OESA-2025-1199

See a problem?
Please try reporting it to the source first.

Source

https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2025-1199

Import Source

https://repo.openeuler.org/security/data/osv/OESA-2025-1199.json

JSON Data

https://api.test.osv.dev/v1/vulns/OESA-2025-1199

Upstream

CVE-2024-22018

CVE-2024-22020

Published

2025-02-28T15:33:01Z

Modified

2025-08-12T05:41:59.970026Z

Summary

nodejs security update

Details

Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices.

Security Fix(es):

A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-read flag is used. This flaw arises from an inadequate permission model that fails to restrict file stats through the fs.lstat API. As a result, malicious actors can retrieve stats from files that they do not have explicit read access to. This vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.(CVE-2024-22018)

A security flaw in Node.js allows a bypass of network import restrictions. By embedding non-network imports in data URLs, an attacker can execute arbitrary code, compromising system security. Verified on various platforms, the vulnerability is mitigated by forbidding data URLs in network imports. Exploiting this flaw can violate network import security, posing a risk to developers and servers.(CVE-2024-22020)

Database specific

{
    "severity": "Medium"
}

References

Affected packages

openEuler:24.03-LTS / nodejs

Package

Name: nodejs
Purl: pkg:rpm/openEuler/nodejs&distro=openEuler-24.03-LTS

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

20.18.2-1.oe2403

Ecosystem specific

{
    "x86_64": [
        "nodejs-20.18.2-1.oe2403.x86_64.rpm",
        "nodejs-debuginfo-20.18.2-1.oe2403.x86_64.rpm",
        "nodejs-debugsource-20.18.2-1.oe2403.x86_64.rpm",
        "nodejs-devel-20.18.2-1.oe2403.x86_64.rpm",
        "nodejs-full-i18n-20.18.2-1.oe2403.x86_64.rpm",
        "nodejs-libs-20.18.2-1.oe2403.x86_64.rpm",
        "npm-10.8.2-1.20.18.2.1.oe2403.x86_64.rpm",
        "v8-devel-11.3.244.8-1.20.18.2.1.oe2403.x86_64.rpm"
    ],
    "noarch": [
        "nodejs-docs-20.18.2-1.oe2403.noarch.rpm"
    ],
    "aarch64": [
        "nodejs-20.18.2-1.oe2403.aarch64.rpm",
        "nodejs-debuginfo-20.18.2-1.oe2403.aarch64.rpm",
        "nodejs-debugsource-20.18.2-1.oe2403.aarch64.rpm",
        "nodejs-devel-20.18.2-1.oe2403.aarch64.rpm",
        "nodejs-full-i18n-20.18.2-1.oe2403.aarch64.rpm",
        "nodejs-libs-20.18.2-1.oe2403.aarch64.rpm",
        "npm-10.8.2-1.20.18.2.1.oe2403.aarch64.rpm",
        "v8-devel-11.3.244.8-1.20.18.2.1.oe2403.aarch64.rpm"
    ],
    "src": [
        "nodejs-20.18.2-1.oe2403.src.rpm"
    ]
}