Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

suse-cvrf логотип

SUSE-SU-2025:01879-1

Опубликовано: 11 июн. 2025
Источник: suse-cvrf

Описание

Security update for nodejs22

This update for nodejs22 fixes the following issues:

Update to version 22.15.1.

Security issues fixed:

  • CVE-2025-23166: remotely triggerable process crash due to improper error handling in async cryptographic operations (bsc#1243218).
  • CVE-2025-23165: memory leak and unbounded memory growth due to corrupted pointer in node::fs::ReadFileUtf8(const FunctionCallbackInfo<Value>& args) when args[0] is a string (bsc#1243217).

Other changes and issues fixed:

  • Changes from version 22.15.0

    • dns: add TLSA record query and parsing
    • assert: improve partialDeepStrictEqual
    • process: add execve
    • tls: implement tls.getCACertificates()
    • v8: add v8.getCppHeapStatistics() method

  • Changes from version 22.14.0

    • fs: allow exclude option in globs to accept glob patterns
    • lib: add typescript support to STDIN eval
    • module: add ERR_UNSUPPORTED_TYPESCRIPT_SYNTAX
    • module: add findPackageJSON util
    • process: add process.ref() and process.unref() methods
    • sqlite: support TypedArray and DataView in StatementSync
    • src: add --disable-sigusr1 to prevent signal i/o thread
    • src,worker: add isInternalWorker
    • test_runner: add TestContext.prototype.waitFor()
    • test_runner: add t.assert.fileSnapshot()
    • test_runner: add assert.register() API
    • worker: add eval ts input

  • Build with PIE (bsc#1239949).

  • Fix builds with OpenSSL 3.5.0 (bsc#1241050).

Список пакетов

SUSE Linux Enterprise Module for Web and Scripting 15 SP7
nodejs22-22.15.1-150700.3.3.1
nodejs22-devel-22.15.1-150700.3.3.1
nodejs22-docs-22.15.1-150700.3.3.1
npm22-22.15.1-150700.3.3.1

Ссылки

Описание

In Node.js, the `ReadFileUtf8` internal binding leaks memory due to a corrupted pointer in `uv_fs_s.file`: a UTF-16 path buffer is allocated but subsequently overwritten when the file descriptor is set. This results in an unrecoverable memory leak on every call. Repeated use can cause unbounded memory growth, leading to a denial of service. Impact: * This vulnerability affects APIs relying on `ReadFileUtf8` on Node.js release lines: v20 and v22.

Затронутые продукты
SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs22-22.15.1-150700.3.3.1
SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs22-devel-22.15.1-150700.3.3.1
SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs22-docs-22.15.1-150700.3.3.1
SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm22-22.15.1-150700.3.3.1
Ссылки

Описание

The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentially allows an adversary to remotely crash a Node.js runtime.

Затронутые продукты
SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs22-22.15.1-150700.3.3.1
SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs22-devel-22.15.1-150700.3.3.1
SUSE Linux Enterprise Module for Web and Scripting 15 SP7:nodejs22-docs-22.15.1-150700.3.3.1
SUSE Linux Enterprise Module for Web and Scripting 15 SP7:npm22-22.15.1-150700.3.3.1
Ссылки
Уязвимость SUSE-SU-2025:01879-1