Incomplete List of Disallowed Inputs

Overview org.webjars.npm:vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs via the NodeVM builtin allowlist in lib/builtin.js. An attacker can read host-process state by...

ROS-20260401-73-0034

A vulnerability in the createHook function of the asynchooks module of the Node.js software platform is related to uncontrolled recursion. Exploitation of the vulnerability could allow an attacker acting remotely to cause a denial of service...

nodejs: Nodejs denial of service

A stack overflow flaw has been discovered in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when asynchooks.createHook is enabled. Instead of reaching process.on'uncaughtException', the process terminates, making the crash unrecoverable. Applications tha...

openSUSE 16 Security Update : nodejs22 (openSUSE-SU-2026:20236-1)

The remote openSUSE 16 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:20236-1 advisory. Update to 22.22.0: - CVE-2025-55130: file system permissions bypass via crafted symlinks bsc1256569. - CVE-2025-55131: timeout-based race...

Security update for nodejs20

This update for nodejs20 fixes the following issues: Update to 20.20.0: CVE-2026-22036: Updated undici to 6.23.0 bsc1256848 CVE-2025-59465: Add TLSSocket default error handler bsc1256573 CVE-2025-55132: Disable futimes when permission model is enabled bsc1256571 CVE-2025-55130: Require full read...

SUSE-SU-2026:0457-1 Security update for nodejs20

This update for nodejs20 fixes the following issues: - Update to 20.20.0: - CVE-2026-22036: Updated undici to 6.23.0 bsc1256848 - CVE-2025-59465: Add TLSSocket default error handler bsc1256573 - CVE-2025-55132: Disable futimes when permission model is enabled bsc1256571 - CVE-2025-55130: Require...

CVE-2025-59466

Summary: CVE-2025-59466 describes an issue in Node.js error handling where uncatchable stack-overflow crashes occur when async_hooks.createHook() is enabled. The crash bypasses uncaughtException handling and can cause process termination under deep recursion, affecting applications using AsyncLoc...

CVE-2025-59466

We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when asynchooks.createHook is enabled. Instead of reaching process.on'uncaughtException', the process terminates, making the crash unrecoverable. Applications that rely on...

Reliance on Undefined, Unspecified, or Implementation-Defined Behavior

Overview Affected versions of this package are vulnerable to Reliance on Undefined, Unspecified, or Implementation-Defined Behavior due to a flaw in error handling when asynchooks or AsyncLocalStorage is enabled. Normally, a "Maximum call stack size exceeded" error stack overflow is catchable by...