Med	6.8	< 1:10.8.2-1.20.18.2.1.module_el8.10.0+3958+472a6467	1:10.8.2-1.20.18.2.1.module_el8.10.0+3958+472a6467	Jan 21, 2025	Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to versions 5.28.5, 6.21.1, and 7.2.3, undici uses `Math.random()` to choose the boundary for a multipart/form-data request. It is known that the output of `Math.random()` can be predicted if several of its generat
CVE-2024-36137	Low	3.3	< 1:10.8.1-1.20.16.0.1.module_el8.10.0+3882+e12e42db	1:10.8.1-1.20.16.0.1.module_el8.10.0+3882+e12e42db	Sep 7, 2024	A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-write flag is used. Node.js Permission Model do not operate on file descriptors, however, operations such as fs.fchown or fs.fchmod can use a "read-only" fi
CVE-2023-46809	Hig	7.4	< 1:10.2.4-1.18.19.1.1.module_el9.3.0+59+28b95644	1:10.2.4-1.18.19.1.1.module_el9.3.0+59+28b95644	Sep 7, 2024	Node.js versions which bundle an unpatched version of OpenSSL or run against a dynamically linked version of OpenSSL which are unpatched are vulnerable to the Marvin Attack - https://people.redhat.com/~hkario/marvin/, if PCKS #1 v1.5 padding is allowed when performing RSA descryp
CVE-2023-39333	Med	5.3	< 1:9.8.1-1.18.18.2.2.module_el9.2.0+43+3ebc9e20	1:9.8.1-1.18.18.2.2.module_el9.2.0+43+3ebc9e20	Sep 7, 2024	Maliciously crafted export names in an imported WebAssembly module can inject JavaScript code. The injected code may be able to access data and functions that the WebAssembly module itself does not have access to, similar to as if the WebAssembly module was a JavaScript module.
CVE-2024-22018	Low	2.9	< 1:10.8.1-1.20.16.0.1.module_el8.10.0+3882+e12e42db	1:10.8.1-1.20.16.0.1.module_el8.10.0+3882+e12e42db	Jul 10, 2024	A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-read flag is used. This flaw arises from an inadequate permission model that fails to restrict file stats through the fs.lstat API. As a result, malicious acto
CVE-2024-22020	Med	6.5	< 1:10.8.1-1.20.16.0.1.module_el8.10.0+3882+e12e42db	1:10.8.1-1.20.16.0.1.module_el8.10.0+3882+e12e42db	Jul 9, 2024	A security flaw in Node.js allows a bypass of network import restrictions. By embedding non-network imports in data URLs, an attacker can execute arbitrary code, compromising system security. Verified on various platforms, the vulnerability is mitigated by forbidding data URLs i
CVE-2024-27982	Med	6.5	< 1:10.5.0-1.20.12.2.2.module_el8.9.0+3827+11b91f3e	1:10.5.0-1.20.12.2.2.module_el8.9.0+3827+11b91f3e	May 7, 2024	The team has identified a critical vulnerability in the http server of the most recent version of Node, where malformed headers can lead to HTTP request smuggling. Specifically, if a space is placed before a content-length header, it is not interpreted correctly, enabling attacke
CVE-2024-27983	Hig	8.2	< 1:10.5.0-1.20.12.2.2.module_el8.9.0+3827+11b91f3e	1:10.5.0-1.20.12.2.2.module_el8.9.0+3827+11b91f3e	Apr 9, 2024	An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the se
CVE-2024-28182		—	< 1:10.5.0-1.20.12.2.2.module_el8.9.0+3827+11b91f3e	1:10.5.0-1.20.12.2.2.module_el8.9.0+3827+11b91f3e	Apr 4, 2024	nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading the unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset to keep HPACK context in sync. This causes excessive CPU usag
CVE-2024-28863		—	< 1:10.8.1-1.20.16.0.1.module_el8.10.0+3882+e12e42db	1:10.8.1-1.20.16.0.1.module_el8.10.0+3882+e12e42db	Mar 21, 2024	node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js cl

CVE-2025-55132Jan 20, 2026
affected < 1:11.6.2-1.24.13.0.0.module_el8.10.0+4113+bc863bc2fixed 1:11.6.2-1.24.13.0.0.module_el8.10.0+4113+bc863bc2
A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can
CVE-2025-55130Jan 20, 2026
affected < 1:11.6.2-1.24.13.0.0.module_el8.10.0+4113+bc863bc2fixed 1:11.6.2-1.24.13.0.0.module_el8.10.0+4113+bc863bc2
A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and
CVE-2026-21637Jan 20, 2026
affected < 1:11.6.2-1.24.13.0.0.module_el8.10.0+4113+bc863bc2fixed 1:11.6.2-1.24.13.0.0.module_el8.10.0+4113+bc863bc2
A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), ca
CVE-2025-59465Jan 20, 2026
affected < 1:11.6.2-1.24.13.0.0.module_el8.10.0+4113+bc863bc2fixed 1:11.6.2-1.24.13.0.0.module_el8.10.0+4113+bc863bc2
A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects
CVE-2025-6965CriJul 15, 2025
affected < 1:10.9.2-1.22.16.0.2.module_el8.10.0+4028+97ddca84fixed 1:10.9.2-1.22.16.0.2.module_el8.10.0+4028+97ddca84
There exists a vulnerability in SQLite versions before 3.50.2 where the number of aggregate terms could exceed the number of columns available. This could lead to a memory corruption issue. We recommend upgrading to version 3.50.2 or above.
CVE-2025-23166HigMay 19, 2025
affected < 1:10.9.2-1.22.16.0.1.module_el9.6.0+170+f035de78fixed 1:10.9.2-1.22.16.0.1.module_el9.6.0+170+f035de78
The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentiall
CVE-2025-3277Apr 14, 2025
affected < 1:10.9.2-1.22.15.0.1.module_el8.10.0+3986+a908e756fixed 1:10.9.2-1.22.15.0.1.module_el8.10.0+3986+a908e756
An integer overflow can be triggered in SQLite’s `concat_ws()` function. The resulting, truncated integer is then used to allocate a buffer. When SQLite then writes the resulting string to the buffer, it uses the original, untruncated size and thus a wild Heap Buffer overflow of
CVE-2025-31498HigApr 8, 2025
affected < 1:10.9.2-1.22.15.0.1.module_el8.10.0+3986+a908e756fixed 1:10.9.2-1.22.15.0.1.module_el8.10.0+3986+a908e756
c-ares is an asynchronous resolver library. From 1.32.3 through 1.34.4, there is a use-after-free in read_answers() when process_answer() may re-enqueue a query either due to a DNS Cookie Failure or when the upstream server does not properly support EDNS, or possibly on TCP queri
CVE-2025-23085MedFeb 7, 2025
affected < 1:10.8.2-1.20.18.2.1.module_el8.10.0+3958+472a6467fixed 1:10.8.2-1.20.18.2.1.module_el8.10.0+3958+472a6467
A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could lead to inc
CVE-2025-23083HigJan 22, 2025
affected < 1:10.8.2-1.20.18.2.1.module_el8.10.0+3958+472a6467fixed 1:10.8.2-1.20.18.2.1.module_el8.10.0+3958+472a6467
With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created. This is not limited only to workers but also exposes internal workers, where an instance of them can be fetched, and its constructor can be grabbed and reinstated for
CVE-2025-22150MedJan 21, 2025
affected < 1:10.8.2-1.20.18.2.1.module_el8.10.0+3958+472a6467fixed 1:10.8.2-1.20.18.2.1.module_el8.10.0+3958+472a6467
Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to versions 5.28.5, 6.21.1, and 7.2.3, undici uses `Math.random()` to choose the boundary for a multipart/form-data request. It is known that the output of `Math.random()` can be predicted if several of its generat
CVE-2024-36137LowSep 7, 2024
affected < 1:10.8.1-1.20.16.0.1.module_el8.10.0+3882+e12e42dbfixed 1:10.8.1-1.20.16.0.1.module_el8.10.0+3882+e12e42db
A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-write flag is used. Node.js Permission Model do not operate on file descriptors, however, operations such as fs.fchown or fs.fchmod can use a "read-only" fi
CVE-2023-46809HigSep 7, 2024
affected < 1:10.2.4-1.18.19.1.1.module_el9.3.0+59+28b95644fixed 1:10.2.4-1.18.19.1.1.module_el9.3.0+59+28b95644
Node.js versions which bundle an unpatched version of OpenSSL or run against a dynamically linked version of OpenSSL which are unpatched are vulnerable to the Marvin Attack - https://people.redhat.com/~hkario/marvin/, if PCKS #1 v1.5 padding is allowed when performing RSA descryp
CVE-2023-39333MedSep 7, 2024
affected < 1:9.8.1-1.18.18.2.2.module_el9.2.0+43+3ebc9e20fixed 1:9.8.1-1.18.18.2.2.module_el9.2.0+43+3ebc9e20
Maliciously crafted export names in an imported WebAssembly module can inject JavaScript code. The injected code may be able to access data and functions that the WebAssembly module itself does not have access to, similar to as if the WebAssembly module was a JavaScript module.
CVE-2024-22018LowJul 10, 2024
affected < 1:10.8.1-1.20.16.0.1.module_el8.10.0+3882+e12e42dbfixed 1:10.8.1-1.20.16.0.1.module_el8.10.0+3882+e12e42db
A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-read flag is used. This flaw arises from an inadequate permission model that fails to restrict file stats through the fs.lstat API. As a result, malicious acto
CVE-2024-22020MedJul 9, 2024
affected < 1:10.8.1-1.20.16.0.1.module_el8.10.0+3882+e12e42dbfixed 1:10.8.1-1.20.16.0.1.module_el8.10.0+3882+e12e42db
A security flaw in Node.js allows a bypass of network import restrictions. By embedding non-network imports in data URLs, an attacker can execute arbitrary code, compromising system security. Verified on various platforms, the vulnerability is mitigated by forbidding data URLs i
CVE-2024-27982MedMay 7, 2024
affected < 1:10.5.0-1.20.12.2.2.module_el8.9.0+3827+11b91f3efixed 1:10.5.0-1.20.12.2.2.module_el8.9.0+3827+11b91f3e
The team has identified a critical vulnerability in the http server of the most recent version of Node, where malformed headers can lead to HTTP request smuggling. Specifically, if a space is placed before a content-length header, it is not interpreted correctly, enabling attacke
CVE-2024-27983HigApr 9, 2024
affected < 1:10.5.0-1.20.12.2.2.module_el8.9.0+3827+11b91f3efixed 1:10.5.0-1.20.12.2.2.module_el8.9.0+3827+11b91f3e
An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the se
CVE-2024-28182Apr 4, 2024
affected < 1:10.5.0-1.20.12.2.2.module_el8.9.0+3827+11b91f3efixed 1:10.5.0-1.20.12.2.2.module_el8.9.0+3827+11b91f3e
nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading the unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset to keep HPACK context in sync. This causes excessive CPU usag
CVE-2024-28863Mar 21, 2024
affected < 1:10.8.1-1.20.16.0.1.module_el8.10.0+3882+e12e42dbfixed 1:10.8.1-1.20.16.0.1.module_el8.10.0+3882+e12e42db
node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js cl

Page 2 of 6