Description
ELSA-2026-1843: nodejs22 security update (IMPORTANT)
[1:22.22.0-3]
- Bump release to get correct RHEL build
[1:22.22.0-2]
- Filter for nodejs22.fmf in gating plan
[1:22.22.0-1]
- Update to 22.22.0
[1:22.19.0-3]
- Unit-tests adjustment - disable internet/test-dgram-membership
Updated packages
Oracle Linux 10
Oracle Linux aarch64
nodejs            22.22.0-3.el10_1
nodejs-devel      22.22.0-3.el10_1
nodejs-docs       22.22.0-3.el10_1
nodejs-full-i18n  22.22.0-3.el10_1
nodejs-libs       22.22.0-3.el10_1
nodejs-npm        10.9.4-1.22.22.0.3.el10_1
Oracle Linux x86_64
nodejs            22.22.0-3.el10_1
nodejs-devel      22.22.0-3.el10_1
nodejs-docs       22.22.0-3.el10_1
nodejs-full-i18n  22.22.0-3.el10_1
nodejs-libs       22.22.0-3.el10_1
nodejs-npm        10.9.4-1.22.22.0.3.el10_1
References
Related vulnerabilities
A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write, leading to potential system compromise. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.
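For a directory that is about to be passed to `--allow-fs-read` or `--allow-fs-write`, the following added example (not code from the advisory or from the Node.js project) lists every symlink whose fully resolved target lies outside that directory, so such links can be reviewed or removed alongside installing the fixed packages. The function names and the sample tree are assumptions constructed for illustration.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// True when target is root itself or lies beneath it.
function isInside(root, target) {
  const rel = path.relative(root, target);
  return rel === '' || !(rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel));
}

// Walk allowedRoot without following links; report each symlink whose fully
// resolved target is outside the root, or that cannot be resolved at all.
function findEscapingSymlinks(allowedRoot) {
  const root = fs.realpathSync(allowedRoot);
  const findings = [];
  const stack = [root];
  while (stack.length > 0) {
    const dir = stack.pop();
    for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
      const full = path.join(dir, entry.name);
      if (entry.isDirectory()) { stack.push(full); continue; }
      if (!entry.isSymbolicLink()) continue;
      const link = path.relative(root, full);
      try {
        const resolved = fs.realpathSync(full); // follows chained links to the end
        if (!isInside(root, resolved)) findings.push({ link, resolved });
      } catch (err) {
        findings.push({ link, resolved: null, error: err.code }); // dangling or looping link
      }
    }
  }
  return findings.sort((a, b) => a.link.localeCompare(b.link));
}

// Constructed sample tree (not from the advisory): one link that stays inside
// the granted directory, one relative link that climbs out, one chained link.
function buildSampleTree() {
  const base = fs.realpathSync(fs.mkdtempSync(path.join(os.tmpdir(), 'perm-audit-')));
  const work = path.join(base, 'work');
  fs.mkdirSync(path.join(work, 'a', 'b'), { recursive: true });
  fs.writeFileSync(path.join(base, 'outside.txt'), 'constructed\n');
  fs.writeFileSync(path.join(work, 'notes.txt'), 'constructed\n');
  fs.symlinkSync('../notes.txt', path.join(work, 'a', 'inside'));   // stays in work/
  fs.symlinkSync('../../..', path.join(work, 'a', 'b', 'up'));      // resolves to base
  fs.symlinkSync('a/b/up/outside.txt', path.join(work, 'hop'));     // chains through "up"
  return { base, work };
}

const sample = buildSampleTree();
console.log(findEscapingSymlinks(sample.work));
fs.rmSync(sample.base, { recursive: true, force: true });
```

The audit reflects the tree only at the moment it runs; a link created afterwards is not covered.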