rpm package
suse/nodejs22&distro=SUSE Linux Enterprise Server for SAP applications 16.0
pkg:rpm/suse/nodejs22&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0
Vulnerabilities (7)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-55131 | High | 7.1 | | < 22.22.0-160000.1.1 | 22.22.0-160000.1.1 | Jan 20, 2026 | A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Ar |
| CVE-2025-59466 | — | | | < 22.22.0-160000.1.1 | 22.22.0-160000.1.1 | Jan 20, 2026 | We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on('uncaughtException')`, the process terminates, making the crash unrecoverable. Applica |
| CVE-2025-55132 | — | | | < 22.22.0-160000.1.1 | 22.22.0-160000.1.1 | Jan 20, 2026 | A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can |
| CVE-2025-55130 | — | | | < 22.22.0-160000.1.1 | 22.22.0-160000.1.1 | Jan 20, 2026 | A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and |
| CVE-2026-21637 | — | | | < 22.22.0-160000.1.1 | 22.22.0-160000.1.1 | Jan 20, 2026 | A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), ca |
| CVE-2025-59465 | — | | | < 22.22.0-160000.1.1 | 22.22.0-160000.1.1 | Jan 20, 2026 | A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects |
| CVE-2026-22036 | — | | | < 22.22.0-160000.1.1 | 22.22.0-160000.1.1 | Jan 14, 2026 | Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands compression steps leading to high CPU usage and excessive memory allocatio |