This update for nodejs22 fixes the following issues:
Update to 22.22.0:
- CVE-2025-55130: file system permissions bypass via crafted symlinks (bsc#1256569).
- CVE-2025-55131: timeout-based race conditions allow for allocations that contain leftover data from previous operations and lead to exposure of in-process secrets (bsc#1256570).
- CVE-2025-55132: a file's access and modification timestamps can be changed via
futimes() even when the process has only read permissions (bsc#1256571).
- CVE-2025-59465: malformed HTTP/2 HEADERS frame with invalid HPACK data can cause a crash due to an unhandled error (bsc#1256573).
- CVE-2025-59466: uncatchable "Maximum call stack size exceeded" error when
async_hooks.createHook() is enabled can lead to crash (bsc#1256574).
- CVE-2026-21637: synchronous exceptions thrown during certain callbacks bypass the standard TLS error handling paths and can cause a denial of service (bsc#1256576).
- CVE-2026-22036: undici: unbounded decompression chain in HTTP responses via Content-Encoding may lead to resource exhaustion (bsc#1256848).
For full changelog, please see https://nodejs.org/en/blog