53 matches found

Rockylinux
added 2025/12/03 9:5 a.m., 11 views

nodejs:18 security, bug fix, and enhancement update

An update is available for nodejs-packaging, module.nodejs-packaging. This update affects Rocky Linux 9. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list. Node.js is a software development platform...

8.6 CVSS, 7.8 AI score, 0.00416 EPSS
Exploits: 5
OSV
added 2025/11/17 11:15 p.m., 3 views

AZL-70604 CVE-2025-13224 affecting package nodejs 20.14.0-13

Type Confusion in V8 in Google Chrome prior to 142.0.7444.175 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. Chromium security severity: High...

8.8 CVSS, 5.8 AI score, 0.00042 EPSS
Exploits: 1, References: 1
OSV
added 2025/11/12 5:15 p.m., 3 views

AZL-76323 CVE-2025-13042 affecting package nodejs24 24.13.0-3

Inappropriate implementation in V8 in Google Chrome prior to 142.0.7444.166 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. Chromium security severity: High...

8.8 CVSS, 5.8 AI score, 0.00112 EPSS
Exploits: 0, References: 1
OSV
added 2025/11/06 10:15 p.m., 3 views

AZL-69902 CVE-2025-11219 affecting package nodejs18 18.20.3-11

Use after free in V8 in Google Chrome prior to 141.0.7390.54 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. Chromium security severity: Low...

3.1 CVSS, 7.4 AI score, 0.00037 EPSS
Exploits: 0, References: 1
EUVD
added 2025/10/07 12:30 a.m., 2 views

EUVD-2021-0889

Malware in sbrugna...

8.1 CVSS, 6.9 AI score, 0.00314 EPSS
Exploits: 0, References: 4
Tenable Nessus
added 2025/08/28 12:0 a.m., 2 views

RockyLinux 8 : nodejs:22 (RLSA-2025:11803)

The remote RockyLinux 8 host has packages installed that are affected by a vulnerability as referenced in the RLSA-2025:11803 advisory. - sqlite: Integer Truncation in SQLite (CVE-2025-6965). Tenable has extracted the preceding description block directly from the RockyLinux security advisory. Note tha...

9.8 CVSS, 7 AI score, 0.01689 EPSS
Exploits: 3, References: 3
Tenable Nessus
added 2025/08/18 12:0 a.m., 4 views

Linux Distros Unpatched Vulnerability : CVE-2017-18869

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A TOCTOU issue in the chownr package before 1.1.0 for Node.js 10.10 could allow a local attacker to trick it into descending into unintended directories via...

2.5 CVSS, 6.8 AI score, 0.00048 EPSS
Exploits: 1, References: 2
Vulnrichment
added 2025/07/21 8:36 p.m., 2 views

CVE-2025-54127 HAXcms's Insecure Default Configuration Leads to Unauthenticated Access

HAXcms with nodejs backend allows users to start the server in any HAXsite or HAXcms instance. In versions 11.0.6 and below, the NodeJS version of HAXcms uses an insecure default configuration designed for local development. The default configuration does not perform authorization or authenticati...

9.3 CVSS, 7.1 AI score, 0.00303 EPSS
Exploits: 0, References: 1
OSV
added 2025/06/09 7:15 p.m., 1 views

AZL-63881 CVE-2025-5889 affecting package nodejs18 for versions less than 18.20.3-9

A vulnerability was found in juliangruber brace-expansion up to 1.1.11/2.0.1/3.0.0/4.0.0. It has been rated as problematic. Affected by this issue is the function expand of the file index.js. The manipulation leads to inefficient regular expression complexity. The attack may be launched remotely...

3.1 CVSS, 4.9 AI score, 0.00092 EPSS
Exploits: 0, References: 1
OSV
added 2025/03/10 9:15 p.m., 3 views

AZL-58362 CVE-2025-2137 affecting package nodejs 20.14.0-13

Out of bounds read in V8 in Google Chrome prior to 134.0.6998.88 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. Chromium security severity: Medium...

8.8 CVSS, 5.8 AI score, 0.00219 EPSS
Exploits: 0, References: 1
CBLMariner
added 2025/02/19 4:8 p.m., 7 views

CVE-2025-23085 affecting package nodejs for versions less than 20.14.0-5

CVE-2025-23085 affecting package nodejs for versions less than 20.14.0-5. A patched version of the package is available...

5.3 CVSS, 5.6 AI score, 0.00164 EPSS
Exploits: 0
Tenable Nessus
added 2025/02/19 12:0 a.m., 15 views

Oracle Linux 8 : nodejs:22 (ELSA-2025-1611)

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2025-1611 advisory. - Upgrade to version 22.13.1. Fixes CVE-2025-23083, CVE-2025-23085, CVE-2025-22150. Resolves: RHEL-76362, RHEL-76897. Tenable has extracted the preceding...

7.7 CVSS, 6.6 AI score, 0.00605 EPSS
Exploits: 0, References: 4
OSV
added 2025/02/14 10:3 a.m., 11 views

RHSA-2025:1446 Red Hat Security Advisory: nodejs:18 security update

Bulletin has no description...

6.8 CVSS, 5.7 AI score, 0.00605 EPSS
Exploits: 0, References: 19
Tenable Nessus
added 2025/02/10 12:0 a.m., 10 views

Azure Linux 3.0 Security Update: nodejs / nodejs18 (CVE-2024-30261)

The version of nodejs / nodejs18 installed on the remote Azure Linux 3.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2024-30261 advisory. - Undici is an HTTP/1.1 client, written from scratch for Node.js. An attacker can alter the integri...

3.5 CVSS, 6.5 AI score, 0.00066 EPSS
Exploits: 1, References: 2
Tenable Nessus
added 2025/02/10 12:0 a.m., 4 views

Azure Linux 3.0 Security Update: fluent-bit / nghttp2 / nodejs / nodejs18 (CVE-2024-28182)

The version of fluent-bit / nghttp2 / nodejs / nodejs18 installed on the remote Azure Linux 3.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2024-28182 advisory. - nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 ...

5.3 CVSS, 7.1 AI score, 0.24971 EPSS
Exploits: 1, References: 2
OSV
added 2024/08/02 7:16 a.m., 1 views

DEBIAN-CVE-2024-42461

In the Elliptic package 6.5.6 for Node.js, ECDSA signature malleability occurs because BER-encoded signatures are allowed...

9.1 CVSS, 6.7 AI score, 0.02898 EPSS
Exploits: 0, References: 1
OSV
added 2024/04/04 3:15 p.m., 2 views

AZL-39773 CVE-2024-30261 affecting package nodejs for versions less than 20.14.0-1

Undici is an HTTP/1.1 client, written from scratch for Node.js. An attacker can alter the integrity option passed to fetch, allowing fetch to accept requests as valid even if they have been tampered. This vulnerability was patched in versions 5.28.4 and 6.11.1...

3.5 CVSS, 6.7 AI score, 0.00066 EPSS
Exploits: 1, References: 1
OSV
added 2024/03/21 11:15 p.m., 3 views

AZL-37121 CVE-2024-28863 affecting package nodejs18 for versions less than 18.20.3-1

node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few...

6.5 CVSS, 6.5 AI score, 0.00663 EPSS
Exploits: 1, References: 1
OSV
added 2023/05/25 10:15 p.m., 1 views

AZL-26940 CVE-2023-31130 affecting package nodejs18 for versions less than 18.17.1-2

c-ares is an asynchronous resolver library. ares_inet_net_pton() is vulnerable to a buffer underflow for certain ipv6 addresses, in particular "0::00:00:00/2" was found to cause an issue. C-ares only uses this function internally for configuration purposes which would require an administrator to...

6.4 CVSS, 6.7 AI score, 0.00012 EPSS
Exploits: 0, References: 1
OSV
added 2023/05/25 10:15 p.m., 4 views

AZL-26875 CVE-2023-31147 affecting package nodejs18 for versions less than 18.17.1-2

c-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom are unavailable, c-ares uses rand to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not seeded by srand so will generate predictable output. Input from the random number generator i...

6.5 CVSS, 6.7 AI score, 0.00103 EPSS
Exploits: 0, References: 1