nodejs:20 security update
Errata ID: AXSA:2026-220:01
Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.
Security Fix(es):
* nodejs: Nodejs filesystem permissions bypass (CVE-2025-55132)
* nodejs: Nodejs denial of service (CVE-2026-21637)
* nodejs: Nodejs denial of service (CVE-2025-59466)
* nodejs: Nodejs denial of service (CVE-2025-59465)
* nodejs: Nodejs uninitialized memory exposure (CVE-2025-55131)
* nodejs: Nodejs file permissions bypass (CVE-2025-55130)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2025-55130
A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write, leading to potential system compromise. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.
CVE-2025-55131
A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption. While exploitation typically requires precise timing or in-process code execution, it can become remotely exploitable when untrusted input influences workload and timeouts, leading to potential confidentiality and integrity impact.
CVE-2025-55132
A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.
CVE-2025-59465
A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets, for example:
```
server.on('secureConnection', socket => {
  socket.on('error', err => {
    console.log(err)
  })
})
```
CVE-2025-59466
We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on('uncaughtException')`, the process terminates, making the crash unrecoverable. Applications that rely on `AsyncLocalStorage` (v22, v20) or `async_hooks.createHook()` (v24, v22, v20) become vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions.
CVE-2026-21637
A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across Node.js versions where these callbacks throw without being safely wrapped.
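For CVE-2025-59465 and CVE-2026-21637 above, the following added example (not code from the Node.js project or from this advisory) shows application-side hardening to use alongside the package update: handshake callbacks are wrapped so a synchronous throw becomes a refused handshake, and error listeners are attached to the server and to each secure socket. The helper names `guard`, `hardenTlsCallbacks` and `attachSocketErrorHandlers` are hypothetical; the fallbacks rely on the documented behaviour that an `ALPNCallback` returning `undefined` rejects the connection and a `pskCallback` returning `null` stops PSK negotiation.

```javascript
// Added example, not Node.js project code. All helper names are hypothetical.

// Wrap a handshake callback so a synchronous throw becomes a clean refusal.
function guard(fn, fallback, log) {
  return function guarded(...args) {
    try {
      return fn.apply(this, args);
    } catch (err) {
      log('tls callback threw: ' + err.message);
      return fallback;
    }
  };
}

// Return a copy of the tls.createServer() options with both callbacks wrapped.
function hardenTlsCallbacks(options, log = console.error) {
  const out = { ...options };
  if (typeof options.ALPNCallback === 'function') {
    const alpn = guard(options.ALPNCallback, undefined, log);
    out.ALPNCallback = (info) => {
      const choice = alpn(info);
      // Node throws if the returned string was not offered by the client,
      // so anything else is turned into undefined (handshake rejected).
      const offered = Array.isArray(info && info.protocols) ? info.protocols : [];
      return offered.includes(choice) ? choice : undefined;
    };
  }
  if (typeof options.pskCallback === 'function') {
    const psk = guard(options.pskCallback, null, log);
    out.pskCallback = (socket, identity) => {
      const key = psk(socket, identity);
      // null stops PSK negotiation; only binary keys are passed through.
      return ArrayBuffer.isView(key) ? key : null;
    };
  }
  return out;
}

// Per-socket 'error' listener from the advisory, plus 'tlsClientError',
// so a reset during the handshake is logged instead of going unhandled.
function attachSocketErrorHandlers(server, log = console.error) {
  server.on('secureConnection', (socket) => {
    socket.on('error', (err) => log('tls socket error: ' + err.code));
  });
  server.on('tlsClientError', (err) => log('tls client error: ' + err.code));
  return server;
}
```

Typical use is `attachSocketErrorHandlers(tls.createServer(hardenTlsCallbacks(options)))`; the same listeners apply to servers created with `http2.createSecureServer()`.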
Modularity name: "nodejs"
Stream name: "20"
Update packages.
SRPMS
- nodejs-nodemon-3.0.1-1.module+el9+1131+70c93167.src.rpm
MD5: c6980f3cf74a781bf32a9e156447eda1
SHA-256: cf6236d6e9be206b6c22f3d24fbb0d3004fdd4ea43048de8c99e83c38494c623
Size: 339.27 kB
- nodejs-packaging-2021.06-5.module+el9+1131+70c93167.src.rpm
MD5: 611d735779fea521556825f4c16ce348
SHA-256: ba2af7e3fa497e38cc4809499ac3a2bc82059009d59b6c7d06fed86d07e044a7
Size: 25.17 kB
- nodejs-20.20.0-1.module+el9+1131+70c93167.src.rpm
MD5: 97c5e71e4eeadc46157ada0e7964148d
SHA-256: 48f4c04ff07eceed8c4c5374dd3ba70c37c0a004ce15d83acdb77f57e436f463
Size: 82.88 MB
Asianux Server 9 for x86_64
- nodejs-20.20.0-1.module+el9+1131+70c93167.x86_64.rpm
MD5: 271420b6c8c055c4ec374f5ee59fbc09
SHA-256: db7a420b7f778267899898aca14aa89bf9facad434f9e0152ac6b21ae86bb055
Size: 14.13 MB
- nodejs-debugsource-20.20.0-1.module+el9+1131+70c93167.x86_64.rpm
MD5: 1003d921fe4734b7d597b81172c1b886
SHA-256: 889b7064c239ab20c0618afe28653cd6bcfab9dc834c1a28ef7115322db0a56b
Size: 12.68 MB
- nodejs-devel-20.20.0-1.module+el9+1131+70c93167.x86_64.rpm
MD5: 6f18d1c37a65bfae5839c7326854d865
SHA-256: 09754dd32c72dff5b54becf945cc54498a9cfe009273d8e46701c2ca8e67b557
Size: 258.85 kB
- nodejs-docs-20.20.0-1.module+el9+1131+70c93167.noarch.rpm
MD5: 4dc6e6f42dc8e81b01b6d711fafd77c6
SHA-256: fb84580771e095690d4e92777d9afb3450bb7d7328a84714b4c5accef175698f
Size: 8.62 MB
- nodejs-full-i18n-20.20.0-1.module+el9+1131+70c93167.x86_64.rpm
MD5: 1aef56877f6efd2300bb0ae5714681b9
SHA-256: e857f431b11e1c5b29ff8c86b8ffb9ecc658b82947f3a17d91325dedf2bcada4
Size: 8.60 MB
- nodejs-nodemon-3.0.1-1.module+el9+1131+70c93167.noarch.rpm
MD5: 6f976d85fc3b8934a7758df87aa5803b
SHA-256: 998f1e95bc9675132b7742618a7a6af51edbde2167b025dac3a14adc981a1128
Size: 332.32 kB
- nodejs-packaging-2021.06-5.module+el9+1131+70c93167.noarch.rpm
MD5: edc732760c244412e603d5b61f248f60
SHA-256: 6456c950372eb9a0fd2a7a53352c8ef22fbc673f5110599fd1d8e23aa1a634e5
Size: 18.50 kB
- nodejs-packaging-bundler-2021.06-5.module+el9+1131+70c93167.noarch.rpm
MD5: 19643e585f65180af707723801b9d95c
SHA-256: a4ce180bd77769c1b8c52ed54687fb72363e2c4edb793b18ac79e14950be35ff
Size: 8.34 kB
- npm-10.8.2-1.20.20.0.1.module+el9+1131+70c93167.x86_64.rpm
MD5: bc5337b42de3a69e6628bc26385d7a9a
SHA-256: 6020d1affc3d9599055bbba1aac00bc2df8a4b267b7a9ee7d800d126ab80369c
Size: 2.22 MB