Description
ELSA-2026-1842: nodejs24 security update (IMPORTANT)
[1:24.13.0-1.0.1]
- Update upstream references
[1:24.13.0-1]
- Update to 24.13.0
[1:24.11.1-2]
- makefile: change package manager to RH one
Updated packages
Oracle Linux 10
Oracle Linux aarch64
nodejs24            24.13.0-1.0.1.el10_1
nodejs24-devel      24.13.0-1.0.1.el10_1
nodejs24-docs       24.13.0-1.0.1.el10_1
nodejs24-full-i18n  24.13.0-1.0.1.el10_1
nodejs24-libs       24.13.0-1.0.1.el10_1
nodejs24-npm        11.6.2-1.24.13.0.1.0.1.el10_1
Oracle Linux x86_64
nodejs24            24.13.0-1.0.1.el10_1
nodejs24-devel      24.13.0-1.0.1.el10_1
nodejs24-docs       24.13.0-1.0.1.el10_1
nodejs24-full-i18n  24.13.0-1.0.1.el10_1
nodejs24-libs       24.13.0-1.0.1.el10_1
nodejs24-npm        11.6.2-1.24.13.0.1.0.1.el10_1
Source references
Related vulnerabilities
A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write, leading to potential system compromise. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.