Node.js 20.x < 20.20.0 / 22.x < 22.22.0 / 24.x < 24.13.0 / 24.x < 24.13.0 / 25.x < 25.3.0 Multiple Vulnerabilities (Tuesday, January 13, 2026 Security Releases).

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(282656);
  script_version("1.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/04/30");

  script_cve_id(
    "CVE-2025-55130",
    "CVE-2025-55131",
    "CVE-2025-55132",
    "CVE-2025-59464",
    "CVE-2025-59465",
    "CVE-2025-59466",
    "CVE-2026-21636",
    "CVE-2026-21637"
  );
  script_xref(name:"IAVB", value:"2026-B-0013-S");

  script_name(english:"Node.js 20.x < 20.20.0 / 22.x < 22.22.0 / 24.x < 24.13.0 / 24.x < 24.13.0 / 25.x < 25.3.0 Multiple Vulnerabilities (Tuesday, January 13, 2026 Security Releases).");

  script_set_attribute(attribute:"synopsis", value:
"Node.js - JavaScript run-time environment is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of Node.js installed on the remote host is prior to 20.20.0, 22.22.0, 24.13.0, 24.13.0, 25.3.0. It is,
therefore, affected by multiple vulnerabilities as referenced in the Tuesday, January 13, 2026 Security Releases
advisory.

  - A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via
    futimes() even when the process has only read permissions. Unlike utimes(), futimes() does not apply the
    expected write-permission checks, which means file metadata can be modified in read-only directories. This
    behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs
    (CVE-2025-55132)

  - A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are
    interrupted, when using the vm module with the timeout option. Under specific timing conditions, buffers
    allocated with Buffer.alloc and other TypedArray instances like Uint8Array may contain leftover data from
    previous operations, allowing in-process secrets like tokens or passwords to leak or causing data
    corruption. While exploitation typically requires precise timing or in-process code execution, it can
    become remotely exploitable when untrusted input influences workload and timeouts, leading to potential
    confidentiality and integrity impact. Impact: Thank you, to Nikita Skovoroda for reporting and fixing this
    vulnerability. (CVE-2025-55131)

  - A flaw in Node.js's Permissions model allows attackers to bypass --allow-fs-read and --allow-fs-write
    restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted
    access only to the current directory can escape the allowed path and read sensitive files. This breaks the
    expected isolation guarantees and enables arbitrary file read/write, leading to potential system
    compromise. Impact: Thank you, to natann for reporting this vulnerability and thank you RafaelGSS for
    fixing it. (CVE-2025-55130)

  - A malformed HTTP/2 HEADERS frame with oversized, invalid HPACK data can cause Node.js to crash by
    triggering an unhandled TLSSocket error ECONNRESET. Instead of safely closing the connection, the process
    crashes, enabling a remote denial of service. This primarily affects applications that do not attach
    explicit error handlers to secure sockets, for example: server.on('secureConnection', socket => {
    socket.on('error', err => { console.log(err); }); }); JavaScriptCopy to clipboard Impact: Thank you, to
    dantt for reporting this vulnerability and thank you RafaelGSS for fixing it. (CVE-2025-59465)

  - We have identified a bug in Node.js error handling where Maximum call stack size exceeded errors become
    uncatchable when async_hooks.createHook() is enabled. Instead of reaching process.on('uncaughtException'),
    the process terminates, making the crash unrecoverable. Applications that rely on AsyncLocalStorage (v22,
    v20) or async_hooks.createHook() (v24, v22, v20) become vulnerable to denial-of-service crashes triggered
    by deep recursion under specific conditions. This patch improves recoverability in one edge case, but it
    does not remove the broader risk. Recovery from space exhaustion is unspecified, besteffort behavior and
    is not a reliable basis for availability or security. In availabilitycritical paths where recursion depth
    may be influenced by untrusted input, prefer input validation and designs that bound or avoid recursion
    rather than depending on stack space exhaustion behavior or the lack of tailcall optimizations in the
    runtime/engine. See this blog post for details. Impact: Thank you, to Andrew MacPherson (AndrewMohawk) for
    identifying & aaron_vercel for reporting this vulnerability and thank you mcollina for fixing it.
    (CVE-2025-59466)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  # https://nodejs.org/en/blog/vulnerability/december-2025-security-releases/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a8cc39ad");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Node.js version 20.20.0 / 22.22.0 / 24.13.0 / 24.13.0 / 25.3.0 or later.");
  script_set_attribute(attribute:"agent", value:"all");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss4_vector", value:"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N");
  script_set_attribute(attribute:"cvss4_threat_vector", value:"CVSS:4.0/E:P");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2026-21636");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2026/01/13");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/01/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/01/13");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:nodejs:node.js");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("nodejs_win_installed.nbin", "nodejs_installed_nix.nbin", "macosx_nodejs_installed.nbin");
  script_require_keys("installed_sw/Node.js");

  exit(0);
}

include('vcf.inc');

var win_local = FALSE;
var os = get_kb_item_or_exit('Host/OS');
if ('windows' >< tolower(os)) win_local = TRUE;

var app_info = vcf::get_app_info(app:'Node.js', win_local:win_local);
vcf::check_granularity(app_info:app_info, sig_segments:3);
vcf::check_all_backporting(app_info:app_info);

var constraints = [
  { 'min_version' : '20.0.0', 'fixed_version' : '20.20.0' },
  { 'min_version' : '22.0.0', 'fixed_version' : '22.22.0' },
  { 'min_version' : '24.0.0', 'fixed_version' : '24.13.0' },
  { 'min_version' : '24.12.0.', 'fixed_version' : '24.13.0' },
  { 'min_version' : '25.0.0', 'fixed_version' : '25.3.0' }
];
vcf::check_version_and_report(
    app_info:app_info,
    constraints:constraints,
    severity:SECURITY_HOLE
);