Lucene search

4303 matches found

RedHat Linux
added 2026/02/05 4:3 p.m. | 1 views

nodejs: Nodejs file permissions bypass

A flaw in Node.js’s Permissions model allows attackers to bypass --allow-fs-read and --allow-fs-write restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files...

CVSS 9.1 | AI score 5.9 | EPSS 0.00016
Exploits: 2 | References: 5
RedHat Linux
added 2026/02/05 4:3 p.m. | 1 views

nodejs: Nodejs filesystem permissions bypass

A file access flaw has been discovered in NodeJS. A file's access and modification timestamps can be changed via futimes even when the process has only read permissions. Unlike utimes, futimes does not apply the expected write-permission checks, which means file metadata can be modified in read-on...

CVSS 5.3 | AI score 5.7 | EPSS 0.00012
Exploits: 0 | References: 5
Tenable Nessus
added 2026/02/05 12:0 a.m. | 1 views

Oracle Linux 10 : nodejs22 (ELSA-2026-1843)

The remote Oracle Linux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2026-1843 advisory. 1:22.22.0-3 - Bump release to get correct RHEL build; 1:22.22.0-2 - Filter for nodejs22.fmf in gating plan; 1:22.22.0-1 - Update to 22.22.0; 1:22.19.0-3 ...

CVSS 9.1 | AI score 6.9 | EPSS 0.00109
Exploits: 2 | References: 7
Tenable Nessus
added 2026/02/05 12:0 a.m. | 2 views

RHEL 10 : nodejs22 (RHSA-2026:1843)

The remote Red Hat Enterprise Linux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:1843 advisory. Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an...

CVSS 9.1 | AI score 6.9 | EPSS 0.00109
Exploits: 2 | References: 14
Tenable Nessus
added 2026/02/05 12:0 a.m. | 2 views

Oracle Linux 10 : nodejs24 (ELSA-2026-1842)

The remote Oracle Linux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2026-1842 advisory. 1:24.13.0-1.0.1 - Update upstream references; 1:24.13.0-1 - Update to 24.13.0; 1:24.11.1-2 - makefile: change package manager to RH one. Tenable has...

CVSS 9.1 | AI score 6.9 | EPSS 0.00109
Exploits: 2 | References: 7
Tenable Nessus
added 2026/02/05 12:0 a.m. | 3 views

Linux Distros Unpatched Vulnerability : CVE-2026-25547

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - @isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of...

CVSS 9.2 | AI score 6.8 | EPSS 0.0002
Exploits: 0 | References: 4
Photon
added 2026/02/05 12:0 a.m. | 4 views

Critical Photon OS Security Update - PHSA-2026-5.0-0755

Updates of 'alsa-lib', 'nodejs' packages of Photon OS have been released...

CVSS 9.1 | AI score 7 | EPSS 0.00016
Exploits: 2
Tenable Nessus
added 2026/02/05 12:0 a.m. | 4 views

Amazon Linux 2023 : nodejs22, nodejs22-devel, nodejs22-full-i18n (ALAS2023-2026-1403)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1403 advisory. Bypass File System Permissions using crafted symlinks (CVE-2025-55130). A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using th...

CVSS 9.1 | AI score 7 | EPSS 0.00109
Exploits: 2 | References: 14
Tenable Nessus
added 2026/02/05 12:0 a.m. | 3 views

Photon OS 4.0: Nodejs PHSA-2026-4.0-0956

An update of the nodejs package has been released. The descriptive text and package checks in this plugin were extracted from VMware Security Advisory PHSA-2026-4.0-0956. The text itself is copyright (C) VMware, Inc. ...

CVSS 9.1 | AI score 6.7 | EPSS 0.00109
Exploits: 2 | References: 7
Tenable Nessus
added 2026/02/05 12:0 a.m. | 1 views

RHEL 10 : nodejs24 (RHSA-2026:1842)

The remote Red Hat Enterprise Linux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:1842 advisory. Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an...

CVSS 9.1 | AI score 6.9 | EPSS 0.00109
Exploits: 2 | References: 14
Amazon
added 2026/02/05 12:0 a.m. | 7 views

Important: nodejs20

Issue Overview: Bypass File System Permissions using crafted symlinks (CVE-2025-55130). A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the vm module with the timeout option. Under specific timing conditions, buffers allocated...

CVSS 9.1 | AI score 5.7 | EPSS 0.00109
Exploits: 2
Tenable Nessus
added 2026/02/05 12:0 a.m. | 5 views

Amazon Linux 2023 : nodejs20, nodejs20-devel, nodejs20-full-i18n (ALAS2023-2026-1402)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1402 advisory. Bypass File System Permissions using crafted symlinks (CVE-2025-55130). A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using th...

CVSS 9.1 | AI score 7 | EPSS 0.00109
Exploits: 2 | References: 14
ATTACKERKB
added 2026/02/04 9:51 p.m. | 7 views

CVE-2026-25547

@isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated numeric brace ranges, t...

CVSS 9.2 | AI score 5.3 | EPSS 0.0002
Exploits: 0 | References: 2 | Affected Software: 1
Oracle linux
added 2026/02/04 12:0 a.m. | 3 views

nodejs22 security update

1:22.22.0-3 - Bump release to get correct RHEL build; 1:22.22.0-2 - Filter for nodejs22.fmf in gating plan; 1:22.22.0-1 - Update to 22.22.0; 1:22.19.0-3 - Unit-tests adjustment - disable internet/test-dgram-membership...

CVSS 9.1 | AI score 6.6 | EPSS 0.00109
Exploits: 2
Positive Technologies
added 2026/02/03 12:0 a.m. | 4 views

PT-2026-6213

Name of the Vulnerable Software and Affected Versions: Compressing versions 1.10.3 and prior; Compressing version 2.0.0. Description: Compressing, a compressing and uncompressing library for Node.js, does not validate symbolic link targets when extracting TAR archives. This allows an attacker to embe...

CVSS 8.4 | AI score 5.7 | EPSS 0.00008
Exploits: 1 | References: 16
OSV
added 2026/02/03 12:0 a.m. | 1 views

ALSA-2026:1843 Important: nodejs22 security update

Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed...

CVSS 9.1 | AI score 5.6 | EPSS 0.00109
Exploits: 2 | References: 14
OSV
added 2026/02/03 12:0 a.m. | 3 views

ALSA-2026:1842 Important: nodejs24 security update

Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices...

CVSS 9.1 | AI score 5.6 | EPSS 0.00109
Exploits: 2 | References: 14
Photon
added 2026/02/03 12:0 a.m. | 7 views

Critical Photon OS Security Update - PHSA-2026-4.0-0956

Updates of 'expat', 'nodejs' packages of Photon OS have been released...

CVSS 9.1 | AI score 7 | EPSS 0.00109
Exploits: 2
vulnersOsv
added 2026/02/02 10:21 p.m. | 5 views

@haxtheweb/create (>=0.1.3 <=25.0.2), @haxtheweb/haxcms-nodejs (>=0.0.2 <=25.0.0) +4 more potentially affected by CVE-2026-25521 via locutus (>=2.0.14 <=2.0.32)

locutus NPM version =2.0.14, =0.1.3, =0.0.2, =11.0.2, =2.1.1, =1.0.0, =1.0.66, =1.0.72 Source cves: CVE-2026-25521 Source advisory: SNYK:JS-LOCUTUS-15182766...

CVSS 9.4 | AI score 5.8 | EPSS 0.00018
Exploits: 1
Wolfi
added 2026/02/02 7:48 p.m. | 3 views

CVE-2025-59464 vulnerabilities

Vulnerabilities for packages: nodejs...

CVSS 7.5 | AI score 5.2 | EPSS 0.00098
Exploits: 0