rpm package: suse/nodejs22
Distro: SUSE Linux Enterprise Module for Web and Scripting 15 SP6
Package URL: pkg:rpm/suse/nodejs22&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP6
Vulnerabilities (5)
| CVE | Severity | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-23166 | High | 7.5 | | < 22.15.1-150600.13.9.1 | 22.15.1-150600.13.9.1 | May 19, 2025 | The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentiall |
| CVE-2025-23165 | Low | 3.7 | | < 22.15.1-150600.13.9.1 | 22.15.1-150600.13.9.1 | May 19, 2025 | In Node.js, the `ReadFileUtf8` internal binding leaks memory due to a corrupted pointer in `uv_fs_s.file`: a UTF-16 path buffer is allocated but subsequently overwritten when the file descriptor is set. This results in an unrecoverable memory leak on every call. Repeated use can |
| CVE-2025-23085 | Medium | 5.3 | | < 22.13.1-150600.13.6.1 | 22.13.1-150600.13.6.1 | Feb 7, 2025 | A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could lead to inc |
| CVE-2025-23083 | High | 7.7 | | < 22.13.1-150600.13.6.1 | 22.13.1-150600.13.6.1 | Jan 22, 2025 | With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created. This is not limited only to workers but also exposes internal workers, where an instance of them can be fetched, and its constructor can be grabbed and reinstated for |
| CVE-2025-22150 | Medium | 6.8 | | < 22.13.1-150600.13.6.1 | 22.13.1-150600.13.6.1 | Jan 21, 2025 | Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to versions 5.28.5, 6.21.1, and 7.2.3, undici uses `Math.random()` to choose the boundary for a multipart/form-data request. It is known that the output of `Math.random()` can be predicted if several of its generat |