rpm package: opensuse/nodejs26 (distro: openSUSE Tumbleweed)
pkg:rpm/opensuse/nodejs26&distro=openSUSE%20Tumbleweed
Vulnerabilities (27)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-22150 | Med | 6.8 | | < 26.3.1-1.1 | 26.3.1-1.1 | Jan 21, 2025 | Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to versions 5.28.5, 6.21.1, and 7.2.3, undici uses `Math.random()` to choose the boundary for a multipart/form-data request. It is known that the output of `Math.random()` can be predicted if several of its generat |
| CVE-2024-37372 | Low | 3.6 | | < 26.3.1-1.1 | 26.3.1-1.1 | Jan 9, 2025 | The Permission Model assumes that any path starting with two backslashes `\\` has a four-character prefix that can be ignored, which is not always true. This subtle bug leads to vulnerable edge cases. |
| CVE-2024-21538 | High | 7.5 | | < 26.3.1-1.1 | 26.3.1-1.1 | Nov 8, 2024 | Versions of the package cross-spawn before 6.0.6, from 7.0.0 and before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted |
| CVE-2024-36138 | High | 8.1 | | < 26.3.1-1.1 | 26.3.1-1.1 | Sep 7, 2024 | Bypass of the incomplete fix for CVE-2024-27980, arising from improper handling of batch files with all possible extensions on Windows via child_process.spawn / child_process.spawnSync. A malicious command line argument can inject arbitrary commands and achieve code execution even if |
| CVE-2024-36137 | Low | 3.3 | | < 26.3.1-1.1 | 26.3.1-1.1 | Sep 7, 2024 | A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-write flag is used. The Node.js Permission Model does not operate on file descriptors; however, operations such as fs.fchown or fs.fchmod can use a "read-only" fi |
| CVE-2024-22018 | Low | 2.9 | | < 26.3.1-1.1 | 26.3.1-1.1 | Jul 10, 2024 | A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-read flag is used. This flaw arises from an inadequate permission model that fails to restrict file stats through the fs.lstat API. As a result, malicious acto |
| CVE-2024-22020 | Med | 6.5 | | < 26.3.1-1.1 | 26.3.1-1.1 | Jul 9, 2024 | A security flaw in Node.js allows a bypass of network import restrictions. By embedding non-network imports in data URLs, an attacker can execute arbitrary code, compromising system security. Verified on various platforms, the vulnerability is mitigated by forbidding data URLs i |
Page 2 of 2