SB2026041717 - openEuler 24.03 LTS SP2 update for nodejs
Published: April 17, 2026
Description
This security bulletin contains information about 8 security vulnerabilities.
1) Link following (CVE-ID: CVE-2025-55130)
The vulnerability allows a local user to read or modify arbitrary files outside the intended allowed path.
The vulnerability exists due to improper access control in the permission model path restriction handling when processing crafted relative symlink paths. A local user can chain directories and symlinks to read or modify arbitrary files outside the intended allowed path.
The issue affects use of the permission model with --allow-fs-read or --allow-fs-write restrictions.
2) Race condition (CVE-ID: CVE-2025-55131)
The vulnerability allows a remote user to disclose sensitive information or corrupt data.
The vulnerability exists due to a race condition in buffer allocation logic when using the vm module with the timeout option. A remote user can influence workload and timeout behavior to disclose sensitive information or corrupt data.
Exploitation typically requires precise timing or in-process code execution.
3) Improper access control (CVE-ID: CVE-2025-55132)
The vulnerability allows a local user to modify file timestamps.
The vulnerability exists due to improper access control in fs.futimes() when changing file timestamps without expected write-permission checks. A local user can call futimes() to modify file timestamps.
This can reduce the reliability of logs by obscuring activity in read-only directories.
4) Uncaught Exception (CVE-ID: CVE-2025-59465)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper error handling in the HTTP/2 server when receiving a malformed HEADERS frame with oversized invalid HPACK data. A remote attacker can send a specially crafted HTTP/2 HEADERS frame to cause a denial of service.
This primarily affects applications that do not attach explicit error handlers to secure sockets.
5) Uncaught Exception (CVE-ID: CVE-2025-59466)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper error handling in async_hooks when deep recursion occurs with async_hooks.createHook() enabled. A remote attacker can trigger deep recursion to cause a denial of service.
Applications using AsyncLocalStorage or async_hooks.createHook() are affected under specific conditions.
6) Path manipulation (CVE-ID: CVE-2026-21637)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper error handling in _tls_wrap.js when processing TLS SNI handshake requests. A remote attacker can send a specially crafted request with unexpected servername input to cause an uncaught exception, crashing the Node.js process.
Exploitation occurs during TLS handshake when SNICallback is configured and throws synchronously.
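As an added example that is not part of this bulletin or of the Node.js project, the following wrapper hardens an application-written SNI lookup against the failure mode described in item 6: any synchronous throw (or rejected promise) from the lookup is routed to the handshake callback as an error, so only that handshake fails instead of the whole process. The names safeSNICallback, isValidServername and lookup are assumptions.

```javascript
'use strict';
// Added example (not from the bulletin or the Node.js project): a defensive
// wrapper around an application-written SNI lookup. Per item 6, a servername
// that makes SNICallback throw synchronously becomes an uncaught exception;
// here every throw or rejection is routed to the handshake callback instead.
// safeSNICallback and isValidServername are hypothetical names.

// RFC 1123-style hostname check used to reject clearly malformed servername
// values before any lookup code runs (each label 1-63 chars, total <= 253).
const HOSTNAME_RE =
  /^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/i;

function isValidServername(name) {
  return typeof name === 'string' && HOSTNAME_RE.test(name);
}

// lookup(servername) may return a SecureContext directly or a promise of one.
// The returned function has the (servername, cb) shape tls.createServer
// expects for the SNICallback option, and invokes cb exactly once.
function safeSNICallback(lookup) {
  return function sniCallback(servername, cb) {
    let done = false;
    const finish = (err, ctx) => {
      if (done) return; // guard against double completion
      done = true;
      if (err) cb(err instanceof Error ? err : new Error(String(err)));
      else cb(null, ctx);
    };
    if (!isValidServername(servername)) {
      return finish(new Error('rejected malformed SNI servername'));
    }
    let result;
    try {
      result = lookup(servername); // synchronous throw is caught here
    } catch (err) {
      return finish(err || new Error('SNI lookup threw'));
    }
    if (result && typeof result.then === 'function') {
      result.then(
        (ctx) => finish(null, ctx),
        (err) => finish(err || new Error('SNI lookup rejected')),
      );
    } else {
      finish(null, result);
    }
  };
}
// Usage (constructed): tls.createServer({ ...certOptions, SNICallback: safeSNICallback(lookup) });
// pair it with server.on('tlsClientError', log) so rejected handshakes stay visible.
```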
7) Memory leak (CVE-ID: CVE-2025-59464)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a memory leak in OpenSSL integration when converting X.509 certificate fields to UTF-8 during processing of TLS client certificates. A remote attacker can establish repeated TLS connections to cause a denial of service.
The issue is triggered when applications call socket.getPeerCertificate(true).
8) Improper access control (CVE-ID: CVE-2026-21636)
The vulnerability allows a local user to access privileged local services.
The vulnerability exists due to improper access control in the permission model when handling Unix Domain Socket connections without network permission checks. A local user can supply a crafted URL or socketPath to access privileged local services.
The issue affects net, tls, and undici/fetch when the permission model is enabled, and network permissions were experimental at the time.
Remediation
Install the update from the vendor's website.