MGASA-2026-0009

See a problem?
Please try reporting it to the source first.

Source

https://advisories.mageia.org/MGASA-2026-0009.html

Import Source

https://advisories.mageia.org/MGASA-2026-0009.json

JSON Data

https://api.test.osv.dev/v1/vulns/MGASA-2026-0009

Related

Published

2026-01-17T02:48:20Z

Modified

2026-01-30T02:31:18.225867Z

Summary

Updated nodejs packages fix security vulnerabilities

Details

Node.js HTTP/2 server crashes with unhandled error when receiving malformed HEADERS frame. (CVE-2025-59465) Uncatchable "Maximum call stack size exceeded" error on Node.js via async_hooks leads to process crashes bypassing error handlers. (CVE-2025-59466) Bypass File System Permissions using crafted symlinks. (CVE-2025-55130) Timeout-based race conditions make Uint8Array/Buffer.alloc non-zerofilled. (CVE-2025-55131) fs.futimes() Bypasses Read-Only Permission Model. (CVE-2025-55132) TLS PSK/ALPN Callback Exceptions Bypass Error Handlers, Causing DoS and FD Leak. (CVE-2026-21637)

References

Credits

- Mageia - COORDINATOR
- - https://wiki.mageia.org/en/Packages_Security_Team

Affected packages

Mageia:9 / nodejs

Package

Name: nodejs
Purl: pkg:rpm/mageia/nodejs?arch=source&distro=mageia-9

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

22.22.0-1.mga9

Ecosystem specific

{
    "section": "core"
}

Database specific

source

"https://advisories.mageia.org/MGASA-2026-0009.json"