MiracleLinux 8 : nodejs:20 (AXSA:2025-9674:01)

The remote MiracleLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2025-9674:01 advisory. undici: Undici Uses Insufficiently Random Values CVE-2025-22150 nodejs: Node.js Worker Thread Exposure via Diagnostics Channel CVE-2025-23083 nodejs...

MiracleLinux 8 : nodejs:20 (AXSA:2025-10000:01)

The remote MiracleLinux 8 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2025-10000:01 advisory. nodejs: Remote Crash via SignTraits::DeriveBits in Node.js CVE-2025-23166 Tenable has extracted the preceding description block directly from the MiracleLin...

MiracleLinux 9 : nodejs:22 (AXSA:2025-10673:01)

The remote MiracleLinux 9 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2025-10673:01 advisory. sqlite: Integer Truncation in SQLite CVE-2025-6965 Tenable has extracted the preceding description block directly from the MiracleLinux security advisory...

MiracleLinux 8 : nodejs:22 (AXSA:2025-9926:01)

The remote MiracleLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2025-9926:01 advisory. c-ares: c-ares has a use-after-free in readanswers CVE-2025-31498 SQLite: integer overflow in SQLite CVE-2025-3277 Tenable has extracted the precedi...

Amazon Linux 2023 : nodejs20, nodejs20-devel, nodejs20-full-i18n (ALAS2023-2025-1346)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2025-1346 advisory. Use after free due to connection being cleaned up after error CVE-2025-62408 Tenable has extracted the preceding description block directly from the tested product security advisory. Note that Nessus h...

Amazon Linux 2023 : nodejs24, nodejs24-devel, nodejs24-full-i18n (ALAS2023-2025-1348)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2025-1348 advisory. Use after free due to connection being cleaned up after error CVE-2025-62408 Tenable has extracted the preceding description block directly from the tested product security advisory. Note that Nessus h...

Medium: nodejs24

Issue Overview: Use after free due to connection being cleaned up after error CVE-2025-62408 Affected Packages: nodejs24 Issue Correction: Run dnf update nodejs24 --releasever 2023.10.20260105 or dnf update --advisory ALAS2023-2025-1348 --releasever 2023.10.20260105 to update your system. More...

Medium: nodejs22

Issue Overview: Use after free due to connection being cleaned up after error CVE-2025-62408 Affected Packages: nodejs22 Issue Correction: Run dnf update nodejs22 --releasever 2023.10.20260105 or dnf update --advisory ALAS2023-2025-1347 --releasever 2023.10.20260105 to update your system. More...

Medium: nodejs20

Issue Overview: Use after free due to connection being cleaned up after error CVE-2025-62408 Affected Packages: nodejs20 Issue Correction: Run dnf update nodejs20 --releasever 2023.10.20260105 or dnf update --advisory ALAS2023-2025-1346 --releasever 2023.10.20260105 to update your system. More...

AlmaLinux 10 : nodejs22 (ALSA-2025:8493)

The remote AlmaLinux 10 host has packages installed that are affected by a vulnerability as referenced in the ALSA-2025:8493 advisory. nodejs: Remote Crash via SignTraits::DeriveBits in Node.js CVE-2025-23166 Tenable has extracted the preceding description block directly from the AlmaLinux securi...

Medium: nodejs22

Issue Overview: There exists a vulnerability in SQLite versions before 3.50.2 where the number of aggregate terms could exceed the number of columns available. This could lead to a memory corruption issue. We recommend upgrading to version 3.50.2 or above. CVE-2025-6965 Affected Packages: nodejs2...

SUSE CVE-2025-27209

The V8 release used in Node.js v24.0.0 has changed how string hashes are computed using rapidhash. This implementation re-introduces the HashDoS vulnerability as an attacker who can control the strings to be hashed can generate many hash collisions - an attacker can generate collisions even witho...

SUSE-SU-2025:02039-1 Security update for nodejs20

This update for nodejs20 fixes the following issues: Update to 20.19.2: - CVE-2025-23166: improper error handling in async cryptographic operations crashes process bsc1243218. - CVE-2025-23167: improper HTTP header block termination in llhttp bsc1243220. - CVE-2025-23165: add missing call to...

Important: nodejs22

Issue Overview: Corrupted pointer in node::fs::ReadFileUtf8const FunctionCallbackInfo& args when args0 is a string, resulting in an unrecoverable memory leak on every call. Repeated use can cause unbounded memory growth, leading to a denial of service. Info:...

AZL-65063 CVE-2025-23167 affecting package nodejs18 18.20.3-11

A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using \r\n\rX instead of the required \r\n\r\n. This inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests. The issue was resolved by...

AZL-61914 CVE-2025-23167 affecting package nodejs 20.14.0-13

A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using \r\n\rX instead of the required \r\n\r\n. This inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests. The issue was resolved by...

DEBIAN-CVE-2025-23167

A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using \r\n\rX instead of the required \r\n\r\n. This inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests. The issue was resolved by...

Medium: nodejs22

Issue Overview: An issue in sqlite v.3.49.0 allows an attacker to cause a denial of service via the SQLITEDBCONFIGLOOKASIDE component CVE-2025-29088 Integer Overflow vulnerability in SQLite SQLite3 v.3.50.0 allows a remote attacker to cause a denial of service via the setupLookaside function...

Medium: nodejs20

Issue Overview: c-ares is an asynchronous resolver library. From 1.32.3 through 1.34.4, there is a use-after-free in readanswers when processanswer may re-enqueue a query either due to a DNS Cookie Failure or when the upstream server does not properly support EDNS, or possibly on TCP queries if t...

Important: nodejs20

Issue Overview: Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to versions 5.28.5, 6.21.1, and 7.2.3, undici uses Math.random to choose the boundary for a multipart/form-data request. It is known that the output of Math.random can be predicted if several of its generated values...