nodejs:18 security update

Errata ID: AXSA:2025-9678:01

Release date: Wednesday, February 19, 2025 - 16:23
Subject: nodejs:18 security update
Affected Channels: Asianux Server 8 for x86_64
Severity: Moderate
Description: 

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

Security Fix(es):

* undici: Undici Uses Insufficiently Random Values (CVE-2025-22150)
* nodejs: GOAWAY HTTP/2 frames cause memory leak outside heap (CVE-2025-23085)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2025-22150
Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to versions 5.28.5, 6.21.1, and 7.2.3, undici uses `Math.random()` to choose the boundary for a multipart/form-data request. It is known that the output of `Math.random()` can be predicted if several of its generated values are known. If an app has a mechanism that sends multipart requests to an attacker-controlled website, the attacker can use it to leak the necessary values. Therefore, an attacker can tamper with the requests going to the backend APIs if certain conditions are met. This is fixed in versions 5.28.5, 6.21.1, and 7.2.3. As a workaround, do not issue multipart requests to attacker-controlled servers.

CVE-2025-23085
A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could lead to increased memory consumption and potential denial of service under certain conditions. This vulnerability affects HTTP/2 Server users on Node.js v18.x, v20.x, v22.x and v23.x.
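
One way to check a project against the CVE-2025-22150 version ranges given above, as an added example that is not part of the original advisory: it flags every copy of undici recorded in an npm lockfile (lockfileVersion 2 or 3) whose version falls in the affected range. The lockfile contents and the `uploader` package are constructed for illustration.

```javascript
// Added example: audit a lockfile for undici versions affected by CVE-2025-22150.
// Ranges come from the advisory text: affected from 4.5.0, fixed in 5.28.5, 6.21.1, 7.2.3.
const FIRST_AFFECTED = [4, 5, 0];
const FIXED_BY_MAJOR = { 5: [5, 28, 5], 6: [6, 21, 1], 7: [7, 2, 3] };

function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns true (affected), false (not affected) or null (version string not parseable).
function isAffected(version) {
  const v = parseVersion(version);
  if (v === null) return null;
  if (compare(v, FIRST_AFFECTED) < 0) return false; // predates the Math.random() boundary
  const fixed = FIXED_BY_MAJOR[v[0]];
  if (fixed) return compare(v, fixed) < 0;
  return v[0] < 5; // 4.5.0+ has no fixed 4.x release; majors above 7 postdate the fix
}

// Walks the "packages" map of an npm lockfile and reports every installed
// copy of undici, including copies nested under other dependencies.
function findUndici(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === 'node_modules/undici' || path.endsWith('/node_modules/undici')) {
      hits.push({ path, version: meta.version, affected: isAffected(meta.version) });
    }
  }
  return hits;
}

// Constructed sample lockfile; the "uploader" package is hypothetical.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', version: '1.0.0' },
    'node_modules/undici': { version: '6.21.1' },
    'node_modules/uploader': { version: '2.0.0' },
    'node_modules/uploader/node_modules/undici': { version: '5.28.4' },
  },
};

console.log(findUndici(SAMPLE_LOCK));
```

Node.js also ships its own bundled copy of undici, which is what the nodejs package update addresses; on releases that expose it, `process.versions.undici` reports that version and can be passed to `isAffected`.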

Modularity name: "nodejs"
Stream name: "18"

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. nodejs-nodemon-3.0.1-1.module+el8+1851+3e4e12ae.src.rpm
    Size: 340.68 kB
  2. nodejs-packaging-2021.06-4.module+el8+1851+3e4e12ae.src.rpm
    Size: 30.29 kB
  3. nodejs-18.20.6-1.module+el8+1851+3e4e12ae.src.rpm
    Size: 122.26 MB

Asianux Server 8 for x86_64
  1. nodejs-18.20.6-1.module+el8+1851+3e4e12ae.x86_64.rpm
    Size: 13.34 MB
  2. nodejs-debugsource-18.20.6-1.module+el8+1851+3e4e12ae.x86_64.rpm
    Size: 14.40 MB
  3. nodejs-devel-18.20.6-1.module+el8+1851+3e4e12ae.x86_64.rpm
    Size: 208.28 kB
  4. nodejs-docs-18.20.6-1.module+el8+1851+3e4e12ae.noarch.rpm
    Size: 10.18 MB
  5. nodejs-full-i18n-18.20.6-1.module+el8+1851+3e4e12ae.x86_64.rpm
    Size: 8.17 MB
  6. nodejs-nodemon-3.0.1-1.module+el8+1851+3e4e12ae.noarch.rpm
    Size: 282.09 kB
  7. nodejs-packaging-2021.06-4.module+el8+1851+3e4e12ae.noarch.rpm
    Size: 24.14 kB
  8. nodejs-packaging-bundler-2021.06-4.module+el8+1851+3e4e12ae.noarch.rpm
    Size: 13.76 kB
  9. npm-10.8.2-1.18.20.6.1.module+el8+1851+3e4e12ae.x86_64.rpm
    Size: 2.02 MB