Synopsis:
nodejs security update
Summary:
An update for nodejs is now available for openEuler-24.03-LTS-SP1
Description:
Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices.
Security Fix(es):
A flaw in Node.js's Permissions model allows attackers to bypass --allow-fs-read and --allow-fs-write restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write, leading to potential system compromise.
This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25. (CVE-2025-55130)
Node.js has released security updates addressing multiple vulnerabilities affecting its active release lines (20.x, 22.x, 24.x, 25.x). Key issues include:
vm module with the timeout option. Buffers allocated with Buffer.alloc and other TypedArray instances like Uint8Array may contain leftover data, potentially leaking in-process secrets (tokens, passwords) or causing data corruption. async_hooks.createHook() is enabled,...
Updated package versions:
20.18.2-5.oe2403sp1
10.8.2-1.20.18.2.5.oe2403sp1
11.3.244.8-1.20.18.2.5.oe2403sp1
Exploitability: AV:N AC:H PR:N UI:N
Scope: S:U
Impact: C:H I:H A:H
Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)