rpm package
opensuse/nodejs24&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/nodejs24&distro=openSUSE%20Tumbleweed
Vulnerabilities (38)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-48937 | — | < 24.17.0-1.1 | 24.17.0-1.1 | Jun 18, 2026 | A flaw in Node.js HTTP/2 server API can cause servers to keep accepting data even after sending a `GOAWAY` frame. This vulnerability affects two supported release lines: **Node.js 22** and **Node.js 24**. | ||
| CVE-2026-48617 | — | < 24.17.0-1.1 | 24.17.0-1.1 | Jun 18, 2026 | A flaw in Node.js Permission Model enforcement allows Bypass via `process.report.writeReport()` Path Misvalidation. This can lead to confidentiality impact or bypass of the intended security boundary under affected configurations. This vulnerability affects all supported release | ||
| CVE-2026-11525 | low | 3.7 | < 24.17.0-1.1 | 24.17.0-1.1 | Jun 17, 2026 | undici: undici: Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header | |
| CVE-2026-6733 | low | 3.7 | < 24.17.0-1.1 | 24.17.0-1.1 | Jun 17, 2026 | undici: Undici: Response queue poisoning on reused keep-alive sockets can lead to incorrect response delivery. | |
| CVE-2026-9678 | mod | 5.9 | < 24.17.0-1.1 | 24.17.0-1.1 | Jun 17, 2026 | undici: Undici: Information disclosure due to improper cache-control header parsing | |
| CVE-2026-9679 | mod | 5.9 | < 24.17.0-1.1 | 24.17.0-1.1 | Jun 17, 2026 | undici: undici vulnerable to HTTP header injection via Set-Cookie percent-decoding | |
| CVE-2026-12151 | imp | 7.5 | < 24.17.0-1.1 | 24.17.0-1.1 | Jun 17, 2026 | undici: undici: Denial of Service due to unbounded memory growth via WebSocket frames | |
| CVE-2026-9496 | Hig | 7.5 | < 24.17.0-1.1 | 24.17.0-1.1 | May 26, 2026 | Versions of the package pacote from 11.2.7 are vulnerable to Denial of Service (DoS) via the addGitSha function. An attacker can exploit this vulnerability by supplying a specially crafted spec.rawSpec value that triggers the function’s regex replacement and string-manipulation l | |
| CVE-2026-42338 | Med | 6.1 | < 24.17.0-1.1 | 24.17.0-1.1 | May 12, 2026 | ip-address is a library for parsing and manipulating IPv4 and IPv6 addresses in JavaScript. Prior to 10.1.1, Address6.group() and Address6.link() do not HTML-escape attacker-controlled content before embedding it in the HTML strings they return, and AddressError.parseMessage (emi | |
| CVE-2026-40170 | Hig | 7.5 | < 24.17.0-1.1 | 24.17.0-1.1 | Apr 16, 2026 | ngtcp2 is a C implementation of the IETF QUIC protocol. In versions prior to 1.22.1, ngtcp2_qlog_parameters_set_transport_params() serializes peer transport parameters into a fixed 1024-byte stack buffer without bounds checking. When qlog is enabled, a remote peer can send suffic | |
| CVE-2026-21717 | Med | 5.9 | < 24.14.1-1.1 | 24.14.1-1.1 | Mar 30, 2026 | A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade perfo | |
| CVE-2026-21716 | Low | 3.3 | < 24.14.1-1.1 | 24.14.1-1.1 | Mar 30, 2026 | An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and `FileHandle.chown()` in the promises API without the required permission checks, while their callback-based equivalents (`fs.fchmod()`, `fs.fchown()`) were correctly patched. As a result, code running under ` | |
| CVE-2026-21715 | Low | 3.3 | < 24.14.1-1.1 | 24.14.1-1.1 | Mar 30, 2026 | A flaw in Node.js Permission Model filesystem enforcement leaves `fs.realpathSync.native()` without the required read permission checks, while all comparable filesystem functions correctly enforce them. As a result, code running under `--permission` with restricted `--allow-fs | |
| CVE-2026-21714 | Med | 5.3 | < 24.14.1-1.1 | 24.14.1-1.1 | Mar 30, 2026 | A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2³¹-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned | |
| CVE-2026-21713 | Med | 5.9 | < 24.14.1-1.1 | 24.14.1-1.1 | Mar 30, 2026 | A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possibl | |
| CVE-2026-21710 | Hig | 7.5 | < 24.14.1-1.1 | 24.14.1-1.1 | Mar 30, 2026 | A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`. When this occurs, `dest["__proto__"]` resolves to `Object.prototype` rather than `undefined`, c | |
| CVE-2026-21712 | Med | 5.7 | < 24.14.1-1.1 | 24.14.1-1.1 | Mar 30, 2026 | A flaw in Node.js URL processing causes an assertion failure in native code when `url.format()` is called with a malformed internationalized domain name (IDN) containing invalid characters, crashing the Node.js process. | |
| CVE-2026-27135 | Hig | 7.5 | < 24.17.0-1.1 | 24.17.0-1.1 | Mar 18, 2026 | nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the incoming data when user facing public API `nghttp2_session_terminate_session` or `nghttp2_session_terminate_session2` is called by the ap | |
| CVE-2026-2581 | — | < 24.17.0-1.1 | 24.17.0-1.1 | Mar 12, 2026 | This is an uncontrolled resource consumption vulnerability (CWE-400) that can lead to Denial of Service (DoS). In vulnerable Undici versions, when interceptors.deduplicate() is enabled, response data for deduplicated requests could be accumulated in memory for downstream handler | ||
| CVE-2025-55131 | Hig | 7.1 | < 24.13.0-1.1 | 24.13.0-1.1 | Jan 20, 2026 | A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Ar |
- CVE-2026-48937Jun 18, 2026affected < 24.17.0-1.1fixed 24.17.0-1.1
A flaw in Node.js HTTP/2 server API can cause servers to keep accepting data even after sending a `GOAWAY` frame. This vulnerability affects two supported release lines: **Node.js 22** and **Node.js 24**.
- CVE-2026-48617Jun 18, 2026affected < 24.17.0-1.1fixed 24.17.0-1.1
A flaw in Node.js Permission Model enforcement allows Bypass via `process.report.writeReport()` Path Misvalidation. This can lead to confidentiality impact or bypass of the intended security boundary under affected configurations. This vulnerability affects all supported release
- affected < 24.17.0-1.1fixed 24.17.0-1.1
undici: undici: Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header
- affected < 24.17.0-1.1fixed 24.17.0-1.1
undici: Undici: Response queue poisoning on reused keep-alive sockets can lead to incorrect response delivery.
- affected < 24.17.0-1.1fixed 24.17.0-1.1
undici: Undici: Information disclosure due to improper cache-control header parsing
- affected < 24.17.0-1.1fixed 24.17.0-1.1
undici: undici vulnerable to HTTP header injection via Set-Cookie percent-decoding
- affected < 24.17.0-1.1fixed 24.17.0-1.1
undici: undici: Denial of Service due to unbounded memory growth via WebSocket frames
- affected < 24.17.0-1.1fixed 24.17.0-1.1
Versions of the package pacote from 11.2.7 are vulnerable to Denial of Service (DoS) via the addGitSha function. An attacker can exploit this vulnerability by supplying a specially crafted spec.rawSpec value that triggers the function’s regex replacement and string-manipulation l
- affected < 24.17.0-1.1fixed 24.17.0-1.1
ip-address is a library for parsing and manipulating IPv4 and IPv6 addresses in JavaScript. Prior to 10.1.1, Address6.group() and Address6.link() do not HTML-escape attacker-controlled content before embedding it in the HTML strings they return, and AddressError.parseMessage (emi
- affected < 24.17.0-1.1fixed 24.17.0-1.1
ngtcp2 is a C implementation of the IETF QUIC protocol. In versions prior to 1.22.1, ngtcp2_qlog_parameters_set_transport_params() serializes peer transport parameters into a fixed 1024-byte stack buffer without bounds checking. When qlog is enabled, a remote peer can send suffic
- affected < 24.14.1-1.1fixed 24.14.1-1.1
A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade perfo
- affected < 24.14.1-1.1fixed 24.14.1-1.1
An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and `FileHandle.chown()` in the promises API without the required permission checks, while their callback-based equivalents (`fs.fchmod()`, `fs.fchown()`) were correctly patched. As a result, code running under `
- affected < 24.14.1-1.1fixed 24.14.1-1.1
A flaw in Node.js Permission Model filesystem enforcement leaves `fs.realpathSync.native()` without the required read permission checks, while all comparable filesystem functions correctly enforce them. As a result, code running under `--permission` with restricted `--allow-fs
- affected < 24.14.1-1.1fixed 24.14.1-1.1
A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2³¹-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned
- affected < 24.14.1-1.1fixed 24.14.1-1.1
A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possibl
- affected < 24.14.1-1.1fixed 24.14.1-1.1
A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`. When this occurs, `dest["__proto__"]` resolves to `Object.prototype` rather than `undefined`, c
- affected < 24.14.1-1.1fixed 24.14.1-1.1
A flaw in Node.js URL processing causes an assertion failure in native code when `url.format()` is called with a malformed internationalized domain name (IDN) containing invalid characters, crashing the Node.js process.
- affected < 24.17.0-1.1fixed 24.17.0-1.1
nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the incoming data when user facing public API `nghttp2_session_terminate_session` or `nghttp2_session_terminate_session2` is called by the ap
- CVE-2026-2581Mar 12, 2026affected < 24.17.0-1.1fixed 24.17.0-1.1
This is an uncontrolled resource consumption vulnerability (CWE-400) that can lead to Denial of Service (DoS). In vulnerable Undici versions, when interceptors.deduplicate() is enabled, response data for deduplicated requests could be accumulated in memory for downstream handler
- affected < 24.13.0-1.1fixed 24.13.0-1.1
A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Ar
Page 1 of 2