nodejs:18 security update
Errata ID: AXSA:2025-9685:01
Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.
Security Fix(es):
* undici: Undici Uses Insufficiently Random Values (CVE-2025-22150)
* nodejs: GOAWAY HTTP/2 frames cause memory leak outside heap (CVE-2025-23085)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2025-22150
Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to versions 5.28.5, 6.21.1, and 7.2.3, undici uses `Math.random()` to choose the boundary for a multipart/form-data request. It is known that the output of `Math.random()` can be predicted if several of its generated values are known. If there is a mechanism in an app that sends multipart requests to an attacker-controlled website, the attacker can use this to leak the necessary values. Therefore, an attacker can tamper with the requests going to the backend APIs if certain conditions are met. This is fixed in versions 5.28.5, 6.21.1, and 7.2.3. As a workaround, do not issue multipart requests to attacker-controlled servers.
CVE-2025-23085
A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could lead to increased memory consumption and potential denial of service under certain conditions. This vulnerability affects HTTP/2 Server users on Node.js v18.x, v20.x, v22.x and v23.x.
Modularity name: "nodejs"
Stream name: "18"
Update packages.
N/A
SRPMS
- nodejs-nodemon-3.0.1-1.module+el9+1067+602828ad.src.rpm (339.27 kB)
- nodejs-packaging-2021.06-4.module+el9+1067+602828ad.src.rpm (26.54 kB)
- nodejs-18.20.6-1.module+el9+1067+602828ad.src.rpm (122.25 MB)
Asianux Server 9 for x86_64
- nodejs-18.20.6-1.module+el9+1067+602828ad.x86_64.rpm (12.62 MB)
- nodejs-debugsource-18.20.6-1.module+el9+1067+602828ad.x86_64.rpm (12.35 MB)
- nodejs-devel-18.20.6-1.module+el9+1067+602828ad.x86_64.rpm (201.50 kB)
- nodejs-docs-18.20.6-1.module+el9+1067+602828ad.noarch.rpm (7.93 MB)
- nodejs-full-i18n-18.20.6-1.module+el9+1067+602828ad.x86_64.rpm (8.43 MB)
- nodejs-nodemon-3.0.1-1.module+el9+1067+602828ad.noarch.rpm (332.31 kB)
- nodejs-packaging-2021.06-4.module+el9+1067+602828ad.noarch.rpm (19.92 kB)
- nodejs-packaging-bundler-2021.06-4.module+el9+1067+602828ad.noarch.rpm (9.76 kB)
- npm-10.8.2-1.18.20.6.1.module+el9+1067+602828ad.x86_64.rpm (2.22 MB)