rpm package
opensuse/nodejs26&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/nodejs26&distro=openSUSE%20Tumbleweed
Vulnerabilities (27)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-48617 | — | | | < 26.3.1-1.1 | 26.3.1-1.1 | Jun 18, 2026 | A flaw in Node.js Permission Model enforcement allows Bypass via `process.report.writeReport()` Path Misvalidation. This can lead to confidentiality impact or bypass of the intended security boundary under affected configurations. This vulnerability affects all supported release |
| CVE-2026-21717 | Med | 5.9 | | < 26.3.1-1.1 | 26.3.1-1.1 | Mar 30, 2026 | A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade perfo |
| CVE-2026-21716 | Low | 3.3 | | < 26.3.1-1.1 | 26.3.1-1.1 | Mar 30, 2026 | An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and `FileHandle.chown()` in the promises API without the required permission checks, while their callback-based equivalents (`fs.fchmod()`, `fs.fchown()`) were correctly patched. As a result, code running under ` |
| CVE-2026-21715 | Low | 3.3 | | < 26.3.1-1.1 | 26.3.1-1.1 | Mar 30, 2026 | A flaw in Node.js Permission Model filesystem enforcement leaves `fs.realpathSync.native()` without the required read permission checks, while all comparable filesystem functions correctly enforce them. As a result, code running under `--permission` with restricted `--allow-fs |
| CVE-2026-21714 | Med | 5.3 | | < 26.3.1-1.1 | 26.3.1-1.1 | Mar 30, 2026 | A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2³¹-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned |
| CVE-2026-21713 | Med | 5.9 | | < 26.3.1-1.1 | 26.3.1-1.1 | Mar 30, 2026 | A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possibl |
| CVE-2026-21710 | High | 7.5 | | < 26.3.1-1.1 | 26.3.1-1.1 | Mar 30, 2026 | A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`. When this occurs, `dest["__proto__"]` resolves to `Object.prototype` rather than `undefined`, c |
| CVE-2026-21712 | Med | 5.7 | | < 26.3.1-1.1 | 26.3.1-1.1 | Mar 30, 2026 | A flaw in Node.js URL processing causes an assertion failure in native code when `url.format()` is called with a malformed internationalized domain name (IDN) containing invalid characters, crashing the Node.js process. |
| CVE-2025-55131 | High | 7.1 | | < 26.3.1-1.1 | 26.3.1-1.1 | Jan 20, 2026 | A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Ar |
| CVE-2025-59466 | — | | | < 26.3.1-1.1 | 26.3.1-1.1 | Jan 20, 2026 | We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on('uncaughtException')`, the process terminates, making the crash unrecoverable. Applica |
| CVE-2025-55132 | — | | | < 26.3.1-1.1 | 26.3.1-1.1 | Jan 20, 2026 | A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can |
| CVE-2025-59464 | — | | | < 26.3.1-1.1 | 26.3.1-1.1 | Jan 20, 2026 | A memory leak in Node.js’s OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. When applications call `socket.getPeerCertificate(true)`, each certificate field leaks memory, allowing remote clients to trigger steady |
| CVE-2025-55130 | — | | | < 26.3.1-1.1 | 26.3.1-1.1 | Jan 20, 2026 | A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and |
| CVE-2026-21637 | — | | | < 26.3.1-1.1 | 26.3.1-1.1 | Jan 20, 2026 | A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), ca |
| CVE-2025-59465 | — | | | < 26.3.1-1.1 | 26.3.1-1.1 | Jan 20, 2026 | A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects |
| CVE-2026-22036 | — | | | < 26.3.1-1.1 | 26.3.1-1.1 | Jan 14, 2026 | Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands compression steps leading to high CPU usage and excessive memory allocatio |
| CVE-2025-23166 | High | 7.5 | | < 26.3.1-1.1 | 26.3.1-1.1 | May 19, 2025 | The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentiall |
| CVE-2025-23165 | Low | 3.7 | | < 26.3.1-1.1 | 26.3.1-1.1 | May 19, 2025 | In Node.js, the `ReadFileUtf8` internal binding leaks memory due to a corrupted pointer in `uv_fs_s.file`: a UTF-16 path buffer is allocated but subsequently overwritten when the file descriptor is set. This results in an unrecoverable memory leak on every call. Repeated use can |
| CVE-2025-23085 | Med | 5.3 | | < 26.3.1-1.1 | 26.3.1-1.1 | Feb 7, 2025 | A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could lead to inc |
| CVE-2025-23083 | High | 7.7 | | < 26.3.1-1.1 | 26.3.1-1.1 | Jan 22, 2025 | With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created. This is not limited only to workers but also exposes internal workers, where an instance of them can be fetched, and its constructor can be grabbed and reinstated for |
Page 1 of 2