Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices.
Security Fix(es):
A flaw in Node.js’s Permissions model allows attackers to bypass --allow-fs-read and --allow-fs-write restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write, leading to potential system compromise.
This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25. (CVE-2025-55130)
Node.js has released security updates addressing multiple vulnerabilities affecting its active release lines (20.x, 22.x, 24.x, 25.x). Key issues include:
1. CVE-2025-55131 (High): A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted using the vm module with the timeout option. Buffers allocated with Buffer.alloc and other TypedArray instances like Uint8Array may contain leftover data, potentially leaking in-process secrets (tokens, passwords) or causing data corruption.
2. CVE-2025-55130 (High): A flaw in Node.js's Permissions model allows attackers to bypass
3. **CVE-2025-59465 (High)**: A malformed HTTP/2 HEADERS frame with oversized, invalid HPACK data can cause Node.js to crash due to an unhandled TLSSocket error, leading to a remote denial of service.
4. **CVE-2025-59466 (Medium)**: A bug in Node.js error handling makes "Maximum call stack size exceeded" errors uncatchable when async_hooks.createHook() is enabled, causing the process to terminate unrecoverably.
5. **CVE-2025-59464 (Medium)**: A memory leak in Node.js's OpenSSL integration occurs when converting X.509 certificate fields to UTF-8 without freeing the allocated buffer during socket.getPeerCertificate(true), allowing remote memory exhaustion.
6. **CVE-2026-21636 (Medium)**: A flaw in Node.js's permission model allows Unix Domain Socket connections to bypass network restrictions even without
7. CVE-2026-21637 (Medium): A flaw in Node.js TLS error handling allows synchronous exceptions thrown during pskCallback or ALPNCallback to bypass standard error handlers, causing process termination or file descriptor leaks.
8. CVE-2025-55132 (Low): A flaw in Node.js's permission model allows file timestamps to be changed via fs.futimes() even with only read permissions, potentially obscuring activity in logs. (CVE-2025-55131)
A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via futimes() even when the process has only read permissions. Unlike utimes(), futimes() does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25. (CVE-2025-55132)
A malformed HTTP/2 HEADERS frame with oversized, invalid HPACK data can cause Node.js to crash by triggering an unhandled TLSSocket error (ECONNRESET). Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets; such a handler looks like this:
    server.on('secureConnection', socket => {
      socket.on('error', err => {
        console.log(err)
      })
    })
(CVE-2025-59465)
We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when async_hooks.createHook() is enabled. Instead of reaching process.on('uncaughtException'), the process terminates, making the crash unrecoverable. Applications that rely on AsyncLocalStorage (v22, v20) or async_hooks.createHook() (v24, v22, v20) become vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions. (CVE-2025-59466)
This is a security vulnerability that has been assigned a CVE identifier (CVE-2026-21637). In SUSE's vulnerability record the title, description, and mitigation fields are currently empty, and the list of affected packages is also empty. This indicates that the vulnerability may still be under investigation, pending assignment, or in a reserved state, and that its technical details, scope of impact, and attack vectors have not yet been publicly disclosed. Monitor the official security advisories for subsequent updates. (CVE-2026-21637)
{
"severity": "High"
}
{
"noarch": [
"nodejs-docs-20.18.2-5.oe2403sp1.noarch.rpm"
],
"src": [
"nodejs-20.18.2-5.oe2403sp1.src.rpm"
],
"x86_64": [
"nodejs-20.18.2-5.oe2403sp1.x86_64.rpm",
"nodejs-debuginfo-20.18.2-5.oe2403sp1.x86_64.rpm",
"nodejs-debugsource-20.18.2-5.oe2403sp1.x86_64.rpm",
"nodejs-devel-20.18.2-5.oe2403sp1.x86_64.rpm",
"nodejs-full-i18n-20.18.2-5.oe2403sp1.x86_64.rpm",
"nodejs-libs-20.18.2-5.oe2403sp1.x86_64.rpm",
"npm-10.8.2-1.20.18.2.5.oe2403sp1.x86_64.rpm",
"v8-devel-11.3.244.8-1.20.18.2.5.oe2403sp1.x86_64.rpm"
],
"aarch64": [
"nodejs-20.18.2-5.oe2403sp1.aarch64.rpm",
"nodejs-debuginfo-20.18.2-5.oe2403sp1.aarch64.rpm",
"nodejs-debugsource-20.18.2-5.oe2403sp1.aarch64.rpm",
"nodejs-devel-20.18.2-5.oe2403sp1.aarch64.rpm",
"nodejs-full-i18n-20.18.2-5.oe2403sp1.aarch64.rpm",
"nodejs-libs-20.18.2-5.oe2403sp1.aarch64.rpm",
"npm-10.8.2-1.20.18.2.5.oe2403sp1.aarch64.rpm",
"v8-devel-11.3.244.8-1.20.18.2.5.oe2403sp1.aarch64.rpm"
]
}