VYPR

rpm package

opensuse/nodejs22&distro=openSUSE Leap 15.6

pkg:rpm/opensuse/nodejs22&distro=openSUSE%20Leap%2015.6

Vulnerabilities (12)

  • CVE-2025-55131HigJan 20, 2026
    affected < 22.22.0-150600.13.12.1fixed 22.22.0-150600.13.12.1

    A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Ar

  • CVE-2025-59466Jan 20, 2026
    affected < 22.22.0-150600.13.12.1fixed 22.22.0-150600.13.12.1

    We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on('uncaughtException')`, the process terminates, making the crash unrecoverable. Applica

  • CVE-2025-55132Jan 20, 2026
    affected < 22.22.0-150600.13.12.1fixed 22.22.0-150600.13.12.1

    A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can

  • CVE-2025-55130Jan 20, 2026
    affected < 22.22.0-150600.13.12.1fixed 22.22.0-150600.13.12.1

    A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and

  • CVE-2026-21637Jan 20, 2026
    affected < 22.22.0-150600.13.12.1fixed 22.22.0-150600.13.12.1

    A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), ca

  • CVE-2025-59465Jan 20, 2026
    affected < 22.22.0-150600.13.12.1fixed 22.22.0-150600.13.12.1

    A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects

  • CVE-2026-22036Jan 14, 2026
    affected < 22.22.0-150600.13.12.1fixed 22.22.0-150600.13.12.1

    Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands compression steps leading to high CPU usage and excessive memory allocatio

  • CVE-2025-23166HigMay 19, 2025
    affected < 22.15.1-150600.13.9.1fixed 22.15.1-150600.13.9.1

    The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentiall

  • CVE-2025-23165LowMay 19, 2025
    affected < 22.15.1-150600.13.9.1fixed 22.15.1-150600.13.9.1

    In Node.js, the `ReadFileUtf8` internal binding leaks memory due to a corrupted pointer in `uv_fs_s.file`: a UTF-16 path buffer is allocated but subsequently overwritten when the file descriptor is set. This results in an unrecoverable memory leak on every call. Repeated use can

  • CVE-2025-23085MedFeb 7, 2025
    affected < 22.13.1-150600.13.6.1fixed 22.13.1-150600.13.6.1

    A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could lead to inc

  • CVE-2025-23083HigJan 22, 2025
    affected < 22.13.1-150600.13.6.1fixed 22.13.1-150600.13.6.1

    With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created. This is not limited only to workers but also exposes internal workers, where an instance of them can be fetched, and its constructor can be grabbed and reinstated for

  • CVE-2025-22150MedJan 21, 2025
    affected < 22.13.1-150600.13.6.1fixed 22.13.1-150600.13.6.1

    Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to versions 5.28.5, 6.21.1, and 7.2.3, undici uses `Math.random()` to choose the boundary for a multipart/form-data request. It is known that the output of `Math.random()` can be predicted if several of its generat