This update for nodejs20 fixes the following issues:
Update to version 20.20.2.
- CVE-2026-21717: trivially predictable hash collisions due to flaw in V8's string hashing mechanism allows for
performance degradation via a crafted request (bsc#1260494).
- CVE-2026-21716: incomplete fix for CVE-2024-36137 allows promise-based FileHandle methods to be used to modify file
permissions and ownership on already-open file descriptors (bsc#1260462).
- CVE-2026-21715: flaw in the Permission Model filesystem enforcement allows for file existence disclosure and
filesystem path enumeration via
fs.realpathSync.native() (bsc#1260482).
- CVE-2026-21714: memory leak in Node.js HTTP/2 server allows for resource exhaustion via
WINDOW_UPDATE frames sent
on stream 0 (bsc#1260480).
- CVE-2026-21713: timing side-channel due to flaw in Node.js HMAC verification allows for discovery of HMAC values and
potential MAC forgery (bsc#1260463).
- CVE-2026-21710: uncaught
TypeError when handling HTTP requests allows for a process crash via requests with a
header named __proto__ when the application accesses req.headersDistinct (bsc#1260455).
- CVE-2026-21637: flaw in TLS error handling allows for resource exhaustion and crash when
pskCallback or
ALPNCallback are in use (bsc#1256576).