VYPR

rpm package

suse/nodejs22&distro=SUSE Linux Enterprise Server 15 SP6-LTSS

pkg:rpm/suse/nodejs22&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP6-LTSS

Vulnerabilities (13)

  • CVE-2026-21717MedMar 30, 2026
    affected < 22.22.2-150600.13.15.1fixed 22.22.2-150600.13.15.1

    A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade perfo

  • CVE-2026-21716LowMar 30, 2026
    affected < 22.22.2-150600.13.15.1fixed 22.22.2-150600.13.15.1

    An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and `FileHandle.chown()` in the promises API without the required permission checks, while their callback-based equivalents (`fs.fchmod()`, `fs.fchown()`) were correctly patched. As a result, code running under `

  • CVE-2026-21715LowMar 30, 2026
    affected < 22.22.2-150600.13.15.1fixed 22.22.2-150600.13.15.1

    A flaw in Node.js Permission Model filesystem enforcement leaves `fs.realpathSync.native()` without the required read permission checks, while all comparable filesystem functions correctly enforce them. As a result, code running under `--permission` with restricted `--allow-fs

  • CVE-2026-21714MedMar 30, 2026
    affected < 22.22.2-150600.13.15.1fixed 22.22.2-150600.13.15.1

    A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2³¹-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned

  • CVE-2026-21713MedMar 30, 2026
    affected < 22.22.2-150600.13.15.1fixed 22.22.2-150600.13.15.1

    A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possibl

  • CVE-2026-21710HigMar 30, 2026
    affected < 22.22.2-150600.13.15.1fixed 22.22.2-150600.13.15.1

    A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`. When this occurs, `dest["__proto__"]` resolves to `Object.prototype` rather than `undefined`, c

  • CVE-2025-55131HigJan 20, 2026
    affected < 22.22.0-150600.13.12.1fixed 22.22.0-150600.13.12.1

    A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Ar

  • CVE-2025-59466Jan 20, 2026
    affected < 22.22.0-150600.13.12.1fixed 22.22.0-150600.13.12.1

    We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on('uncaughtException')`, the process terminates, making the crash unrecoverable. Applica

  • CVE-2025-55132Jan 20, 2026
    affected < 22.22.0-150600.13.12.1fixed 22.22.0-150600.13.12.1

    A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can

  • CVE-2025-55130Jan 20, 2026
    affected < 22.22.0-150600.13.12.1fixed 22.22.0-150600.13.12.1

    A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and

  • CVE-2026-21637Jan 20, 2026
    affected < 22.22.0-150600.13.12.1fixed 22.22.0-150600.13.12.1

    A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), ca

  • CVE-2025-59465Jan 20, 2026
    affected < 22.22.0-150600.13.12.1fixed 22.22.0-150600.13.12.1

    A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects

  • CVE-2026-22036Jan 14, 2026
    affected < 22.22.0-150600.13.12.1fixed 22.22.0-150600.13.12.1

    Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands compression steps leading to high CPU usage and excessive memory allocatio