nodejs:20 security update
エラータID: AXSA:2026-187:01
リリース日:
2026/02/17 Tuesday - 13:50
題名:
nodejs:20 security update
影響のあるチャネル:
Asianux Server 8 for x86_64
Severity:
High
Description:
以下項目について対処しました。
[Security Fix]
- Node.js には、ファイルのアクセス権限の処理に不備があるため、
ローカルの攻撃者により、任意のファイルの読み込み、および書き込み
を可能とする脆弱性が存在します。(CVE-2025-55130)
- Node.js のバッファーの割り当てロジックには、タイムアウト
オプションを指定したうえで vm モジュールを利用している場合、
初期化されていないメモリ領域が割り当てられる問題があるため、
リモートの攻撃者により、割り当ての中断を介して、初期化前のメモリ
内容の漏洩を可能とする脆弱性が存在します。(CVE-2025-55131)
- Node.js のパーミッションモデルには、対象のプロセスが読み取り
権限のみ付与されている場合においても、futimes() 関数を利用して
意図せずファイルのアクセス権限およびタイムスタンプを変更できて
しまう問題があるため、ローカルの攻撃者により、タイムスタンプの
改ざん、および情報の漏洩を可能とする脆弱性が存在します。
(CVE-2025-55132)
- Node.js の TLS 接続の処理には、想定外の ECONNRESET エラーが
発生してしまう問題があるため、リモートの攻撃者により、不正な形式
の HTTP/2 HEADERS フレームと、大きすぎる HPACK データを持つように
細工されたデータの処理を介して、サービス拒否攻撃を可能とする脆弱性
が存在します。(CVE-2025-59465)
- Node.js のエラーハンドラには、async_hooks.createHook() 関数に
よるフックを有効化した場合、利用できるスタック領域のサイズの制限
を超過したことを検知できなくなることに起因したスタックオーバー
フローの問題があるため、リモートの攻撃者により、サービス拒否攻撃
(リソース枯渇) を可能とする脆弱性が存在します。(CVE-2025-59466)
- Node.js の TLS 処理スタックの pskCallback または ALPNCallback
を用いたエラーハンドラには、ファイルディスクリプタをリークさせて
しまう問題があるため、リモートの攻撃者により、サービス拒否攻撃
(TLS サーバーのクラッシュの発生、リソースの枯渇) を可能とする
脆弱性が存在します。(CVE-2026-21637)
Modularity name: nodejs
Stream name: 20
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2025-55130
A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write, leading to potential system compromise. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.
A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write, leading to potential system compromise. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.
CVE-2025-55131
A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption. While exploitation typically requires precise timing or in-process code execution, it can become remotely exploitable when untrusted input influences workload and timeouts, leading to potential confidentiality and integrity impact.
A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption. While exploitation typically requires precise timing or in-process code execution, it can become remotely exploitable when untrusted input influences workload and timeouts, leading to potential confidentiality and integrity impact.
CVE-2025-55132
A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.
A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.
CVE-2025-59465
A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets, for example: ``` server.on('secureConnection', socket => { socket.on('error', err => { console.log(err) }) }) ```
A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets, for example: ``` server.on('secureConnection', socket => { socket.on('error', err => { console.log(err) }) }) ```
CVE-2025-59466
We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on('uncaughtException')`, the process terminates, making the crash unrecoverable. Applications that rely on `AsyncLocalStorage` (v22, v20) or `async_hooks.createHook()` (v24, v22, v20) become vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions.
We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on('uncaughtException')`, the process terminates, making the crash unrecoverable. Applications that rely on `AsyncLocalStorage` (v22, v20) or `async_hooks.createHook()` (v24, v22, v20) become vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions.
CVE-2026-21637
A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across Node.js versions where these callbacks throw without being safely wrapped.
A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across Node.js versions where these callbacks throw without being safely wrapped.
追加情報:
N/A
ダウンロード:
SRPMS
- nodejs-nodemon-3.0.1-1.module+el8+1952+34cf74eb.src.rpm
MD5: 3cac1400d4a69baf51d628b6cc1c1d2d
SHA-256: b3ed889c427cd711e1d1927380c994e66319cef50735bd9adf50dd9ade75db76
Size: 339.85 kB - nodejs-packaging-2021.06-5.module+el8+1952+34cf74eb.src.rpm
MD5: d0d649af8b7947c5e7578496b81cb111
SHA-256: db86b59eaa8ca9304bef36a8de550695776b89c9122fcbfac01d429fa8bf9175
Size: 30.44 kB - nodejs-20.20.0-1.module+el8+1952+34cf74eb.src.rpm
MD5: 8fefa5c54c98df404b6ceeffb64b184b
SHA-256: b2ba9b8cf2a5e7de8d27e5eeedd24d967e9925933a900921cfddfb85a230e347
Size: 82.93 MB
Asianux Server 8 for x86_64
- nodejs-20.20.0-1.module+el8+1952+34cf74eb.x86_64.rpm
MD5: d1a1699ce0c3700cb1a9b48b7553c5db
SHA-256: 20c51e1d09a24e0444ffbe519530c37f87fc6ba05f5daea935d3eb479f65fc96
Size: 14.50 MB - nodejs-debugsource-20.20.0-1.module+el8+1952+34cf74eb.x86_64.rpm
MD5: 22a4d604987b526b486d3f2882a1781f
SHA-256: 9917038c89bcecb29f3c2703bb141f680992f01b1772fcecfc6eb962481c0084
Size: 11.95 MB - nodejs-devel-20.20.0-1.module+el8+1952+34cf74eb.x86_64.rpm
MD5: b8d2059fd78f4dd1d26672efc697b46a
SHA-256: cd46c28d7af66b2150fcf45807098b5cea1edce0746909b31ffdb5fcb7fced40
Size: 263.40 kB - nodejs-docs-20.20.0-1.module+el8+1952+34cf74eb.noarch.rpm
MD5: adb59a2fe5db44e3567a74ac6de19442
SHA-256: f11472ad139ba2eb0db876b47c9313d78292d242217e49962bc4073df043f8ae
Size: 10.95 MB - nodejs-full-i18n-20.20.0-1.module+el8+1952+34cf74eb.x86_64.rpm
MD5: 8b4cc934965682a1ab29d35f22196be7
SHA-256: 0dd7e83dcb5ad43ac3ea6db53a6c19d166dab318c3920ad17ef4b271aa4a72ec
Size: 8.33 MB - nodejs-nodemon-3.0.1-1.module+el8+1952+34cf74eb.noarch.rpm
MD5: 6c4f57dae446d84c556b8d5d10fc88ac
SHA-256: 50848076471f68928e9114b050523a2c7bb028d97050753f392a7920fb87105f
Size: 281.65 kB - nodejs-packaging-2021.06-5.module+el8+1952+34cf74eb.noarch.rpm
MD5: cde087f7270649be8bd4c361308ac533
SHA-256: 189a591482c286dd004ba68ea5ce103f9922c2dde86cc2b8b227acbee091ff0f
Size: 24.23 kB - nodejs-packaging-bundler-2021.06-5.module+el8+1952+34cf74eb.noarch.rpm
MD5: 9f2585239927326c60b7207e9820d97b
SHA-256: 29c896eacc3361c189ab9648a2098f1e91e21be672429b4aa131fc7b4300e37e
Size: 13.85 kB - npm-10.8.2-1.20.20.0.1.module+el8+1952+34cf74eb.x86_64.rpm
MD5: 386f0fadf86260069657178c8cd13b59
SHA-256: 44f52c89f8a9a2b43268d51effc2a2df7622411f6e8dfabe662977b9d543fc6b
Size: 2.02 MB
English