rpm package
suse/nodejs24&distro=SUSE Linux Enterprise Module for Web and Scripting 15 SP7
pkg:rpm/suse/nodejs24&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP7
Vulnerabilities (9)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-21717 | Med | 5.9 | < 24.14.1-150700.15.8.1 | 24.14.1-150700.15.8.1 | Mar 30, 2026 | A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade perfo | |
| CVE-2026-21716 | Low | 3.3 | < 24.14.1-150700.15.8.1 | 24.14.1-150700.15.8.1 | Mar 30, 2026 | An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and `FileHandle.chown()` in the promises API without the required permission checks, while their callback-based equivalents (`fs.fchmod()`, `fs.fchown()`) were correctly patched. As a result, code running under ` | |
| CVE-2026-21715 | Low | 3.3 | < 24.14.1-150700.15.8.1 | 24.14.1-150700.15.8.1 | Mar 30, 2026 | A flaw in Node.js Permission Model filesystem enforcement leaves `fs.realpathSync.native()` without the required read permission checks, while all comparable filesystem functions correctly enforce them. As a result, code running under `--permission` with restricted `--allow-fs | |
| CVE-2026-21714 | Med | 5.3 | < 24.14.1-150700.15.8.1 | 24.14.1-150700.15.8.1 | Mar 30, 2026 | A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2³¹-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned | |
| CVE-2026-21713 | Med | 5.9 | < 24.14.1-150700.15.8.1 | 24.14.1-150700.15.8.1 | Mar 30, 2026 | A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possibl | |
| CVE-2026-21710 | Hig | 7.5 | < 24.14.1-150700.15.8.1 | 24.14.1-150700.15.8.1 | Mar 30, 2026 | A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`. When this occurs, `dest["__proto__"]` resolves to `Object.prototype` rather than `undefined`, c | |
| CVE-2026-21712 | Med | 5.7 | < 24.14.1-150700.15.8.1 | 24.14.1-150700.15.8.1 | Mar 30, 2026 | A flaw in Node.js URL processing causes an assertion failure in native code when `url.format()` is called with a malformed internationalized domain name (IDN) containing invalid characters, crashing the Node.js process. | |
| CVE-2025-59464 | — | < 24.14.1-150700.15.8.1 | 24.14.1-150700.15.8.1 | Jan 20, 2026 | A memory leak in Node.js’s OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. When applications call `socket.getPeerCertificate(true)`, each certificate field leaks memory, allowing remote clients to trigger steady | ||
| CVE-2026-21637 | — | < 24.14.1-150700.15.8.1 | 24.14.1-150700.15.8.1 | Jan 20, 2026 | A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), ca |
- affected < 24.14.1-150700.15.8.1fixed 24.14.1-150700.15.8.1
A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade perfo
- affected < 24.14.1-150700.15.8.1fixed 24.14.1-150700.15.8.1
An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and `FileHandle.chown()` in the promises API without the required permission checks, while their callback-based equivalents (`fs.fchmod()`, `fs.fchown()`) were correctly patched. As a result, code running under `
- affected < 24.14.1-150700.15.8.1fixed 24.14.1-150700.15.8.1
A flaw in Node.js Permission Model filesystem enforcement leaves `fs.realpathSync.native()` without the required read permission checks, while all comparable filesystem functions correctly enforce them. As a result, code running under `--permission` with restricted `--allow-fs
- affected < 24.14.1-150700.15.8.1fixed 24.14.1-150700.15.8.1
A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2³¹-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned
- affected < 24.14.1-150700.15.8.1fixed 24.14.1-150700.15.8.1
A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possibl
- affected < 24.14.1-150700.15.8.1fixed 24.14.1-150700.15.8.1
A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`. When this occurs, `dest["__proto__"]` resolves to `Object.prototype` rather than `undefined`, c
- affected < 24.14.1-150700.15.8.1fixed 24.14.1-150700.15.8.1
A flaw in Node.js URL processing causes an assertion failure in native code when `url.format()` is called with a malformed internationalized domain name (IDN) containing invalid characters, crashing the Node.js process.
- CVE-2025-59464Jan 20, 2026affected < 24.14.1-150700.15.8.1fixed 24.14.1-150700.15.8.1
A memory leak in Node.js’s OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. When applications call `socket.getPeerCertificate(true)`, each certificate field leaks memory, allowing remote clients to trigger steady
- CVE-2026-21637Jan 20, 2026affected < 24.14.1-150700.15.8.1fixed 24.14.1-150700.15.8.1
A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), ca