SUSE-SU-2026:1299-1
Vulnerability from csaf_suse - Published: 2026-04-13 15:54 - Updated: 2026-04-13 15:54Summary
Security update for nodejs24
Severity
Important
Notes
Title of the patch: Security update for nodejs24
Description of the patch: This update for nodejs24 fixes the following issues:
- Update to 24.14.1
- CVE-2026-21637: synchronous exceptions thrown during certain callbacks bypass the standard TLS error handling paths and can cause a denial of service (bsc#1256576).
- CVE-2026-21710: uncaught TypeError exception can cause a denial of service (bsc#1260455).
- CVE-2026-21712: malformed URL format can lead to a crash (bsc#1260460).
- CVE-2026-21713: timing side-channel in HMAC verification via memcmp can lead to potential MAC forgery (bsc#1260463).
- CVE-2026-21714: WINDOW_UPDATE frames on stream 0 can lead to memory leak (bsc#1260480).
- CVE-2026-21715: permission model bypass in realpathSync.native can allow file existence disclosure (bsc#1260482).
- CVE-2026-21716: promise-based FileHandle methods can be used to modify file permissions and ownership (bsc#1260462).
- CVE-2026-21717: crafted request can lead to trivially predictable hash collisions (bsc#1260494).
Patchnames: SUSE-2026-1299,SUSE-SLE-Module-Web-Scripting-15-SP7-2026-1299
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
5.3 (Medium)
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
5.3 (Medium)
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
7.5 (High)
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
6.5 (Medium)
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
5.6 (Medium)
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
5.9 (Medium)
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
4.4 (Medium)
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
6.3 (Medium)
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
References
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for nodejs24",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for nodejs24 fixes the following issues:\n\n- Update to 24.14.1\n- CVE-2026-21637: synchronous exceptions thrown during certain callbacks bypass the standard TLS error handling paths and can cause a denial of service (bsc#1256576).\n- CVE-2026-21710: uncaught TypeError exception can cause a denial of service (bsc#1260455).\n- CVE-2026-21712: malformed URL format can lead to a crash (bsc#1260460).\n- CVE-2026-21713: timing side-channel in HMAC verification via memcmp can lead to potential MAC forgery (bsc#1260463).\n- CVE-2026-21714: WINDOW_UPDATE frames on stream 0 can lead to memory leak (bsc#1260480).\n- CVE-2026-21715: permission model bypass in realpathSync.native can allow file existence disclosure (bsc#1260482).\n- CVE-2026-21716: promise-based FileHandle methods can be used to modify file permissions and ownership (bsc#1260462).\n- CVE-2026-21717: crafted request can lead to trivially predictable hash collisions (bsc#1260494).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2026-1299,SUSE-SLE-Module-Web-Scripting-15-SP7-2026-1299",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_1299-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:1299-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20261299-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:1299-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2026-April/045503.html"
},
{
"category": "self",
"summary": "SUSE Bug 1256572",
"url": "https://bugzilla.suse.com/1256572"
},
{
"category": "self",
"summary": "SUSE Bug 1256576",
"url": "https://bugzilla.suse.com/1256576"
},
{
"category": "self",
"summary": "SUSE Bug 1260455",
"url": "https://bugzilla.suse.com/1260455"
},
{
"category": "self",
"summary": "SUSE Bug 1260460",
"url": "https://bugzilla.suse.com/1260460"
},
{
"category": "self",
"summary": "SUSE Bug 1260462",
"url": "https://bugzilla.suse.com/1260462"
},
{
"category": "self",
"summary": "SUSE Bug 1260463",
"url": "https://bugzilla.suse.com/1260463"
},
{
"category": "self",
"summary": "SUSE Bug 1260480",
"url": "https://bugzilla.suse.com/1260480"
},
{
"category": "self",
"summary": "SUSE Bug 1260482",
"url": "https://bugzilla.suse.com/1260482"
},
{
"category": "self",
"summary": "SUSE Bug 1260494",
"url": "https://bugzilla.suse.com/1260494"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-59464 page",
"url": "https://www.suse.com/security/cve/CVE-2025-59464/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-21637 page",
"url": "https://www.suse.com/security/cve/CVE-2026-21637/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-21710 page",
"url": "https://www.suse.com/security/cve/CVE-2026-21710/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-21712 page",
"url": "https://www.suse.com/security/cve/CVE-2026-21712/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-21713 page",
"url": "https://www.suse.com/security/cve/CVE-2026-21713/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-21714 page",
"url": "https://www.suse.com/security/cve/CVE-2026-21714/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-21715 page",
"url": "https://www.suse.com/security/cve/CVE-2026-21715/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-21716 page",
"url": "https://www.suse.com/security/cve/CVE-2026-21716/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-21717 page",
"url": "https://www.suse.com/security/cve/CVE-2026-21717/"
}
],
"title": "Security update for nodejs24",
"tracking": {
"current_release_date": "2026-04-13T15:54:45Z",
"generator": {
"date": "2026-04-13T15:54:45Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:1299-1",
"initial_release_date": "2026-04-13T15:54:45Z",
"revision_history": [
{
"date": "2026-04-13T15:54:45Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "corepack24-24.14.1-150700.15.8.1.aarch64",
"product": {
"name": "corepack24-24.14.1-150700.15.8.1.aarch64",
"product_id": "corepack24-24.14.1-150700.15.8.1.aarch64"
}
},
{
"category": "product_version",
"name": "nodejs24-24.14.1-150700.15.8.1.aarch64",
"product": {
"name": "nodejs24-24.14.1-150700.15.8.1.aarch64",
"product_id": "nodejs24-24.14.1-150700.15.8.1.aarch64"
}
},
{
"category": "product_version",
"name": "nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"product": {
"name": "nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"product_id": "nodejs24-devel-24.14.1-150700.15.8.1.aarch64"
}
},
{
"category": "product_version",
"name": "npm24-24.14.1-150700.15.8.1.aarch64",
"product": {
"name": "npm24-24.14.1-150700.15.8.1.aarch64",
"product_id": "npm24-24.14.1-150700.15.8.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "corepack24-24.14.1-150700.15.8.1.i586",
"product": {
"name": "corepack24-24.14.1-150700.15.8.1.i586",
"product_id": "corepack24-24.14.1-150700.15.8.1.i586"
}
},
{
"category": "product_version",
"name": "nodejs24-24.14.1-150700.15.8.1.i586",
"product": {
"name": "nodejs24-24.14.1-150700.15.8.1.i586",
"product_id": "nodejs24-24.14.1-150700.15.8.1.i586"
}
},
{
"category": "product_version",
"name": "nodejs24-devel-24.14.1-150700.15.8.1.i586",
"product": {
"name": "nodejs24-devel-24.14.1-150700.15.8.1.i586",
"product_id": "nodejs24-devel-24.14.1-150700.15.8.1.i586"
}
},
{
"category": "product_version",
"name": "npm24-24.14.1-150700.15.8.1.i586",
"product": {
"name": "npm24-24.14.1-150700.15.8.1.i586",
"product_id": "npm24-24.14.1-150700.15.8.1.i586"
}
}
],
"category": "architecture",
"name": "i586"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"product": {
"name": "nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"product_id": "nodejs24-docs-24.14.1-150700.15.8.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "corepack24-24.14.1-150700.15.8.1.ppc64le",
"product": {
"name": "corepack24-24.14.1-150700.15.8.1.ppc64le",
"product_id": "corepack24-24.14.1-150700.15.8.1.ppc64le"
}
},
{
"category": "product_version",
"name": "nodejs24-24.14.1-150700.15.8.1.ppc64le",
"product": {
"name": "nodejs24-24.14.1-150700.15.8.1.ppc64le",
"product_id": "nodejs24-24.14.1-150700.15.8.1.ppc64le"
}
},
{
"category": "product_version",
"name": "nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"product": {
"name": "nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"product_id": "nodejs24-devel-24.14.1-150700.15.8.1.ppc64le"
}
},
{
"category": "product_version",
"name": "npm24-24.14.1-150700.15.8.1.ppc64le",
"product": {
"name": "npm24-24.14.1-150700.15.8.1.ppc64le",
"product_id": "npm24-24.14.1-150700.15.8.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "corepack24-24.14.1-150700.15.8.1.s390x",
"product": {
"name": "corepack24-24.14.1-150700.15.8.1.s390x",
"product_id": "corepack24-24.14.1-150700.15.8.1.s390x"
}
},
{
"category": "product_version",
"name": "nodejs24-24.14.1-150700.15.8.1.s390x",
"product": {
"name": "nodejs24-24.14.1-150700.15.8.1.s390x",
"product_id": "nodejs24-24.14.1-150700.15.8.1.s390x"
}
},
{
"category": "product_version",
"name": "nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"product": {
"name": "nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"product_id": "nodejs24-devel-24.14.1-150700.15.8.1.s390x"
}
},
{
"category": "product_version",
"name": "npm24-24.14.1-150700.15.8.1.s390x",
"product": {
"name": "npm24-24.14.1-150700.15.8.1.s390x",
"product_id": "npm24-24.14.1-150700.15.8.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "corepack24-24.14.1-150700.15.8.1.x86_64",
"product": {
"name": "corepack24-24.14.1-150700.15.8.1.x86_64",
"product_id": "corepack24-24.14.1-150700.15.8.1.x86_64"
}
},
{
"category": "product_version",
"name": "nodejs24-24.14.1-150700.15.8.1.x86_64",
"product": {
"name": "nodejs24-24.14.1-150700.15.8.1.x86_64",
"product_id": "nodejs24-24.14.1-150700.15.8.1.x86_64"
}
},
{
"category": "product_version",
"name": "nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"product": {
"name": "nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"product_id": "nodejs24-devel-24.14.1-150700.15.8.1.x86_64"
}
},
{
"category": "product_version",
"name": "npm24-24.14.1-150700.15.8.1.x86_64",
"product": {
"name": "npm24-24.14.1-150700.15.8.1.x86_64",
"product_id": "npm24-24.14.1-150700.15.8.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7",
"product": {
"name": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-web-scripting:15:sp7"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-24.14.1-150700.15.8.1.aarch64 as component of SUSE Linux Enterprise Module for Web and Scripting 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64"
},
"product_reference": "nodejs24-24.14.1-150700.15.8.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-24.14.1-150700.15.8.1.ppc64le as component of SUSE Linux Enterprise Module for Web and Scripting 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le"
},
"product_reference": "nodejs24-24.14.1-150700.15.8.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-24.14.1-150700.15.8.1.s390x as component of SUSE Linux Enterprise Module for Web and Scripting 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x"
},
"product_reference": "nodejs24-24.14.1-150700.15.8.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-24.14.1-150700.15.8.1.x86_64 as component of SUSE Linux Enterprise Module for Web and Scripting 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64"
},
"product_reference": "nodejs24-24.14.1-150700.15.8.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-devel-24.14.1-150700.15.8.1.aarch64 as component of SUSE Linux Enterprise Module for Web and Scripting 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64"
},
"product_reference": "nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-devel-24.14.1-150700.15.8.1.ppc64le as component of SUSE Linux Enterprise Module for Web and Scripting 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le"
},
"product_reference": "nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-devel-24.14.1-150700.15.8.1.s390x as component of SUSE Linux Enterprise Module for Web and Scripting 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x"
},
"product_reference": "nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-devel-24.14.1-150700.15.8.1.x86_64 as component of SUSE Linux Enterprise Module for Web and Scripting 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64"
},
"product_reference": "nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-docs-24.14.1-150700.15.8.1.noarch as component of SUSE Linux Enterprise Module for Web and Scripting 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch"
},
"product_reference": "nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm24-24.14.1-150700.15.8.1.aarch64 as component of SUSE Linux Enterprise Module for Web and Scripting 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64"
},
"product_reference": "npm24-24.14.1-150700.15.8.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm24-24.14.1-150700.15.8.1.ppc64le as component of SUSE Linux Enterprise Module for Web and Scripting 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le"
},
"product_reference": "npm24-24.14.1-150700.15.8.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm24-24.14.1-150700.15.8.1.s390x as component of SUSE Linux Enterprise Module for Web and Scripting 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x"
},
"product_reference": "npm24-24.14.1-150700.15.8.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm24-24.14.1-150700.15.8.1.x86_64 as component of SUSE Linux Enterprise Module for Web and Scripting 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
},
"product_reference": "npm24-24.14.1-150700.15.8.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-59464",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-59464"
}
],
"notes": [
{
"category": "general",
"text": "A memory leak in Node.js\u0027s OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. When applications call `socket.getPeerCertificate(true)`, each certificate field leaks memory, allowing remote clients to trigger steady memory growth through repeated TLS connections. Over time this can lead to resource exhaustion and denial of service.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-59464",
"url": "https://www.suse.com/security/cve/CVE-2025-59464"
},
{
"category": "external",
"summary": "SUSE Bug 1256572 for CVE-2025-59464",
"url": "https://bugzilla.suse.com/1256572"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-13T15:54:45Z",
"details": "moderate"
}
],
"title": "CVE-2025-59464"
},
{
"cve": "CVE-2026-21637",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-21637"
}
],
"notes": [
{
"category": "general",
"text": "A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across Node.js versions where these callbacks throw without being safely wrapped.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-21637",
"url": "https://www.suse.com/security/cve/CVE-2026-21637"
},
{
"category": "external",
"summary": "SUSE Bug 1256576 for CVE-2026-21637",
"url": "https://bugzilla.suse.com/1256576"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-13T15:54:45Z",
"details": "moderate"
}
],
"title": "CVE-2026-21637"
},
{
"cve": "CVE-2026-21710",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-21710"
}
],
"notes": [
{
"category": "general",
"text": "A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`.\r\n\r\nWhen this occurs, `dest[\"__proto__\"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by `error` event listeners, meaning it cannot be handled without wrapping every `req.headersDistinct` access in a `try/catch`.\r\n\r\n* This vulnerability affects all Node.js HTTP servers on **20.x, 22.x, 24.x, and v25.x**",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-21710",
"url": "https://www.suse.com/security/cve/CVE-2026-21710"
},
{
"category": "external",
"summary": "SUSE Bug 1260455 for CVE-2026-21710",
"url": "https://bugzilla.suse.com/1260455"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-13T15:54:45Z",
"details": "important"
}
],
"title": "CVE-2026-21710"
},
{
"cve": "CVE-2026-21712",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-21712"
}
],
"notes": [
{
"category": "general",
"text": "A flaw in Node.js URL processing causes an assertion failure in native code when `url.format()` is called with a malformed internationalized domain name (IDN) containing invalid characters, crashing the Node.js process.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-21712",
"url": "https://www.suse.com/security/cve/CVE-2026-21712"
},
{
"category": "external",
"summary": "SUSE Bug 1260460 for CVE-2026-21712",
"url": "https://bugzilla.suse.com/1260460"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-13T15:54:45Z",
"details": "moderate"
}
],
"title": "CVE-2026-21712"
},
{
"cve": "CVE-2026-21713",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-21713"
}
],
"notes": [
{
"category": "general",
"text": "A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possible, this behavior could be exploited as a timing oracle to infer HMAC values.\r\n\r\nNode.js already provides timing-safe comparison primitives used elsewhere in the codebase, indicating this is an oversight rather than an intentional design decision.\r\n\r\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x**.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-21713",
"url": "https://www.suse.com/security/cve/CVE-2026-21713"
},
{
"category": "external",
"summary": "SUSE Bug 1260463 for CVE-2026-21713",
"url": "https://bugzilla.suse.com/1260463"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-13T15:54:45Z",
"details": "moderate"
}
],
"title": "CVE-2026-21713"
},
{
"cve": "CVE-2026-21714",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-21714"
}
],
"notes": [
{
"category": "general",
"text": "A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up.\r\n\r\nThis vulnerability affects HTTP2 users on Node.js 20, 22, 24 and 25.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-21714",
"url": "https://www.suse.com/security/cve/CVE-2026-21714"
},
{
"category": "external",
"summary": "SUSE Bug 1260480 for CVE-2026-21714",
"url": "https://bugzilla.suse.com/1260480"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-13T15:54:45Z",
"details": "moderate"
}
],
"title": "CVE-2026-21714"
},
{
"cve": "CVE-2026-21715",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-21715"
}
],
"notes": [
{
"category": "general",
"text": "A flaw in Node.js Permission Model filesystem enforcement leaves `fs.realpathSync.native()` without the required read permission checks, while all comparable filesystem functions correctly enforce them.\r\n\r\nAs a result, code running under `--permission` with restricted `--allow-fs-read` can still use `fs.realpathSync.native()` to check file existence, resolve symlink targets, and enumerate filesystem paths outside of permitted directories.\r\n\r\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-read` is intentionally restricted.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-21715",
"url": "https://www.suse.com/security/cve/CVE-2026-21715"
},
{
"category": "external",
"summary": "SUSE Bug 1260482 for CVE-2026-21715",
"url": "https://bugzilla.suse.com/1260482"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-13T15:54:45Z",
"details": "low"
}
],
"title": "CVE-2026-21715"
},
{
"cve": "CVE-2026-21716",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-21716"
}
],
"notes": [
{
"category": "general",
"text": "An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and `FileHandle.chown()` in the promises API without the required permission checks, while their callback-based equivalents (`fs.fchmod()`, `fs.fchown()`) were correctly patched.\r\n\r\nAs a result, code running under `--permission` with restricted `--allow-fs-write` can still use promise-based `FileHandle` methods to modify file permissions and ownership on already-open file descriptors, bypassing the intended write restrictions.\r\n\r\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-write` is intentionally restricted.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-21716",
"url": "https://www.suse.com/security/cve/CVE-2026-21716"
},
{
"category": "external",
"summary": "SUSE Bug 1260462 for CVE-2026-21716",
"url": "https://bugzilla.suse.com/1260462"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-13T15:54:45Z",
"details": "moderate"
}
],
"title": "CVE-2026-21716"
},
{
"cve": "CVE-2026-21717",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-21717"
}
],
"notes": [
{
"category": "general",
"text": "A flaw in V8\u0027s string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8\u0027s internal string table, an attacker can significantly degrade performance of the Node.js process.\r\n\r\nThe most common trigger is any endpoint that calls `JSON.parse()` on attacker-controlled input, as JSON parsing automatically internalizes short strings into the affected hash table.\r\n\r\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x**.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-21717",
"url": "https://www.suse.com/security/cve/CVE-2026-21717"
},
{
"category": "external",
"summary": "SUSE Bug 1260494 for CVE-2026-21717",
"url": "https://bugzilla.suse.com/1260494"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-devel-24.14.1-150700.15.8.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs24-docs-24.14.1-150700.15.8.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm24-24.14.1-150700.15.8.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-13T15:54:45Z",
"details": "moderate"
}
],
"title": "CVE-2026-21717"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…