[security - high] nodejs:20 security update
エラータID: AXSA:2026-187:01
Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.
Security Fix(es):
* nodejs: Nodejs filesystem permissions bypass (CVE-2025-55132)
* nodejs: Nodejs denial of service (CVE-2026-21637)
* nodejs: Nodejs denial of service (CVE-2025-59466)
* nodejs: Nodejs denial of service (CVE-2025-59465)
* nodejs: Nodejs uninitialized memory exposure (CVE-2025-55131)
* nodejs: Nodejs file permissions bypass (CVE-2025-55130)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2025-55130
A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write, leading to potential system compromise. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.
CVE-2025-55131
A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption. While exploitation typically requires precise timing or in-process code execution, it can become remotely exploitable when untrusted input influences workload and timeouts, leading to potential confidentiality and integrity impact.
CVE-2025-55132
A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.
CVE-2025-59465
A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets, for example: ``` server.on('secureConnection', socket => { socket.on('error', err => { console.log(err) }) }) ```
CVE-2025-59466
We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on('uncaughtException')`, the process terminates, making the crash unrecoverable. Applications that rely on `AsyncLocalStorage` (v22, v20) or `async_hooks.createHook()` (v24, v22, v20) become vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions.
CVE-2026-21637
A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across Node.js versions where these callbacks throw without being safely wrapped.
Modularity name: "nodejs"
Stream name: "20"
Update packages.
A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write, leading to potential system compromise. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.
A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption. While exploitation typically requires precise timing or in-process code execution, it can become remotely exploitable when untrusted input influences workload and timeouts, leading to potential confidentiality and integrity impact.
A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.
A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets, for example: ``` server.on('secureConnection', socket => { socket.on('error', err => { console.log(err) }) }) ```
We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on('uncaughtException')`, the process terminates, making the crash unrecoverable. Applications that rely on `AsyncLocalStorage` (v22, v20) or `async_hooks.createHook()` (v24, v22, v20) become vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions.
A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across Node.js versions where these callbacks throw without being safely wrapped.
N/A
SRPMS
- nodejs-nodemon-3.0.1-1.module+el8+1952+34cf74eb.src.rpm
MD5: 3cac1400d4a69baf51d628b6cc1c1d2d
SHA-256: b3ed889c427cd711e1d1927380c994e66319cef50735bd9adf50dd9ade75db76
Size: 339.85 kB - nodejs-packaging-2021.06-5.module+el8+1952+34cf74eb.src.rpm
MD5: d0d649af8b7947c5e7578496b81cb111
SHA-256: db86b59eaa8ca9304bef36a8de550695776b89c9122fcbfac01d429fa8bf9175
Size: 30.44 kB - nodejs-20.20.0-1.module+el8+1952+34cf74eb.src.rpm
MD5: 8fefa5c54c98df404b6ceeffb64b184b
SHA-256: b2ba9b8cf2a5e7de8d27e5eeedd24d967e9925933a900921cfddfb85a230e347
Size: 82.93 MB
Asianux Server 8 for x86_64
- nodejs-20.20.0-1.module+el8+1952+34cf74eb.x86_64.rpm
MD5: d1a1699ce0c3700cb1a9b48b7553c5db
SHA-256: 20c51e1d09a24e0444ffbe519530c37f87fc6ba05f5daea935d3eb479f65fc96
Size: 14.50 MB - nodejs-debugsource-20.20.0-1.module+el8+1952+34cf74eb.x86_64.rpm
MD5: 22a4d604987b526b486d3f2882a1781f
SHA-256: 9917038c89bcecb29f3c2703bb141f680992f01b1772fcecfc6eb962481c0084
Size: 11.95 MB - nodejs-devel-20.20.0-1.module+el8+1952+34cf74eb.x86_64.rpm
MD5: b8d2059fd78f4dd1d26672efc697b46a
SHA-256: cd46c28d7af66b2150fcf45807098b5cea1edce0746909b31ffdb5fcb7fced40
Size: 263.40 kB - nodejs-docs-20.20.0-1.module+el8+1952+34cf74eb.noarch.rpm
MD5: adb59a2fe5db44e3567a74ac6de19442
SHA-256: f11472ad139ba2eb0db876b47c9313d78292d242217e49962bc4073df043f8ae
Size: 10.95 MB - nodejs-full-i18n-20.20.0-1.module+el8+1952+34cf74eb.x86_64.rpm
MD5: 8b4cc934965682a1ab29d35f22196be7
SHA-256: 0dd7e83dcb5ad43ac3ea6db53a6c19d166dab318c3920ad17ef4b271aa4a72ec
Size: 8.33 MB - nodejs-nodemon-3.0.1-1.module+el8+1952+34cf74eb.noarch.rpm
MD5: 6c4f57dae446d84c556b8d5d10fc88ac
SHA-256: 50848076471f68928e9114b050523a2c7bb028d97050753f392a7920fb87105f
Size: 281.65 kB - nodejs-packaging-2021.06-5.module+el8+1952+34cf74eb.noarch.rpm
MD5: cde087f7270649be8bd4c361308ac533
SHA-256: 189a591482c286dd004ba68ea5ce103f9922c2dde86cc2b8b227acbee091ff0f
Size: 24.23 kB - nodejs-packaging-bundler-2021.06-5.module+el8+1952+34cf74eb.noarch.rpm
MD5: 9f2585239927326c60b7207e9820d97b
SHA-256: 29c896eacc3361c189ab9648a2098f1e91e21be672429b4aa131fc7b4300e37e
Size: 13.85 kB - npm-10.8.2-1.20.20.0.1.module+el8+1952+34cf74eb.x86_64.rpm
MD5: 386f0fadf86260069657178c8cd13b59
SHA-256: 44f52c89f8a9a2b43268d51effc2a2df7622411f6e8dfabe662977b9d543fc6b
Size: 2.02 MB