nodejs:22 security update
Errata ID: AXSA:2025-9681:01
Release date:
2025/02/19 Wednesday - 18:15
Title:
nodejs:22 security update
Affected channels:
Asianux Server 8 for x86_64
Severity:
High
Description:
The following issues have been addressed.
[Security Fix]
- The Math.random() function used by the undici package in Node.js has an issue where the multipart request data area can be accessed out of range by exploiting the predictability of its output values, so a remote attacker could leak information and tamper with request data by sending crafted multipart requests. (CVE-2025-22150)
- The diagnostics channel utility in Node.js has an issue where it permits hooking the event each time a worker thread is created, so a local attacker could leak information, corrupt data, cause denial of service, and so on. (CVE-2025-23083)
- nghttp2 in Node.js has a vulnerability that allows a remote attacker to cause denial of service (a memory leak) by closing the socket without sending a GOAWAY notification. (CVE-2025-23085)
Modularity name: nodejs
Stream name: 22
Solution:
Update the packages.
CVE:
CVE-2025-22150
Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to versions 5.28.5, 6.21.1, and 7.2.3, undici uses `Math.random()` to choose the boundary for a multipart/form-data request. It is known that the output of `Math.random()` can be predicted if several of its generated values are known. If there is a mechanism in an app that sends multipart requests to an attacker-controlled website, they can use this to leak the necessary values. Therefore, an attacker can tamper with the requests going to the backend APIs if certain conditions are met. This is fixed in versions 5.28.5, 6.21.1, and 7.2.3. As a workaround, do not issue multipart requests to attacker controlled servers.
CVE-2025-23083
With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created. This is not limited only to workers but also exposes internal workers, where an instance of them can be fetched, and its constructor can be grabbed and reinstated for malicious usage. This vulnerability affects Permission Model users (--permission) on Node.js v20, v22, and v23.
CVE-2025-23085
A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could lead to increased memory consumption and potential denial of service under certain conditions. This vulnerability affects HTTP/2 Server users on Node.js v18.x, v20.x, v22.x and v23.x.
Additional information:
N/A
Download:
SRPMS
- nodejs-nodemon-3.0.1-1.module+el8+1852+c018fdc7.src.rpm (340.07 kB)
- nodejs-packaging-2021.06-4.module+el8+1852+c018fdc7.src.rpm (30.62 kB)
- nodejs-22.13.1-1.module+el8+1852+c018fdc7.src.rpm (92.13 MB)
Asianux Server 8 for x86_64
- nodejs-22.13.1-1.module+el8+1852+c018fdc7.x86_64.rpm (2.11 MB)
- nodejs-debugsource-22.13.1-1.module+el8+1852+c018fdc7.x86_64.rpm (19.26 MB)
- nodejs-devel-22.13.1-1.module+el8+1852+c018fdc7.x86_64.rpm (266.92 kB)
- nodejs-docs-22.13.1-1.module+el8+1852+c018fdc7.noarch.rpm (11.17 MB)
- nodejs-full-i18n-22.13.1-1.module+el8+1852+c018fdc7.x86_64.rpm (8.31 MB)
- nodejs-libs-22.13.1-1.module+el8+1852+c018fdc7.x86_64.rpm (20.02 MB)
- nodejs-nodemon-3.0.1-1.module+el8+1852+c018fdc7.noarch.rpm (281.67 kB)
- nodejs-packaging-2021.06-4.module+el8+1852+c018fdc7.noarch.rpm (24.25 kB)
- nodejs-packaging-bundler-2021.06-4.module+el8+1852+c018fdc7.noarch.rpm (13.87 kB)
- npm-10.9.2-1.22.13.1.1.module+el8+1852+c018fdc7.x86_64.rpm (2.28 MB)
- v8-12.4-devel-12.4.254.21-1.22.13.1.1.module+el8+1852+c018fdc7.x86_64.rpm (13.99 kB)