SB2026070630 - openEuler 22.03 LTS SP4 update for nodejs
Published: July 6, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 vulnerabilities.
1) Uncaught Exception (CVE-ID: CVE-2025-59465)
CWE-ID: CWE-248 - Uncaught Exception
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper error handling in the HTTP/2 server when receiving a malformed HEADERS frame with oversized invalid HPACK data. A remote attacker can send a specially crafted HTTP/2 HEADERS frame to cause a denial of service.
This primarily affects applications that do not attach explicit error handlers to secure sockets.
2) Path manipulation (CVE-ID: CVE-2026-21637)
CWE-ID: CWE-249 - DEPRECATED: Often Misused: Path Manipulation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper error handling in _tls_wrap.js when processing TLS SNI handshake requests. A remote attacker can send a specially crafted request with unexpected servername input to cause an uncaught exception, crashing the Node.js process.
Exploitation occurs during TLS handshake when SNICallback is configured and throws synchronously.
3) Missing release of memory after effective lifetime (CVE-ID: CVE-2026-21714)
CWE-ID: CWE-401 - Missing release of memory after effective lifetime
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause resource exhaustion.
The vulnerability exists due to a memory leak in the HTTP/2 server implementation when processing WINDOW_UPDATE frames on stream 0. A remote attacker can send WINDOW_UPDATE frames that exceed the maximum flow control window, causing the Http2Session object to remain allocated despite sending a GOAWAY frame.
The server fails to clean up the Http2Session object after connection termination, leading to unbounded memory consumption.
Remediation
Install update from vendor's website.