nodejs:20 security update
エラータID: AXSA:2026-220:01
リリース日:
2026/02/25 Wednesday - 21:03
題名:
nodejs:20 security update
影響のあるチャネル:
MIRACLE LINUX 9 for x86_64
Severity:
High
Description:
以下項目について対処しました。
[Security Fix]
- Node.js には、ファイルのアクセス権限の処理に不備があるため、
ローカルの攻撃者により、任意のファイルの読み込み、および書き込み
を可能とする脆弱性が存在します。(CVE-2025-55130)
- Node.js のバッファーの割り当てロジックには、タイムアウト
オプションを指定したうえで vm モジュールを利用している場合、
初期化されていないメモリ領域が割り当てられる問題があるため、
リモートの攻撃者により、割り当ての中断を介して、初期化前のメモリ
内容の漏洩を可能とする脆弱性が存在します。(CVE-2025-55131)
- Node.js のパーミッションモデルには、対象のプロセスが読み取り
権限のみ付与されている場合においても、futimes() 関数を利用して
意図せずファイルのアクセス権限およびタイムスタンプを変更できて
しまう問題があるため、ローカルの攻撃者により、タイムスタンプの
改ざん、および情報の漏洩を可能とする脆弱性が存在します。
(CVE-2025-55132)
- Node.js の TLS 接続の処理には、想定外の ECONNRESET エラーが
発生してしまう問題があるため、リモートの攻撃者により、不正な形式
の HTTP/2 HEADERS フレームと、大きすぎる HPACK データを持つように
細工されたデータの処理を介して、サービス拒否攻撃を可能とする脆弱性
が存在します。(CVE-2025-59465)
- Node.js のエラーハンドラには、async_hooks.createHook() 関数に
よるフックを有効化した場合、利用できるスタック領域のサイズの制限
を超過したことを検知できなくなることに起因したスタックオーバー
フローの問題があるため、リモートの攻撃者により、サービス拒否攻撃
(リソース枯渇) を可能とする脆弱性が存在します。(CVE-2025-59466)
- Node.js の TLS 処理スタックの pskCallback または ALPNCallback
を用いたエラーハンドラには、ファイルディスクリプタをリークさせて
しまう問題があるため、リモートの攻撃者により、サービス拒否攻撃
(TLS サーバーのクラッシュの発生、リソースの枯渇) を可能とする
脆弱性が存在します。(CVE-2026-21637)
Modularity name: nodejs
Stream name: 20
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2025-55130
A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write, leading to potential system compromise. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.
A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write, leading to potential system compromise. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.
CVE-2025-55131
A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption. While exploitation typically requires precise timing or in-process code execution, it can become remotely exploitable when untrusted input influences workload and timeouts, leading to potential confidentiality and integrity impact.
A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption. While exploitation typically requires precise timing or in-process code execution, it can become remotely exploitable when untrusted input influences workload and timeouts, leading to potential confidentiality and integrity impact.
CVE-2025-55132
A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.
A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.
CVE-2025-59465
A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets, for example: ``` server.on('secureConnection', socket => { socket.on('error', err => { console.log(err) }) }) ```
A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets, for example: ``` server.on('secureConnection', socket => { socket.on('error', err => { console.log(err) }) }) ```
CVE-2025-59466
We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on('uncaughtException')`, the process terminates, making the crash unrecoverable. Applications that rely on `AsyncLocalStorage` (v22, v20) or `async_hooks.createHook()` (v24, v22, v20) become vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions.
We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on('uncaughtException')`, the process terminates, making the crash unrecoverable. Applications that rely on `AsyncLocalStorage` (v22, v20) or `async_hooks.createHook()` (v24, v22, v20) become vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions.
CVE-2026-21637
A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across Node.js versions where these callbacks throw without being safely wrapped.
A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across Node.js versions where these callbacks throw without being safely wrapped.
追加情報:
N/A
ダウンロード:
SRPMS
- nodejs-nodemon-3.0.1-1.module+el9+1131+70c93167.src.rpm
MD5: c6980f3cf74a781bf32a9e156447eda1
SHA-256: cf6236d6e9be206b6c22f3d24fbb0d3004fdd4ea43048de8c99e83c38494c623
Size: 339.27 kB - nodejs-packaging-2021.06-5.module+el9+1131+70c93167.src.rpm
MD5: 611d735779fea521556825f4c16ce348
SHA-256: ba2af7e3fa497e38cc4809499ac3a2bc82059009d59b6c7d06fed86d07e044a7
Size: 25.17 kB - nodejs-20.20.0-1.module+el9+1131+70c93167.src.rpm
MD5: 97c5e71e4eeadc46157ada0e7964148d
SHA-256: 48f4c04ff07eceed8c4c5374dd3ba70c37c0a004ce15d83acdb77f57e436f463
Size: 82.88 MB
Asianux Server 9 for x86_64
- nodejs-20.20.0-1.module+el9+1131+70c93167.x86_64.rpm
MD5: 271420b6c8c055c4ec374f5ee59fbc09
SHA-256: db7a420b7f778267899898aca14aa89bf9facad434f9e0152ac6b21ae86bb055
Size: 14.13 MB - nodejs-debugsource-20.20.0-1.module+el9+1131+70c93167.x86_64.rpm
MD5: 1003d921fe4734b7d597b81172c1b886
SHA-256: 889b7064c239ab20c0618afe28653cd6bcfab9dc834c1a28ef7115322db0a56b
Size: 12.68 MB - nodejs-devel-20.20.0-1.module+el9+1131+70c93167.x86_64.rpm
MD5: 6f18d1c37a65bfae5839c7326854d865
SHA-256: 09754dd32c72dff5b54becf945cc54498a9cfe009273d8e46701c2ca8e67b557
Size: 258.85 kB - nodejs-docs-20.20.0-1.module+el9+1131+70c93167.noarch.rpm
MD5: 4dc6e6f42dc8e81b01b6d711fafd77c6
SHA-256: fb84580771e095690d4e92777d9afb3450bb7d7328a84714b4c5accef175698f
Size: 8.62 MB - nodejs-full-i18n-20.20.0-1.module+el9+1131+70c93167.x86_64.rpm
MD5: 1aef56877f6efd2300bb0ae5714681b9
SHA-256: e857f431b11e1c5b29ff8c86b8ffb9ecc658b82947f3a17d91325dedf2bcada4
Size: 8.60 MB - nodejs-nodemon-3.0.1-1.module+el9+1131+70c93167.noarch.rpm
MD5: 6f976d85fc3b8934a7758df87aa5803b
SHA-256: 998f1e95bc9675132b7742618a7a6af51edbde2167b025dac3a14adc981a1128
Size: 332.32 kB - nodejs-packaging-2021.06-5.module+el9+1131+70c93167.noarch.rpm
MD5: edc732760c244412e603d5b61f248f60
SHA-256: 6456c950372eb9a0fd2a7a53352c8ef22fbc673f5110599fd1d8e23aa1a634e5
Size: 18.50 kB - nodejs-packaging-bundler-2021.06-5.module+el9+1131+70c93167.noarch.rpm
MD5: 19643e585f65180af707723801b9d95c
SHA-256: a4ce180bd77769c1b8c52ed54687fb72363e2c4edb793b18ac79e14950be35ff
Size: 8.34 kB - npm-10.8.2-1.20.20.0.1.module+el9+1131+70c93167.x86_64.rpm
MD5: bc5337b42de3a69e6628bc26385d7a9a
SHA-256: 6020d1affc3d9599055bbba1aac00bc2df8a4b267b7a9ee7d800d126ab80369c
Size: 2.22 MB
English