CVE-2026-25651 client-certificate-auth has an Open Redirect via Host Header Injection in HTTP-to-HTTPS redirect

client-certificate-auth is middleware for Node.js implementing client SSL certificate authentication/authorization. Versions 0.2.1 and 0.3.0 of client-certificate-auth contain an open redirect vulnerability. The middleware unconditionally redirects HTTP requests to HTTPS using the unvalidated Hos...

RLSA-2026:1842 Important: nodejs24 security update

Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices...

nodejs22 security update

An update is available for nodejs22. This update affects Rocky Linux 10. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list Node.js is a platform built on Chrome's JavaScript runtime \ for easily...

nodejs24 security update

An update is available for nodejs24. This update affects Rocky Linux 10. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list Node.js is a platform built on Chrome's JavaScript runtime for easily...

CVE-2026-24884

Compressing is a compressing and uncompressing lib for node. In version 2.0.0 and 1.10.3 and prior, Compressing extracts TAR archives while restoring symbolic links without validating their targets. By embedding symlinks that resolve outside the intended extraction directory, an attacker can caus...

RockyLinux 10 : nodejs24 (RLSA-2026:1842)

The remote RockyLinux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2026:1842 advisory. nodejs: Nodejs filesystem permissions bypass CVE-2025-55132 nodejs: Nodejs denial of service CVE-2026-21637 nodejs: Nodejs denial of service...

CVE-2025-55131 affecting package nodejs18 for versions less than 18.20.3-11

CVE-2025-55131 affecting package nodejs18 for versions less than 18.20.3-11. A patched version of the package is available...

nodejs: Nodejs file permissions bypass

A flaw in Node.js’s Permissions model allows attackers to bypass --allow-fs-read and --allow-fs-write restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files...

Important: Red Hat Security Advisory: nodejs22 security update

An update for nodejs22 is now available for Red Hat Enterprise Linux 10. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from...

nodejs: Nodejs filesystem permissions bypass

A file access flaw has been discovered in NodeJS. A file's access and modification timestamps to be changed via futimes even when the process has only read permissions. Unlike utimes, futimes does not apply the expected write-permission checks, which means file metadata can be modified in read-on...

nodejs: Nodejs file permissions bypass

A flaw in Node.js’s Permissions model allows attackers to bypass --allow-fs-read and --allow-fs-write restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files...

Amazon Linux 2023 : nodejs20, nodejs20-devel, nodejs20-full-i18n (ALAS2023-2026-1402)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1402 advisory. Bypass File System Permissions using crafted symlinks CVE-2025-55130 A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using th...

RHEL 10 : nodejs22 (RHSA-2026:1843)

The remote Redhat Enterprise Linux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:1843 advisory. Node.js is a platform built on Chrome's JavaScript runtime \ for easily building fast, scalable network applications. \ Node.js uses an...

Amazon Linux 2023 : nodejs22, nodejs22-devel, nodejs22-full-i18n (ALAS2023-2026-1403)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1403 advisory. Bypass File System Permissions using crafted symlinks CVE-2025-55130 A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using th...

Photon OS 4.0: Nodejs PHSA-2026-4.0-0956

An update of the nodejs package has been released. %NASLMINLEVEL 80900 C Tenable, Inc. The descriptive text and package checks in this plugin were extracted from VMware Security Advisory PHSA-2026-4.0-0956. The text itself is copyright C VMware, Inc. include'compat.inc'; if description...

Oracle Linux 10 : nodejs22 (ELSA-2026-1843)

The remote Oracle Linux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2026-1843 advisory. 1:22.22.0-3 - Bump release to get correct RHEL build 1:22.22.0-2 - Filter for nodejs22.fmf in gating plan 1:22.22.0-1 - Update to 22.22.0 1:22.19.0-3 ...

Important: nodejs20

Issue Overview: Bypass File System Permissions using crafted symlinks CVE-2025-55130 A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the vm module with the timeout option. Under specific timing conditions, buffers allocated...

Linux Distros Unpatched Vulnerability : CVE-2026-25547

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - @isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of...

RHEL 10 : nodejs24 (RHSA-2026:1842)

The remote Redhat Enterprise Linux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:1842 advisory. Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an...

Oracle Linux 10 : nodejs24 (ELSA-2026-1842)

The remote Oracle Linux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2026-1842 advisory. 1:24.13.0-1.0.1 - Update upstream references 1:24.13.0-1 - Update to 24.13.0 1:24.11.1-2 - makefile: change package manager to RH one Tenable has...