Vulnerability-Lookup

CVE-2025-55131 (GCVE-0-2025-55131)

Vulnerability from cvelistv5 – Published: 2026-01-20 20:41 – Updated: 2026-06-30 12:07

Summary

A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption. While exploitation typically requires precise timing or in-process code execution, it can become remotely exploitable when untrusted input influences workload and timeouts, leading to potential confidentiality and integrity impact.

Severity

7.1 (High)


                        
                          CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L

7.1 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CWE-497 - Exposure of Sensitive System Information to an Unauthorized Control Sphere

Assigner

hackerone

References

20 references

URL	Tags
https://nodejs.org/en/blog/vulnerability/december…
https://access.redhat.com/security/cve/CVE-2025-55131	vdb-entryx_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2431350	issue-trackingx_refsource_REDHAT
https://security.access.redhat.com/data/csaf/v2/v…	x_sadp-csaf-vex
https://access.redhat.com/errata/RHSA-2026:2899	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:1843	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:1842	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:2422	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:2421	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:2420	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:2768	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:2767	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:2864	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:2783	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:2782	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:2781	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:7386	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:7387	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:6402	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:6431	vendor-advisoryx_refsource_REDHAT

Impacted products

8 products

Vendor	Product	Version
nodejs	node	Affected: 20.19.6 , ≤ 20.19.6 (semver) Affected: 22.21.1 , ≤ 22.21.1 (semver) Affected: 24.12.0 , ≤ 24.12.0 (semver) Affected: 25.2.1 , ≤ 25.2.1 (semver) Affected: 4.0 , < 4.* (semver) Affected: 5.0 , < 5.* (semver) Affected: 6.0 , < 6.* (semver) Affected: 7.0 , < 7.* (semver) Affected: 8.0 , < 8.* (semver) Affected: 9.0 , < 9.* (semver) Affected: 10.0 , < 10.* (semver) Affected: 11.0 , < 11.* (semver) Affected: 12.0 , < 12.* (semver) Affected: 13.0 , < 13.* (semver) Affected: 14.0 , < 14.* (semver) Affected: 15.0 , < 15.* (semver) Affected: 16.0 , < 16.* (semver) Affected: 17.0 , < 17.* (semver) Affected: 18.0 , < 18.* (semver)
Red Hat	Red Hat Enterprise Linux AppStream EUS (v. 10.0)	cpe:/o:redhat:enterprise_linux_eus:10.0
Red Hat	Red Hat Enterprise Linux AppStream (v. 10)	cpe:/o:redhat:enterprise_linux:10.1
Red Hat	Red Hat Enterprise Linux AppStream (v. 8)	cpe:/a:redhat:enterprise_linux:8::appstream
Red Hat	Red Hat Enterprise Linux AppStream EUS (v.9.4)	cpe:/a:redhat:rhel_eus:9.4::appstream
Red Hat	Red Hat Enterprise Linux AppStream EUS (v.9.6)	cpe:/a:redhat:rhel_eus:9.6::appstream
Red Hat	Red Hat Enterprise Linux AppStream (v. 9)	cpe:/a:redhat:enterprise_linux:9::appstream
Red Hat	Red Hat Hardened Images	cpe:/a:redhat:hummingbird:1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-55131",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-22T04:55:31.057208Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-120",
                "description": "CWE-120 Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-27T15:11:22.041Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux_eus:10.0"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:10.1"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream (v. 10)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:enterprise_linux:8::appstream"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream (v. 8)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:rhel_eus:9.4::appstream"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream EUS (v.9.4)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:rhel_eus:9.6::appstream"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream EUS (v.9.6)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:enterprise_linux:9::appstream"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream (v. 9)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:hummingbird:1"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Hardened Images",
            "vendor": "Red Hat"
          }
        ],
        "datePublic": "2026-01-20T20:41:55.591Z",
        "descriptions": [
          {
            "lang": "en",
            "value": "A memory exposure flaw has been discovered in Node.js. A flaw in Node.js\u0027s buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption."
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "namespace": "https://access.redhat.com/security/updates/classification/",
                "value": "Important"
              },
              "type": "Red Hat severity rating"
            }
          },
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "NETWORK",
              "availabilityImpact": "LOW",
              "baseScore": 7.1,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L",
              "version": "3.1"
            },
            "format": "CVSS"
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-497",
                "description": "Exposure of Sensitive System Information to an Unauthorized Control Sphere",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-30T12:07:17.759Z",
          "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
          "shortName": "redhat-SADP"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2025-55131"
          },
          {
            "name": "RHBZ#2431350",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431350"
          },
          {
            "tags": [
              "x_sadp-csaf-vex"
            ],
            "url": "https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-55131.json"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:2899"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:1843"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:1842"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:2422"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:2421"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:2420"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:2768"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:2767"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:2864"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:2783"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:2782"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:2781"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:7386"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:7387"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:6402"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:6431"
          }
        ],
        "solutions": [
          {
            "lang": "en",
            "value": "RHSA-2026:2899: Red Hat Enterprise Linux AppStream EUS (v. 10.0)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:1843: Red Hat Enterprise Linux AppStream (v. 10)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:1842: Red Hat Enterprise Linux AppStream (v. 10)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:2422: Red Hat Enterprise Linux AppStream (v. 8)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:2421: Red Hat Enterprise Linux AppStream (v. 8)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:2420: Red Hat Enterprise Linux AppStream (v. 8)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:2768: Red Hat Enterprise Linux AppStream EUS (v.9.4)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:2767: Red Hat Enterprise Linux AppStream EUS (v.9.6)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:2864: Red Hat Enterprise Linux AppStream EUS (v.9.6)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:2783: Red Hat Enterprise Linux AppStream (v. 9)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:2782: Red Hat Enterprise Linux AppStream (v. 9)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:2781: Red Hat Enterprise Linux AppStream (v. 9)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:7386: Red Hat Hardened Images"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:7387: Red Hat Hardened Images"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:6402: Red Hat Hardened Images"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:6431: Red Hat Hardened Images"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2026-01-20T21:02:45.759Z",
            "value": "Reported to Red Hat."
          },
          {
            "lang": "en",
            "time": "2026-01-20T20:41:55.591Z",
            "value": "Made public."
          }
        ],
        "title": "nodejs: Nodejs uninitialized memory exposure",
        "workarounds": [
          {
            "lang": "en",
            "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
          }
        ],
        "x_adpType": "supplier",
        "x_generator": {
          "engine": "sadp-cli 1.0.0"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "node",
          "vendor": "nodejs",
          "versions": [
            {
              "lessThanOrEqual": "20.19.6",
              "status": "affected",
              "version": "20.19.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "22.21.1",
              "status": "affected",
              "version": "22.21.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "24.12.0",
              "status": "affected",
              "version": "24.12.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "25.2.1",
              "status": "affected",
              "version": "25.2.1",
              "versionType": "semver"
            },
            {
              "lessThan": "4.*",
              "status": "affected",
              "version": "4.0",
              "versionType": "semver"
            },
            {
              "lessThan": "5.*",
              "status": "affected",
              "version": "5.0",
              "versionType": "semver"
            },
            {
              "lessThan": "6.*",
              "status": "affected",
              "version": "6.0",
              "versionType": "semver"
            },
            {
              "lessThan": "7.*",
              "status": "affected",
              "version": "7.0",
              "versionType": "semver"
            },
            {
              "lessThan": "8.*",
              "status": "affected",
              "version": "8.0",
              "versionType": "semver"
            },
            {
              "lessThan": "9.*",
              "status": "affected",
              "version": "9.0",
              "versionType": "semver"
            },
            {
              "lessThan": "10.*",
              "status": "affected",
              "version": "10.0",
              "versionType": "semver"
            },
            {
              "lessThan": "11.*",
              "status": "affected",
              "version": "11.0",
              "versionType": "semver"
            },
            {
              "lessThan": "12.*",
              "status": "affected",
              "version": "12.0",
              "versionType": "semver"
            },
            {
              "lessThan": "13.*",
              "status": "affected",
              "version": "13.0",
              "versionType": "semver"
            },
            {
              "lessThan": "14.*",
              "status": "affected",
              "version": "14.0",
              "versionType": "semver"
            },
            {
              "lessThan": "15.*",
              "status": "affected",
              "version": "15.0",
              "versionType": "semver"
            },
            {
              "lessThan": "16.*",
              "status": "affected",
              "version": "16.0",
              "versionType": "semver"
            },
            {
              "lessThan": "17.*",
              "status": "affected",
              "version": "17.0",
              "versionType": "semver"
            },
            {
              "lessThan": "18.*",
              "status": "affected",
              "version": "18.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw in Node.js\u0027s buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption. While exploitation typically requires precise timing or in-process code execution, it can become remotely exploitable when untrusted input influences workload and timeouts, leading to potential confidentiality and integrity impact."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L",
            "version": "3.0"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-20T20:41:55.591Z",
        "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "shortName": "hackerone"
      },
      "references": [
        {
          "url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
    "assignerShortName": "hackerone",
    "cveId": "CVE-2025-55131",
    "datePublished": "2026-01-20T20:41:55.591Z",
    "dateReserved": "2025-08-07T15:00:05.576Z",
    "dateUpdated": "2026-06-30T12:07:17.759Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2025-55131",
      "date": "2026-06-30",
      "epss": "0.03493",
      "percentile": "0.87681"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-55131\",\"sourceIdentifier\":\"support@hackerone.com\",\"published\":\"2026-01-20T21:16:03.320\",\"lastModified\":\"2026-06-30T03:16:52.677\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A flaw in Node.js\u0027s buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption. While exploitation typically requires precise timing or in-process code execution, it can become remotely exploitable when untrusted input influences workload and timeouts, leading to potential confidentiality and integrity impact.\"},{\"lang\":\"es\",\"value\":\"Una falla en la l\u00f3gica de asignaci\u00f3n de b\u00faferes de Node.js puede exponer memoria no inicializada cuando las asignaciones son interrumpidas, al usar el m\u00f3dulo \u0027vm\u0027 con la opci\u00f3n de tiempo de espera. Bajo condiciones de tiempo espec\u00edficas, los b\u00faferes asignados con \u0027Buffer.alloc\u0027 y otras instancias de \u0027TypedArray\u0027 como \u0027Uint8Array\u0027 pueden contener datos residuales de operaciones anteriores, permitiendo que secretos en proceso como tokens o contrase\u00f1as se filtren o causando corrupci\u00f3n de datos. Si bien la explotaci\u00f3n normalmente requiere una sincronizaci\u00f3n precisa o la ejecuci\u00f3n de c\u00f3digo en proceso, puede volverse explotable de forma remota cuando una entrada no confiable influye en la carga de trabajo y los tiempos de espera, lo que lleva a un potencial impacto en la confidencialidad y la integridad.\"}],\"affected\":[{\"source\":\"support@hackerone.com\",\"affectedData\":[{\"vendor\":\"nodejs\",\"product\":\"node\",\"defaultStatus\":\"unaffected\",\"versions\":[{\"version\":\"20.19.6\",\"lessThanOrEqual\":\"20.19.6\",\"versionType\":\"semver\",\"status\":\"affected\"},{\"version\":\"22.21.1\",\"lessThanOrEqual\":\"22.21.1\",\"versionType\":\"semver\",\"status\":\"affected\"},{\"version\":\"24.12.0\",\"lessThanOrEqual\":\"24.12.0\",\"versionType\":\"semver\",\"status\":\"affected\"},{\"version\":\"25.2.1\",\"lessThanOrEqual\":\"25.2.1\",\"versionType\":\"semver\",\"status\":\"affected\"},{\"version\":\"4.0\",\"lessThan\":\"4.*\",\"versionType\":\"semver\",\"status\":\"affected\"},{\"version\":\"5.0\",\"lessThan\":\"5.*\",\"versionType\":\"semver\",\"status\":\"affected\"},{\"version\":\"6.0\",\"lessThan\":\"6.*\",\"versionType\":\"semver\",\"status\":\"affected\"},{\"version\":\"7.0\",\"lessThan\":\"7.*\",\"versionType\":\"semver\",\"status\":\"affected\"},{\"version\":\"8.0\",\"lessThan\":\"8.*\",\"versionType\":\"semver\",\"status\":\"affected\"},{\"version\":\"9.0\",\"lessThan\":\"9.*\",\"versionType\":\"semver\",\"status\":\"affected\"},{\"version\":\"10.0\",\"lessThan\":\"10.*\",\"versionType\":\"semver\",\"status\":\"affected\"},{\"version\":\"11.0\",\"lessThan\":\"11.*\",\"versionType\":\"semver\",\"status\":\"affected\"},{\"version\":\"12.0\",\"lessThan\":\"12.*\",\"versionType\":\"semver\",\"status\":\"affected\"},{\"version\":\"13.0\",\"lessThan\":\"13.*\",\"versionType\":\"semver\",\"status\":\"affected\"},{\"version\":\"14.0\",\"lessThan\":\"14.*\",\"versionType\":\"semver\",\"status\":\"affected\"},{\"version\":\"15.0\",\"lessThan\":\"15.*\",\"versionType\":\"semver\",\"status\":\"affected\"},{\"version\":\"16.0\",\"lessThan\":\"16.*\",\"versionType\":\"semver\",\"status\":\"affected\"},{\"version\":\"17.0\",\"lessThan\":\"17.*\",\"versionType\":\"semver\",\"status\":\"affected\"},{\"version\":\"18.0\",\"lessThan\":\"18.*\",\"versionType\":\"semver\",\"status\":\"affected\"}]}]},{\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\",\"affectedData\":[{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux AppStream EUS (v. 10.0)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/o:redhat:enterprise_linux_eus:10.0\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux AppStream (v. 10)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/o:redhat:enterprise_linux:10.1\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux AppStream (v. 8)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:enterprise_linux:8::appstream\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux AppStream EUS (v.9.4)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:rhel_eus:9.4::appstream\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux AppStream EUS (v.9.6)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:rhel_eus:9.6::appstream\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux AppStream (v. 9)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:enterprise_linux:9::appstream\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Hardened Images\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:hummingbird:1\"]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L\",\"baseScore\":7.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":1.6,\"impactScore\":5.5}],\"cvssMetricV30\":[{\"source\":\"support@hackerone.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L\",\"baseScore\":7.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":1.6,\"impactScore\":5.5}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-01-22T04:55:31.057208Z\",\"id\":\"CVE-2025-55131\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"no\"},{\"technicalImpact\":\"total\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-120\"}]},{\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-497\"}]}],\"references\":[{\"url\":\"https://nodejs.org/en/blog/vulnerability/december-2025-security-releases\",\"source\":\"support@hackerone.com\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:1842\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:1843\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:2420\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:2421\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:2422\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:2767\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:2768\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:2781\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:2782\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:2783\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:2864\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:2899\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:6402\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:6431\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:7386\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:7387\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/security/cve/CVE-2025-55131\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=2431350\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-55131.json\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"nodejs: Nodejs uninitialized memory exposure\", \"metrics\": [{\"other\": {\"type\": \"Red Hat severity rating\", \"content\": {\"value\": \"Important\", \"namespace\": \"https://access.redhat.com/security/updates/classification/\"}}}, {\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"cpes\": [\"cpe:/o:redhat:enterprise_linux_eus:10.0\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux AppStream EUS (v. 10.0)\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:10.1\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux AppStream (v. 10)\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:enterprise_linux:8::appstream\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux AppStream (v. 8)\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:rhel_eus:9.4::appstream\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux AppStream EUS (v.9.4)\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:rhel_eus:9.6::appstream\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux AppStream EUS (v.9.6)\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:enterprise_linux:9::appstream\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux AppStream (v. 9)\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:hummingbird:1\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Hardened Images\", \"defaultStatus\": \"affected\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2026-01-20T21:02:45.759Z\", \"value\": \"Reported to Red Hat.\"}, {\"lang\": \"en\", \"time\": \"2026-01-20T20:41:55.591Z\", \"value\": \"Made public.\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"RHSA-2026:2899: Red Hat Enterprise Linux AppStream EUS (v. 10.0)\"}, {\"lang\": \"en\", \"value\": \"RHSA-2026:1843: Red Hat Enterprise Linux AppStream (v. 10)\"}, {\"lang\": \"en\", \"value\": \"RHSA-2026:1842: Red Hat Enterprise Linux AppStream (v. 10)\"}, {\"lang\": \"en\", \"value\": \"RHSA-2026:2422: Red Hat Enterprise Linux AppStream (v. 8)\"}, {\"lang\": \"en\", \"value\": \"RHSA-2026:2421: Red Hat Enterprise Linux AppStream (v. 8)\"}, {\"lang\": \"en\", \"value\": \"RHSA-2026:2420: Red Hat Enterprise Linux AppStream (v. 8)\"}, {\"lang\": \"en\", \"value\": \"RHSA-2026:2768: Red Hat Enterprise Linux AppStream EUS (v.9.4)\"}, {\"lang\": \"en\", \"value\": \"RHSA-2026:2767: Red Hat Enterprise Linux AppStream EUS (v.9.6)\"}, {\"lang\": \"en\", \"value\": \"RHSA-2026:2864: Red Hat Enterprise Linux AppStream EUS (v.9.6)\"}, {\"lang\": \"en\", \"value\": \"RHSA-2026:2783: Red Hat Enterprise Linux AppStream (v. 9)\"}, {\"lang\": \"en\", \"value\": \"RHSA-2026:2782: Red Hat Enterprise Linux AppStream (v. 9)\"}, {\"lang\": \"en\", \"value\": \"RHSA-2026:2781: Red Hat Enterprise Linux AppStream (v. 9)\"}, {\"lang\": \"en\", \"value\": \"RHSA-2026:7386: Red Hat Hardened Images\"}, {\"lang\": \"en\", \"value\": \"RHSA-2026:7387: Red Hat Hardened Images\"}, {\"lang\": \"en\", \"value\": \"RHSA-2026:6402: Red Hat Hardened Images\"}, {\"lang\": \"en\", \"value\": \"RHSA-2026:6431: Red Hat Hardened Images\"}], \"x_adpType\": \"supplier\", \"datePublic\": \"2026-01-20T20:41:55.591Z\", \"references\": [{\"url\": \"https://access.redhat.com/security/cve/CVE-2025-55131\", \"tags\": [\"vdb-entry\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=2431350\", \"name\": \"RHBZ#2431350\", \"tags\": [\"issue-tracking\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-55131.json\", \"tags\": [\"x_sadp-csaf-vex\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2026:2899\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2026:1843\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2026:1842\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2026:2422\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2026:2421\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2026:2420\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2026:2768\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2026:2767\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2026:2864\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2026:2783\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2026:2782\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2026:2781\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2026:7386\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2026:7387\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2026:6402\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2026:6431\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.\"}], \"x_generator\": {\"engine\": \"sadp-cli 1.0.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"A memory exposure flaw has been discovered in Node.js. A flaw in Node.js\u0027s buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-497\", \"description\": \"Exposure of Sensitive System Information to an Unauthorized Control Sphere\"}]}], \"providerMetadata\": {\"orgId\": \"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\", \"shortName\": \"redhat-SADP\", \"dateUpdated\": \"2026-06-30T12:07:17.759Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-55131\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-01-22T04:55:31.057208Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-120\", \"description\": \"CWE-120 Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-01-21T20:25:56.959Z\"}}], \"cna\": {\"metrics\": [{\"cvssV3_0\": {\"version\": \"3.0\", \"baseScore\": 7.1, \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L\"}}], \"affected\": [{\"vendor\": \"nodejs\", \"product\": \"node\", \"versions\": [{\"status\": \"affected\", \"version\": \"20.19.6\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"20.19.6\"}, {\"status\": \"affected\", \"version\": \"22.21.1\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"22.21.1\"}, {\"status\": \"affected\", \"version\": \"24.12.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"24.12.0\"}, {\"status\": \"affected\", \"version\": \"25.2.1\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"25.2.1\"}, {\"status\": \"affected\", \"version\": \"4.0\", \"lessThan\": \"4.*\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"5.0\", \"lessThan\": \"5.*\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"6.0\", \"lessThan\": \"6.*\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"7.0\", \"lessThan\": \"7.*\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"8.0\", \"lessThan\": \"8.*\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"9.0\", \"lessThan\": \"9.*\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"10.0\", \"lessThan\": \"10.*\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"11.0\", \"lessThan\": \"11.*\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"12.0\", \"lessThan\": \"12.*\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"13.0\", \"lessThan\": \"13.*\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"14.0\", \"lessThan\": \"14.*\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"15.0\", \"lessThan\": \"15.*\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"16.0\", \"lessThan\": \"16.*\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"17.0\", \"lessThan\": \"17.*\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"18.0\", \"lessThan\": \"18.*\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://nodejs.org/en/blog/vulnerability/december-2025-security-releases\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"A flaw in Node.js\u0027s buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption. While exploitation typically requires precise timing or in-process code execution, it can become remotely exploitable when untrusted input influences workload and timeouts, leading to potential confidentiality and integrity impact.\"}], \"providerMetadata\": {\"orgId\": \"36234546-b8fa-4601-9d6f-f4e334aa8ea1\", \"shortName\": \"hackerone\", \"dateUpdated\": \"2026-01-20T20:41:55.591Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-55131\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-30T12:07:17.759Z\", \"dateReserved\": \"2025-08-07T15:00:05.576Z\", \"assignerOrgId\": \"36234546-b8fa-4601-9d6f-f4e334aa8ea1\", \"datePublished\": \"2026-01-20T20:41:55.591Z\", \"assignerShortName\": \"hackerone\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

alsa-2026:1842

Vulnerability from osv_almalinux

Published

2026-02-03 00:00

Modified

2026-02-06 17:30

Summary

Important: nodejs24 security update

Details

Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices.

Security Fix(es):

nodejs: Nodejs filesystem permissions bypass (CVE-2025-55132)
nodejs: Nodejs denial of service (CVE-2026-21637)
nodejs: Nodejs denial of service (CVE-2025-59466)
nodejs: Nodejs denial of service (CVE-2025-59465)
nodejs: Nodejs uninitialized memory exposure (CVE-2025-55131)
nodejs: Nodejs file permissions bypass (CVE-2025-55130)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2026:1842	ADVISORY
	https://access.redhat.com/security/cve/CVE-2025-55130	REPORT
	https://access.redhat.com/security/cve/CVE-2025-55131	REPORT
	https://access.redhat.com/security/cve/CVE-2025-55132	REPORT
	https://access.redhat.com/security/cve/CVE-2025-59465	REPORT
	https://access.redhat.com/security/cve/CVE-2025-59466	REPORT
	https://access.redhat.com/security/cve/CVE-2026-21637	REPORT
	https://bugzilla.redhat.com/2431338	REPORT
	https://bugzilla.redhat.com/2431340	REPORT
	https://bugzilla.redhat.com/2431343	REPORT
	https://bugzilla.redhat.com/2431349	REPORT
	https://bugzilla.redhat.com/2431350	REPORT
	https://bugzilla.redhat.com/2431352	REPORT
	https://errata.almalinux.org/10/ALSA-2026-1842.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:10",
        "name": "nodejs24-docs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:24.13.0-1.el10_1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:10",
        "name": "nodejs24-npm"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:11.6.2-1.24.13.0.1.el10_1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Node.js is a platform built on Chrome\u0027s JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices.  \n\nSecurity Fix(es):  \n\n  * nodejs: Nodejs filesystem permissions bypass (CVE-2025-55132)\n  * nodejs: Nodejs denial of service (CVE-2026-21637)\n  * nodejs: Nodejs denial of service (CVE-2025-59466)\n  * nodejs: Nodejs denial of service (CVE-2025-59465)\n  * nodejs: Nodejs uninitialized memory exposure (CVE-2025-55131)\n  * nodejs: Nodejs file permissions bypass (CVE-2025-55130)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
  "id": "ALSA-2026:1842",
  "modified": "2026-02-06T17:30:15Z",
  "published": "2026-02-03T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:1842"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-55130"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-55131"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-55132"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-59465"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-59466"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-21637"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2431338"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2431340"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2431343"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2431349"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2431350"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2431352"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/10/ALSA-2026-1842.html"
    }
  ],
  "related": [
    "CVE-2025-55132",
    "CVE-2026-21637",
    "CVE-2025-59466",
    "CVE-2025-59465",
    "CVE-2025-55131",
    "CVE-2025-55130"
  ],
  "summary": "Important: nodejs24 security update"
}

alsa-2026:1843

Vulnerability from osv_almalinux

Published

2026-02-03 00:00

Modified

2026-02-06 17:27

Summary

Important: nodejs22 security update

Details

Node.js is a platform built on Chrome's JavaScript runtime \ for easily building fast, scalable network applications. \ Node.js uses an event-driven, non-blocking I/O model that \ makes it lightweight and efficient, perfect for data-intensive \ real-time applications that run across distributed devices.

Security Fix(es):

nodejs: Nodejs filesystem permissions bypass (CVE-2025-55132)
nodejs: Nodejs denial of service (CVE-2026-21637)
nodejs: Nodejs denial of service (CVE-2025-59466)
nodejs: Nodejs denial of service (CVE-2025-59465)
nodejs: Nodejs uninitialized memory exposure (CVE-2025-55131)
nodejs: Nodejs file permissions bypass (CVE-2025-55130)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2026:1843	ADVISORY
	https://access.redhat.com/security/cve/CVE-2025-55130	REPORT
	https://access.redhat.com/security/cve/CVE-2025-55131	REPORT
	https://access.redhat.com/security/cve/CVE-2025-55132	REPORT
	https://access.redhat.com/security/cve/CVE-2025-59465	REPORT
	https://access.redhat.com/security/cve/CVE-2025-59466	REPORT
	https://access.redhat.com/security/cve/CVE-2026-21637	REPORT
	https://bugzilla.redhat.com/2431338	REPORT
	https://bugzilla.redhat.com/2431340	REPORT
	https://bugzilla.redhat.com/2431343	REPORT
	https://bugzilla.redhat.com/2431349	REPORT
	https://bugzilla.redhat.com/2431350	REPORT
	https://bugzilla.redhat.com/2431352	REPORT
	https://errata.almalinux.org/10/ALSA-2026-1843.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:10",
        "name": "nodejs-docs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:22.22.0-3.el10_1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Node.js is a platform built on Chrome\u0027s JavaScript runtime \\ for easily building fast, scalable network applications. \\ Node.js uses an event-driven, non-blocking I/O model that \\ makes it lightweight and efficient, perfect for data-intensive \\ real-time applications that run across distributed devices.  \n\nSecurity Fix(es):  \n\n  * nodejs: Nodejs filesystem permissions bypass (CVE-2025-55132)\n  * nodejs: Nodejs denial of service (CVE-2026-21637)\n  * nodejs: Nodejs denial of service (CVE-2025-59466)\n  * nodejs: Nodejs denial of service (CVE-2025-59465)\n  * nodejs: Nodejs uninitialized memory exposure (CVE-2025-55131)\n  * nodejs: Nodejs file permissions bypass (CVE-2025-55130)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
  "id": "ALSA-2026:1843",
  "modified": "2026-02-06T17:27:43Z",
  "published": "2026-02-03T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:1843"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-55130"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-55131"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-55132"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-59465"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-59466"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-21637"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2431338"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2431340"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2431343"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2431349"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2431350"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2431352"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/10/ALSA-2026-1843.html"
    }
  ],
  "related": [
    "CVE-2025-55132",
    "CVE-2026-21637",
    "CVE-2025-59466",
    "CVE-2025-59465",
    "CVE-2025-55131",
    "CVE-2025-55130"
  ],
  "summary": "Important: nodejs22 security update"
}

alsa-2026:2420

Vulnerability from osv_almalinux

Published

2026-02-10 00:00

Modified

2026-02-12 10:19

Summary

Important: nodejs:24 security update

Details

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

Security Fix(es):

nodejs: Nodejs filesystem permissions bypass (CVE-2025-55132)
nodejs: Nodejs denial of service (CVE-2026-21637)
nodejs: Nodejs denial of service (CVE-2025-59466)
nodejs: Nodejs denial of service (CVE-2025-59465)
nodejs: Nodejs uninitialized memory exposure (CVE-2025-55131)
nodejs: Nodejs file permissions bypass (CVE-2025-55130)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2026:2420	ADVISORY
	https://access.redhat.com/security/cve/CVE-2025-55130	REPORT
	https://access.redhat.com/security/cve/CVE-2025-55131	REPORT
	https://access.redhat.com/security/cve/CVE-2025-55132	REPORT
	https://access.redhat.com/security/cve/CVE-2025-59465	REPORT
	https://access.redhat.com/security/cve/CVE-2025-59466	REPORT
	https://access.redhat.com/security/cve/CVE-2026-21637	REPORT
	https://bugzilla.redhat.com/2431338	REPORT
	https://bugzilla.redhat.com/2431340	REPORT
	https://bugzilla.redhat.com/2431343	REPORT
	https://bugzilla.redhat.com/2431349	REPORT
	https://bugzilla.redhat.com/2431350	REPORT
	https://bugzilla.redhat.com/2431352	REPORT
	https://errata.almalinux.org/8/ALSA-2026-2420.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "nodejs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:24.13.0-0.module_el8.10.0+4113+bc863bc2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "nodejs-devel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:24.13.0-0.module_el8.10.0+4113+bc863bc2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "nodejs-docs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:24.13.0-0.module_el8.10.0+4113+bc863bc2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "nodejs-full-i18n"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:24.13.0-0.module_el8.10.0+4113+bc863bc2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "nodejs-libs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:24.13.0-0.module_el8.10.0+4113+bc863bc2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "nodejs-nodemon"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.0.3-1.module_el8.10.0+4061+f8ceeab9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "nodejs-packaging"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2021.06-6.module_el8.10.0+4086+70facd4a"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "nodejs-packaging-bundler"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2021.06-6.module_el8.10.0+4086+70facd4a"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "npm"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:11.6.2-1.24.13.0.0.module_el8.10.0+4113+bc863bc2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "v8-13.6-devel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3:13.6.233.17-1.24.13.0.0.module_el8.10.0+4113+bc863bc2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.   \n\nSecurity Fix(es):  \n\n  * nodejs: Nodejs filesystem permissions bypass (CVE-2025-55132)\n  * nodejs: Nodejs denial of service (CVE-2026-21637)\n  * nodejs: Nodejs denial of service (CVE-2025-59466)\n  * nodejs: Nodejs denial of service (CVE-2025-59465)\n  * nodejs: Nodejs uninitialized memory exposure (CVE-2025-55131)\n  * nodejs: Nodejs file permissions bypass (CVE-2025-55130)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
  "id": "ALSA-2026:2420",
  "modified": "2026-02-12T10:19:24Z",
  "published": "2026-02-10T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:2420"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-55130"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-55131"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-55132"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-59465"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-59466"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-21637"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2431338"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2431340"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2431343"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2431349"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2431350"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2431352"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/8/ALSA-2026-2420.html"
    }
  ],
  "related": [
    "CVE-2025-55132",
    "CVE-2026-21637",
    "CVE-2025-59466",
    "CVE-2025-59465",
    "CVE-2025-55131",
    "CVE-2025-55130"
  ],
  "summary": "Important: nodejs:24 security update"
}

alsa-2026:2421

Vulnerability from osv_almalinux

Published

2026-02-10 00:00

Modified

2026-02-13 10:53

Summary

Important: nodejs:22 security update

Details

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

Security Fix(es):

nodejs: Nodejs filesystem permissions bypass (CVE-2025-55132)
nodejs: Nodejs denial of service (CVE-2026-21637)
nodejs: Nodejs denial of service (CVE-2025-59466)
nodejs: Nodejs denial of service (CVE-2025-59465)
nodejs: Nodejs uninitialized memory exposure (CVE-2025-55131)
nodejs: Nodejs file permissions bypass (CVE-2025-55130)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2026:2421	ADVISORY
	https://access.redhat.com/security/cve/CVE-2025-55130	REPORT
	https://access.redhat.com/security/cve/CVE-2025-55131	REPORT
	https://access.redhat.com/security/cve/CVE-2025-55132	REPORT
	https://access.redhat.com/security/cve/CVE-2025-59465	REPORT
	https://access.redhat.com/security/cve/CVE-2025-59466	REPORT
	https://access.redhat.com/security/cve/CVE-2026-21637	REPORT
	https://bugzilla.redhat.com/2431338	REPORT
	https://bugzilla.redhat.com/2431340	REPORT
	https://bugzilla.redhat.com/2431343	REPORT
	https://bugzilla.redhat.com/2431349	REPORT
	https://bugzilla.redhat.com/2431350	REPORT
	https://bugzilla.redhat.com/2431352	REPORT
	https://errata.almalinux.org/8/ALSA-2026-2421.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "nodejs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:22.22.0-1.module_el8.10.0+4112+db1af44b"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "nodejs-devel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:22.22.0-1.module_el8.10.0+4112+db1af44b"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "nodejs-docs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:22.22.0-1.module_el8.10.0+4112+db1af44b"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "nodejs-full-i18n"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:22.22.0-1.module_el8.10.0+4112+db1af44b"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "nodejs-libs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:22.22.0-1.module_el8.10.0+4112+db1af44b"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "nodejs-nodemon"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.0.1-1.module_el8.10.0+4006+3c416519"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "nodejs-packaging"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2021.06-5.module_el8.10.0+4085+6f807d30"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "nodejs-packaging-bundler"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2021.06-5.module_el8.10.0+4085+6f807d30"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "npm"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:10.9.4-1.22.22.0.1.module_el8.10.0+4112+db1af44b"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "v8-12.4-devel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3:12.4.254.21-1.22.22.0.1.module_el8.10.0+4112+db1af44b"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.   \n\nSecurity Fix(es):  \n\n  * nodejs: Nodejs filesystem permissions bypass (CVE-2025-55132)\n  * nodejs: Nodejs denial of service (CVE-2026-21637)\n  * nodejs: Nodejs denial of service (CVE-2025-59466)\n  * nodejs: Nodejs denial of service (CVE-2025-59465)\n  * nodejs: Nodejs uninitialized memory exposure (CVE-2025-55131)\n  * nodejs: Nodejs file permissions bypass (CVE-2025-55130)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
  "id": "ALSA-2026:2421",
  "modified": "2026-02-13T10:53:31Z",
  "published": "2026-02-10T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:2421"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-55130"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-55131"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-55132"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-59465"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-59466"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-21637"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2431338"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2431340"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2431343"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2431349"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2431350"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2431352"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/8/ALSA-2026-2421.html"
    }
  ],
  "related": [
    "CVE-2025-55132",
    "CVE-2026-21637",
    "CVE-2025-59466",
    "CVE-2025-59465",
    "CVE-2025-55131",
    "CVE-2025-55130"
  ],
  "summary": "Important: nodejs:22 security update"
}

alsa-2026:2422

Vulnerability from osv_almalinux

Published

2026-02-10 00:00

Modified

2026-02-12 10:15

Summary

Important: nodejs:20 security update

Details

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

Security Fix(es):

nodejs: Nodejs filesystem permissions bypass (CVE-2025-55132)
nodejs: Nodejs denial of service (CVE-2026-21637)
nodejs: Nodejs denial of service (CVE-2025-59466)
nodejs: Nodejs denial of service (CVE-2025-59465)
nodejs: Nodejs uninitialized memory exposure (CVE-2025-55131)
nodejs: Nodejs file permissions bypass (CVE-2025-55130)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2026:2422	ADVISORY
	https://access.redhat.com/security/cve/CVE-2025-55130	REPORT
	https://access.redhat.com/security/cve/CVE-2025-55131	REPORT
	https://access.redhat.com/security/cve/CVE-2025-55132	REPORT
	https://access.redhat.com/security/cve/CVE-2025-59465	REPORT
	https://access.redhat.com/security/cve/CVE-2025-59466	REPORT
	https://access.redhat.com/security/cve/CVE-2026-21637	REPORT
	https://bugzilla.redhat.com/2431338	REPORT
	https://bugzilla.redhat.com/2431340	REPORT
	https://bugzilla.redhat.com/2431343	REPORT
	https://bugzilla.redhat.com/2431349	REPORT
	https://bugzilla.redhat.com/2431350	REPORT
	https://bugzilla.redhat.com/2431352	REPORT
	https://errata.almalinux.org/8/ALSA-2026-2422.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "nodejs-nodemon"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.0.1-1.module_el8.10.0+3982+85c136aa"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "nodejs-packaging"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2021.06-5.module_el8.10.0+4084+7c0af990"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "nodejs-packaging-bundler"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2021.06-5.module_el8.10.0+4084+7c0af990"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.   \n\nSecurity Fix(es):  \n\n  * nodejs: Nodejs filesystem permissions bypass (CVE-2025-55132)\n  * nodejs: Nodejs denial of service (CVE-2026-21637)\n  * nodejs: Nodejs denial of service (CVE-2025-59466)\n  * nodejs: Nodejs denial of service (CVE-2025-59465)\n  * nodejs: Nodejs uninitialized memory exposure (CVE-2025-55131)\n  * nodejs: Nodejs file permissions bypass (CVE-2025-55130)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
  "id": "ALSA-2026:2422",
  "modified": "2026-02-12T10:15:50Z",
  "published": "2026-02-10T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:2422"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-55130"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-55131"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-55132"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-59465"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-59466"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-21637"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2431338"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2431340"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2431343"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2431349"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2431350"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2431352"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/8/ALSA-2026-2422.html"
    }
  ],
  "related": [
    "CVE-2025-55132",
    "CVE-2026-21637",
    "CVE-2025-59466",
    "CVE-2025-59465",
    "CVE-2025-55131",
    "CVE-2025-55130"
  ],
  "summary": "Important: nodejs:20 security update"
}

alsa-2026:2781

Vulnerability from osv_almalinux

Published

2026-02-17 00:00

Modified

2026-02-18 13:51

Summary

Important: nodejs:24 security update

Details

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

Security Fix(es):

nodejs: Nodejs filesystem permissions bypass (CVE-2025-55132)
nodejs: Nodejs denial of service (CVE-2026-21637)
nodejs: Nodejs denial of service (CVE-2025-59466)
nodejs: Nodejs denial of service (CVE-2025-59465)
nodejs: Nodejs uninitialized memory exposure (CVE-2025-55131)
nodejs: Nodejs file permissions bypass (CVE-2025-55130)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2026:2781	ADVISORY
	https://access.redhat.com/security/cve/CVE-2025-55130	REPORT
	https://access.redhat.com/security/cve/CVE-2025-55131	REPORT
	https://access.redhat.com/security/cve/CVE-2025-55132	REPORT
	https://access.redhat.com/security/cve/CVE-2025-59465	REPORT
	https://access.redhat.com/security/cve/CVE-2025-59466	REPORT
	https://access.redhat.com/security/cve/CVE-2026-21637	REPORT
	https://bugzilla.redhat.com/2431338	REPORT
	https://bugzilla.redhat.com/2431340	REPORT
	https://bugzilla.redhat.com/2431343	REPORT
	https://bugzilla.redhat.com/2431349	REPORT
	https://bugzilla.redhat.com/2431350	REPORT
	https://bugzilla.redhat.com/2431352	REPORT
	https://errata.almalinux.org/9/ALSA-2026-2781.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "nodejs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:24.13.0-1.module_el9.7.0+209+ecf6523e"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "nodejs-devel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:24.13.0-1.module_el9.7.0+209+ecf6523e"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "nodejs-docs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:24.13.0-1.module_el9.7.0+209+ecf6523e"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "nodejs-full-i18n"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:24.13.0-1.module_el9.7.0+209+ecf6523e"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "nodejs-libs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:24.13.0-1.module_el9.7.0+209+ecf6523e"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "nodejs-nodemon"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.0.3-3.module_el9.7.0+209+ecf6523e"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "nodejs-packaging"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2021.06-6.module_el9.7.0+209+ecf6523e"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "nodejs-packaging-bundler"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2021.06-6.module_el9.7.0+198+8bf605ba"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "npm"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:11.6.2-1.24.13.0.1.module_el9.7.0+209+ecf6523e"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "v8-13.6-devel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3:13.6.233.17-1.24.13.0.1.module_el9.7.0+209+ecf6523e"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.   \n\nSecurity Fix(es):  \n\n  * nodejs: Nodejs filesystem permissions bypass (CVE-2025-55132)\n  * nodejs: Nodejs denial of service (CVE-2026-21637)\n  * nodejs: Nodejs denial of service (CVE-2025-59466)\n  * nodejs: Nodejs denial of service (CVE-2025-59465)\n  * nodejs: Nodejs uninitialized memory exposure (CVE-2025-55131)\n  * nodejs: Nodejs file permissions bypass (CVE-2025-55130)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
  "id": "ALSA-2026:2781",
  "modified": "2026-02-18T13:51:36Z",
  "published": "2026-02-17T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:2781"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-55130"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-55131"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-55132"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-59465"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-59466"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-21637"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2431338"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2431340"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2431343"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2431349"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2431350"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2431352"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/9/ALSA-2026-2781.html"
    }
  ],
  "related": [
    "CVE-2025-55132",
    "CVE-2026-21637",
    "CVE-2025-59466",
    "CVE-2025-59465",
    "CVE-2025-55131",
    "CVE-2025-55130"
  ],
  "summary": "Important: nodejs:24 security update"
}

alsa-2026:2782

Vulnerability from osv_almalinux

Published

2026-02-17 00:00

Modified

2026-02-23 13:22

Summary

Important: nodejs:22 security update

Details

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

Security Fix(es):

nodejs: Nodejs filesystem permissions bypass (CVE-2025-55132)
nodejs: Nodejs denial of service (CVE-2026-21637)
nodejs: Nodejs denial of service (CVE-2025-59466)
nodejs: Nodejs denial of service (CVE-2025-59465)
nodejs: Nodejs uninitialized memory exposure (CVE-2025-55131)
nodejs: Nodejs file permissions bypass (CVE-2025-55130)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2026:2782	ADVISORY
	https://access.redhat.com/security/cve/CVE-2025-55130	REPORT
	https://access.redhat.com/security/cve/CVE-2025-55131	REPORT
	https://access.redhat.com/security/cve/CVE-2025-55132	REPORT
	https://access.redhat.com/security/cve/CVE-2025-59465	REPORT
	https://access.redhat.com/security/cve/CVE-2025-59466	REPORT
	https://access.redhat.com/security/cve/CVE-2026-21637	REPORT
	https://bugzilla.redhat.com/2431338	REPORT
	https://bugzilla.redhat.com/2431340	REPORT
	https://bugzilla.redhat.com/2431343	REPORT
	https://bugzilla.redhat.com/2431349	REPORT
	https://bugzilla.redhat.com/2431350	REPORT
	https://bugzilla.redhat.com/2431352	REPORT
	https://errata.almalinux.org/9/ALSA-2026-2782.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "nodejs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:22.22.0-1.module_el9.7.0+208+fb06c0ab"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "nodejs-devel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:22.22.0-1.module_el9.7.0+208+fb06c0ab"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "nodejs-docs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:22.22.0-1.module_el9.7.0+208+fb06c0ab"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "nodejs-full-i18n"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:22.22.0-1.module_el9.7.0+208+fb06c0ab"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "nodejs-libs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:22.22.0-1.module_el9.7.0+208+fb06c0ab"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "nodejs-nodemon"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.0.1-1.module_el9.6.0+172+f0ba00ec"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "nodejs-packaging"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2021.06-5.module_el9.7.0+208+fb06c0ab"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "nodejs-packaging-bundler"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2021.06-5.module_el9.7.0+196+ac40ca3b"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "npm"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:10.9.4-1.22.22.0.1.module_el9.7.0+208+fb06c0ab"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "v8-12.4-devel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3:12.4.254.21-1.22.22.0.1.module_el9.7.0+208+fb06c0ab"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.   \n\nSecurity Fix(es):  \n\n  * nodejs: Nodejs filesystem permissions bypass (CVE-2025-55132)\n  * nodejs: Nodejs denial of service (CVE-2026-21637)\n  * nodejs: Nodejs denial of service (CVE-2025-59466)\n  * nodejs: Nodejs denial of service (CVE-2025-59465)\n  * nodejs: Nodejs uninitialized memory exposure (CVE-2025-55131)\n  * nodejs: Nodejs file permissions bypass (CVE-2025-55130)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
  "id": "ALSA-2026:2782",
  "modified": "2026-02-23T13:22:00Z",
  "published": "2026-02-17T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:2782"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-55130"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-55131"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-55132"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-59465"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-59466"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-21637"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2431338"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2431340"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2431343"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2431349"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2431350"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2431352"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/9/ALSA-2026-2782.html"
    }
  ],
  "related": [
    "CVE-2025-55132",
    "CVE-2026-21637",
    "CVE-2025-59466",
    "CVE-2025-59465",
    "CVE-2025-55131",
    "CVE-2025-55130"
  ],
  "summary": "Important: nodejs:22 security update"
}

alsa-2026:2783

Vulnerability from osv_almalinux

Published

2026-02-17 00:00

Modified

2026-02-23 13:24

Summary

Important: nodejs:20 security update

Details

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

Security Fix(es):

nodejs: Nodejs filesystem permissions bypass (CVE-2025-55132)
nodejs: Nodejs denial of service (CVE-2026-21637)
nodejs: Nodejs denial of service (CVE-2025-59466)
nodejs: Nodejs denial of service (CVE-2025-59465)
nodejs: Nodejs uninitialized memory exposure (CVE-2025-55131)
nodejs: Nodejs file permissions bypass (CVE-2025-55130)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2026:2783	ADVISORY
	https://access.redhat.com/security/cve/CVE-2025-55130	REPORT
	https://access.redhat.com/security/cve/CVE-2025-55131	REPORT
	https://access.redhat.com/security/cve/CVE-2025-55132	REPORT
	https://access.redhat.com/security/cve/CVE-2025-59465	REPORT
	https://access.redhat.com/security/cve/CVE-2025-59466	REPORT
	https://access.redhat.com/security/cve/CVE-2026-21637	REPORT
	https://bugzilla.redhat.com/2431338	REPORT
	https://bugzilla.redhat.com/2431340	REPORT
	https://bugzilla.redhat.com/2431343	REPORT
	https://bugzilla.redhat.com/2431349	REPORT
	https://bugzilla.redhat.com/2431350	REPORT
	https://bugzilla.redhat.com/2431352	REPORT
	https://errata.almalinux.org/9/ALSA-2026-2783.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "nodejs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:20.20.0-1.module_el9.7.0+207+84573810"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "nodejs-devel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:20.20.0-1.module_el9.7.0+207+84573810"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "nodejs-docs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:20.20.0-1.module_el9.7.0+207+84573810"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "nodejs-full-i18n"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:20.20.0-1.module_el9.7.0+207+84573810"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "nodejs-nodemon"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.0.1-1.module_el9.5.0+125+8dc38870"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "nodejs-packaging"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2021.06-5.module_el9.7.0+207+84573810"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "nodejs-packaging-bundler"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2021.06-5.module_el9.7.0+207+84573810"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "npm"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:10.8.2-1.20.20.0.1.module_el9.7.0+207+84573810"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.   \n\nSecurity Fix(es):  \n\n  * nodejs: Nodejs filesystem permissions bypass (CVE-2025-55132)\n  * nodejs: Nodejs denial of service (CVE-2026-21637)\n  * nodejs: Nodejs denial of service (CVE-2025-59466)\n  * nodejs: Nodejs denial of service (CVE-2025-59465)\n  * nodejs: Nodejs uninitialized memory exposure (CVE-2025-55131)\n  * nodejs: Nodejs file permissions bypass (CVE-2025-55130)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
  "id": "ALSA-2026:2783",
  "modified": "2026-02-23T13:24:32Z",
  "published": "2026-02-17T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:2783"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-55130"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-55131"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-55132"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-59465"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-59466"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-21637"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2431338"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2431340"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2431343"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2431349"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2431350"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2431352"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/9/ALSA-2026-2783.html"
    }
  ],
  "related": [
    "CVE-2025-55132",
    "CVE-2026-21637",
    "CVE-2025-59466",
    "CVE-2025-59465",
    "CVE-2025-55131",
    "CVE-2025-55130"
  ],
  "summary": "Important: nodejs:20 security update"
}

BDU:2026-00546

Vulnerability from fstec - Published: 13.01.2026

Title

Уязвимость программной платформы Node.js, связанная с ошибками межграничного удаления критичных данных, позволяющая нарушителю оказать воздействие на конфиденциальность и целостность защищаемой информации

Description

Уязвимость программной платформы Node.js связана с ошибками межграничного удаления критичных данных. Эксплуатация уязвимости может позволить нарушителю, действующему удаленно, оказать воздействие на конфиденциальность и целостность защищаемой информации

Severity


                    
                      AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Vendor

Node.js Foundation

Software Name

Node.js

Software Version

до 24.13.0 (LTS) (Node.js)

Possible Mitigations

Использование рекомендаций производителя: https://nodejs.org/en/blog/release/v24.13.0

Reference

https://nodejs.org/en/blog/release/v24.13.0 https://www.tenable.com/cve/CVE-2025-55131

CWE

CWE-226

JSON

To clipboard

{
  "CVSS 2.0": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
  "CVSS 3.0": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
  "CVSS 4.0": null,
  "remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "TO2475, TO2476, TO2477, TO2478, TO2479, TO2480, TO2481, TO2482, TO2483, TO2484, TO2485, TO2486, TO2487, TO2488, TO2489, TO2490",
  "remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": "TO2475 \u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 Node.js, TO2476 \u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 Node.js, TO2477 \u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 Node.js, TO2478 \u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 Node.js, TO2479 \u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 Node.js, TO2480 \u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 Node.js, TO2481 \u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 Node.js, TO2482 \u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 Node.js, TO2483 \u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 Node.js, TO2484 \u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 Node.js, TO2485 \u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 Node.js, TO2486 \u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 Node.js, TO2487 \u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 Node.js, TO2488 \u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 Node.js, TO2489 \u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 Node.js, TO2490 \u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 Node.js",
  "\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "Node.js Foundation",
  "\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "\u0434\u043e 24.13.0 (LTS) (Node.js)",
  "\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f:\nhttps://nodejs.org/en/blog/release/v24.13.0",
  "\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "13.01.2026",
  "\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "19.01.2026",
  "\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "19.01.2026",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2026-00546",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2025-55131",
  "\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
  "\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
  "\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "Node.js",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": null,
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b Node.js, \u0441\u0432\u044f\u0437\u0430\u043d\u043d\u0430\u044f \u0441 \u043e\u0448\u0438\u0431\u043a\u0430\u043c\u0438 \u043c\u0435\u0436\u0433\u0440\u0430\u043d\u0438\u0447\u043d\u043e\u0433\u043e \u0443\u0434\u0430\u043b\u0435\u043d\u0438\u044f \u043a\u0440\u0438\u0442\u0438\u0447\u043d\u044b\u0445 \u0434\u0430\u043d\u043d\u044b\u0445, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u043e\u043a\u0430\u0437\u0430\u0442\u044c \u0432\u043e\u0437\u0434\u0435\u0439\u0441\u0442\u0432\u0438\u0435 \u043d\u0430 \u043a\u043e\u043d\u0444\u0438\u0434\u0435\u043d\u0446\u0438\u0430\u043b\u044c\u043d\u043e\u0441\u0442\u044c \u0438 \u0446\u0435\u043b\u043e\u0441\u0442\u043d\u043e\u0441\u0442\u044c \u0437\u0430\u0449\u0438\u0449\u0430\u0435\u043c\u043e\u0439 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438",
  "\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u043a\u0440\u0438\u0442\u0438\u0447\u043d\u043e\u0439 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438 \u0432 \u0438\u0442\u043e\u0433\u043e\u0432\u043e\u0439 \u0432\u0435\u0440\u0441\u0438\u0438 \u041f\u041e (CWE-226)",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b Node.js \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043e\u0448\u0438\u0431\u043a\u0430\u043c\u0438 \u043c\u0435\u0436\u0433\u0440\u0430\u043d\u0438\u0447\u043d\u043e\u0433\u043e \u0443\u0434\u0430\u043b\u0435\u043d\u0438\u044f \u043a\u0440\u0438\u0442\u0438\u0447\u043d\u044b\u0445 \u0434\u0430\u043d\u043d\u044b\u0445. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e, \u043e\u043a\u0430\u0437\u0430\u0442\u044c \u0432\u043e\u0437\u0434\u0435\u0439\u0441\u0442\u0432\u0438\u0435 \u043d\u0430 \u043a\u043e\u043d\u0444\u0438\u0434\u0435\u043d\u0446\u0438\u0430\u043b\u044c\u043d\u043e\u0441\u0442\u044c \u0438 \u0446\u0435\u043b\u043e\u0441\u0442\u043d\u043e\u0441\u0442\u044c \u0437\u0430\u0449\u0438\u0449\u0430\u0435\u043c\u043e\u0439 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438",
  "\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
  "\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
  "\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041d\u0435\u0441\u0430\u043d\u043a\u0446\u0438\u043e\u043d\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0439 \u0441\u0431\u043e\u0440 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438",
  "\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://nodejs.org/en/blog/release/v24.13.0\nhttps://www.tenable.com/cve/CVE-2025-55131",
  "\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
  "\u0422\u0438\u043f \u041f\u041e": "\u0421\u0435\u0442\u0435\u0432\u043e\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0435 \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e",
  "\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-226",
  "\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 7,6)\n\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.1 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 8,1)"
}

bit-node-2025-55131

Vulnerability from bitnami_vulndb

Published

2026-01-26 14:47

Modified

2026-01-26 15:09

Summary

Details

A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the vm module with the timeout option. Under specific timing conditions, buffers allocated with Buffer.alloc and other TypedArray instances like Uint8Array may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption. While exploitation typically requires precise timing or in-process code execution, it can become remotely exploitable when untrusted input influences workload and timeouts, leading to potential confidentiality and integrity impact.

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Bitnami",
        "name": "node",
        "purl": "pkg:bitnami/node"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "20.20.0"
            },
            {
              "introduced": "21.0.0"
            },
            {
              "fixed": "22.22.0"
            },
            {
              "introduced": "23.0.0"
            },
            {
              "fixed": "24.13.0"
            },
            {
              "introduced": "25.0.0"
            },
            {
              "fixed": "25.3.0"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "severity": [
        {
          "score": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L",
          "type": "CVSS_V3"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-55131"
  ],
  "database_specific": {
    "cpes": [
      "cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*"
    ],
    "severity": "High"
  },
  "details": "A flaw in Node.js\u0027s buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption. While exploitation typically requires precise timing or in-process code execution, it can become remotely exploitable when untrusted input influences workload and timeouts, leading to potential confidentiality and integrity impact.",
  "id": "BIT-node-2025-55131",
  "modified": "2026-01-26T15:09:56.435Z",
  "published": "2026-01-26T14:47:51.686Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55131"
    }
  ],
  "schema_version": "1.6.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-55131 (GCVE-0-2025-55131)

Vulnerability from osv_almalinux

Vulnerability from osv_almalinux

Vulnerability from osv_almalinux

Vulnerability from osv_almalinux

Vulnerability from osv_almalinux

Vulnerability from osv_almalinux

Vulnerability from osv_almalinux

Vulnerability from osv_almalinux

Vulnerability from bitnami_vulndb

Tags

Sightings

Nomenclature