nodejs:20 security update

Errata ID: AXSA:2025-9674:01

Release date: 
Tuesday, February 18, 2025 - 19:16
Subject: 
nodejs:20 security update
Affected Channels: 
Asianux Server 8 for x86_64
Severity: 
High
Description: 

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

Security Fix(es):

* undici: Undici Uses Insufficiently Random Values (CVE-2025-22150)
* nodejs: Node.js Worker Thread Exposure via Diagnostics Channel (CVE-2025-23083)
* nodejs: GOAWAY HTTP/2 frames cause memory leak outside heap (CVE-2025-23085)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2025-22150
Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to versions 5.28.5, 6.21.1, and 7.2.3, undici uses `Math.random()` to choose the boundary for a multipart/form-data request. It is known that the output of `Math.random()` can be predicted once several of its generated values are known. If an application has a mechanism that sends multipart requests to an attacker-controlled website, the attacker can use it to leak the values needed to predict future boundaries. With a predicted boundary, an attacker who controls any field value can tamper with the requests going to the backend APIs, if certain conditions are met. This is fixed in versions 5.28.5, 6.21.1, and 7.2.3. As a workaround, do not issue multipart requests to attacker-controlled servers.
CVE-2025-23083
With the aid of the diagnostics_channel utility, an event can be hooked whenever a worker thread is created. The hook is not limited to user-created workers: it also exposes Node's internal workers, from which an instance can be obtained and its constructor retrieved and reinstated for malicious use. This vulnerability affects users of the Permission Model (--permission) on Node.js v20, v22, and v23.
CVE-2025-23085
A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. The same leak was also triggered when nghttp2 detected an invalid header and the peer terminated the connection as a result. This flaw could lead to increased memory consumption and potential denial of service under certain conditions. This vulnerability affects HTTP/2 server users on Node.js v18.x, v20.x, v22.x and v23.x.

Modularity name: "nodejs"
Stream name: "20"

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. nodejs-nodemon-3.0.1-1.module+el8+1849+68317c0c.src.rpm
    MD5: 31a4a6cea82f37fbc2168f80c7dfface
    SHA-256: f13f360ac808b75c13f55a2bb1cb7d4db50b1ff2877d2a515325155bc35598f4
    Size: 339.85 kB
  2. nodejs-packaging-2021.06-4.module+el8+1849+68317c0c.src.rpm
    MD5: 907639359685d3ac0cf922a183753a1e
    SHA-256: c9618c85d674bfa9fbd26eaa556a9092ee03841a200d37bd25085f1a9000cc1b
    Size: 30.29 kB
  3. nodejs-20.18.2-1.module+el8+1849+68317c0c.src.rpm
    MD5: 2f01746753dda519b78de2d43d242a00
    SHA-256: 04daa2b9d4ff9a2285abcf8bf07e48d072b51dbc79ce3a34ab08be31a924d0ab
    Size: 82.44 MB

Asianux Server 8 for x86_64
  1. nodejs-20.18.2-1.module+el8+1849+68317c0c.x86_64.rpm
    MD5: a8989d21c402e0631dec231d186ac9e8
    SHA-256: c9f74191c3edbe1d26fba29f97401937df906bcae11351e1e359db5e577039d3
    Size: 14.41 MB
  2. nodejs-debugsource-20.18.2-1.module+el8+1849+68317c0c.x86_64.rpm
    MD5: 6341e11090d9143c79587fa6d3a15edd
    SHA-256: ebc8f8756729141522edeb40d4bcd83f0eb0d9aa7d01638d0cb4884de737633d
    Size: 11.86 MB
  3. nodejs-devel-20.18.2-1.module+el8+1849+68317c0c.x86_64.rpm
    MD5: 1b487b075fb38253726b0c6b6bb1608b
    SHA-256: 4467a5e26dff0cf1d3a4d6e0a11423d713ab42d3991576b78b75aec12446d57f
    Size: 262.47 kB
  4. nodejs-docs-20.18.2-1.module+el8+1849+68317c0c.noarch.rpm
    MD5: d6936ad3b73cf3c5e162e8991fd1ec85
    SHA-256: 42c8d98a24bb63db41d74329fafddd406b861555a29c5bbb57e010c30c16799d
    Size: 10.85 MB
  5. nodejs-full-i18n-20.18.2-1.module+el8+1849+68317c0c.x86_64.rpm
    MD5: 42343eef995ba053deb1fcde44bc3892
    SHA-256: ec3fd9fa09b94f3e2c7584ccc2b26064f7c3c377658bdceb09d3f5f7404c8e6b
    Size: 8.16 MB
  6. nodejs-nodemon-3.0.1-1.module+el8+1849+68317c0c.noarch.rpm
    MD5: 54e4273221e66b591071b420250fdfad
    SHA-256: a82ab5468c77869c32abf2894143636bc2e29840acc217a2a7127261df6be69f
    Size: 281.65 kB
  7. nodejs-packaging-2021.06-4.module+el8+1849+68317c0c.noarch.rpm
    MD5: 0def9e40aefe0193a23f432594e493e3
    SHA-256: 511d9d37b686909e97d784b9bb8e1442d768e5515106bf2b8046797132ff4638
    Size: 24.14 kB
  8. nodejs-packaging-bundler-2021.06-4.module+el8+1849+68317c0c.noarch.rpm
    MD5: 835271a138ad0c29418968e0fb98a7e7
    SHA-256: 7553c840f84b55dbef9b1a545504434302d21150fd846f3b4567f2043bfdf3cc
    Size: 13.76 kB
  9. npm-10.8.2-1.20.18.2.1.module+el8+1849+68317c0c.x86_64.rpm
    MD5: da7f25543a546aa63d2a192f6063a8cc
    SHA-256: ba45b9be360fee595c4bddd619409f84f26078af668aea34f8c07724627beaf1
    Size: 2.02 MB