File _patchinfo of Package patchinfo.42547

<patchinfo incident="42547">
  <issue tracker="bnc" id="1256569">VUL-0: CVE-2025-55130: nodejs10,nodejs12,nodejs14,nodejs16,nodejs18,nodejs20,nodejs22,nodejs8: file system permissions bypass via crafted symlinks</issue>
  <issue tracker="bnc" id="1256574">VUL-0: CVE-2025-59466: nodejs10,nodejs12,nodejs14,nodejs16,nodejs18,nodejs20,nodejs22,nodejs8: uncatchable "Maximum call stack size exceeded" error when `async_hooks.createHook()` is enabled can lead to crash</issue>
  <issue tracker="bnc" id="1256573">VUL-0: CVE-2025-59465: nodejs10,nodejs12,nodejs14,nodejs16,nodejs18,nodejs20,nodejs22,nodejs8: malformed HTTP/2 HEADERS frame with invalid HPACK data can cause a crash due to an unhandled error</issue>
  <issue tracker="bnc" id="1256576">VUL-0: CVE-2026-21637: nodejs10,nodejs12,nodejs14,nodejs16,nodejs18,nodejs20,nodejs22,nodejs8: synchronous exceptions thrown during certain callbacks bypass the standard TLS error handling paths and can cause a denial of service</issue>
  <issue tracker="bnc" id="1256571">VUL-0: CVE-2025-55132: nodejs10,nodejs12,nodejs14,nodejs16,nodejs18,nodejs20,nodejs22,nodejs8: a file's access and modification timestamps can be changed via `futimes()` even when the process has only read permissions</issue>
  <issue tracker="bnc" id="1256570">VUL-0: CVE-2025-55131: nodejs10,nodejs12,nodejs14,nodejs16,nodejs18,nodejs20,nodejs22,nodejs8: timeout-based race conditions allow for allocations that contain leftover data from previous operations and lead to exposure of in-process secrets</issue>
  <issue tracker="bnc" id="1256848">VUL-0: CVE-2026-22036: nodejs16,nodejs18,nodejs22: undici: unbounded decompression chain in HTTP responses via Content-Encoding may lead to resource exhaustion</issue>
  <issue tracker="cve" id="2026-22036"/>
  <issue tracker="cve" id="2025-59466"/>
  <issue tracker="cve" id="2025-55131"/>
  <issue tracker="cve" id="2025-55130"/>
  <issue tracker="cve" id="2025-55132"/>
  <issue tracker="cve" id="2026-21637"/>
  <issue tracker="cve" id="2025-59465"/>
  <packager>adamm</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for nodejs20</summary>
  <description>This update for nodejs20 fixes the following issues:

- Update to 20.20.0:
- CVE-2026-22036: Updated undici to 6.23.0 (bsc#1256848)
- CVE-2025-59465: Add TLSSocket default error handler (bsc#1256573)
- CVE-2025-55132: Disable futimes when permission model is enabled (bsc#1256571)
- CVE-2025-55130: Require full read and write to symlink APIs (bsc#1256569)
- CVE-2025-59466: Rethrow stack overflow exceptions in async_hooks (bsc#1256574)
- CVE-2025-55131: Refactor unsafe buffer creation to remove zero-fill toggle (bsc#1256570)
- CVE-2026-21637: Route callback exceptions through error handlers (bsc#1256576)
</description>
</patchinfo>