nodejs:18 security update
Errata ID: AXSA:2025-9678:01
Release date:
2025/02/19 Wednesday - 16:23
Title:
nodejs:18 security update
Affected channels:
Asianux Server 8 for x86_64
Severity:
Moderate
Description:
The following issues have been addressed.
[Security Fix]
- The Math.random() function used by the undici package in Node.js has an issue whereby the predictability of its output values can be exploited for out-of-bounds access to the multipart request data region. A remote attacker can therefore disclose information and tamper with request data by sending a crafted multipart request. (CVE-2025-22150)
- nghttp2 in Node.js has a vulnerability that allows a remote attacker to cause a denial of service (memory leak) by closing the socket without sending a GOAWAY notification. (CVE-2025-23085)
Modularity name: nodejs
Stream name: 18
Solution:
Update the packages.
CVE:
CVE-2025-22150
Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to versions 5.28.5, 6.21.1, and 7.2.3, undici uses `Math.random()` to choose the boundary for a multipart/form-data request. It is known that the output of `Math.random()` can be predicted if several of its generated values are known. If there is a mechanism in an app that sends multipart requests to an attacker-controlled website, they can use this to leak the necessary values. Therefore, an attacker can tamper with the requests going to the backend APIs if certain conditions are met. This is fixed in versions 5.28.5, 6.21.1, and 7.2.3. As a workaround, do not issue multipart requests to attacker-controlled servers.
CVE-2025-23085
A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could lead to increased memory consumption and potential denial of service under certain conditions. This vulnerability affects HTTP/2 Server users on Node.js v18.x, v20.x, v22.x and v23.x.
Additional information:
N/A
Downloads:
SRPMS
- nodejs-nodemon-3.0.1-1.module+el8+1851+3e4e12ae.src.rpm
Size: 340.68 kB
- nodejs-packaging-2021.06-4.module+el8+1851+3e4e12ae.src.rpm
Size: 30.29 kB
- nodejs-18.20.6-1.module+el8+1851+3e4e12ae.src.rpm
Size: 122.26 MB
Asianux Server 8 for x86_64
- nodejs-18.20.6-1.module+el8+1851+3e4e12ae.x86_64.rpm
Size: 13.34 MB
- nodejs-debugsource-18.20.6-1.module+el8+1851+3e4e12ae.x86_64.rpm
Size: 14.40 MB
- nodejs-devel-18.20.6-1.module+el8+1851+3e4e12ae.x86_64.rpm
Size: 208.28 kB
- nodejs-docs-18.20.6-1.module+el8+1851+3e4e12ae.noarch.rpm
Size: 10.18 MB
- nodejs-full-i18n-18.20.6-1.module+el8+1851+3e4e12ae.x86_64.rpm
Size: 8.17 MB
- nodejs-nodemon-3.0.1-1.module+el8+1851+3e4e12ae.noarch.rpm
Size: 282.09 kB
- nodejs-packaging-2021.06-4.module+el8+1851+3e4e12ae.noarch.rpm
Size: 24.14 kB
- nodejs-packaging-bundler-2021.06-4.module+el8+1851+3e4e12ae.noarch.rpm
Size: 13.76 kB
- npm-10.8.2-1.18.20.6.1.module+el8+1851+3e4e12ae.x86_64.rpm
Size: 2.02 MB