rpms/nodejs

Fork 0

[security][CRITICAL] nodejs 24.12.0: 4 CVE require triage #2

New issue

Closed

opened 2026-04-29 04:36:56 +03:00 by sbelikov · 1 comment

sbelikov commented

2026-04-29 04:36:56 +03:00

Owner

CVE triage request / Запрос на разбор CVE

Package / Пакет

Package: nodejs
Version: 24.12.0
EVR: 24.12.0-1
Category: standard
Policy class: leaf
NiceOS policy class: -
Owner: base-team
Severity: CRITICAL
Max CVSS: 9.1
CVE count: 4

LLM recommendation / Рекомендация LLM

RU

Критические уязвимости в Node.js (v24.12.0), включая обход ограничений файловой системы (CVE-2025-55130), DoS через ошибки HTTP/2 (CVE-2025-59465), неконтролируемые краши при глубокой рекурсии (CVE-2025-59466) и проблемы обработки TLS (CVE-2026-21637).

Немедленно обновить пакет nodejs до версии, содержащей исправления для всех перечисленных CVE. До обновления проверить наличие обработчиков ошибок для secureConnection и убедиться, что приложения не используют небезопасные паттерны с async_hooks.

Рекомендуемое действие: needs_triage

Подсказка по целевой версии: -

Проверки: 1. Проверить версию установленного nodejs. 2. Попробовать воспроизвести сценарий обхода --allow-fs-read с использованием относительных ссылок. 3. Проверить стабильность сервера при нагрузке с некорректными HTTP/2 заголовками. 4. Тестирование глубокой рекурсии в коде с включенным async_hooks.createHook().

Риски: Полный компрометация системы через чтение/запись файлов вне разрешенных путей, отказ в обслуживании (DoS) веб-серверов и приложений, неконтролируемые краши процессов без возможности восстановления.

EN

Critical vulnerabilities in Node.js (v24.12.0), including filesystem permission bypass (CVE-2025-55130), HTTP/2 DoS (CVE-2025-59465), uncatchable crashes via deep recursion (CVE-2025-59466), and TLS error handling issues (CVE-2026-21637).

Immediately update the nodejs package to a version containing fixes for all listed CVEs. Prior to updating, verify that applications have explicit error handlers for secureConnection and do not use unsafe async_hooks patterns.

Recommended action: needs_triage

Target version hint: -

Tests: 1. Verify installed nodejs version. 2. Attempt to reproduce the --allow-fs-read bypass using relative symlinks. 3. Test server stability under load with malformed HTTP/2 headers. 4. Test deep recursion scenarios with async_hooks.createHook() enabled.

Risks: Full system compromise via reading/writing files outside allowed paths, Denial of Service (DoS) for web servers and applications, and uncontrolled process crashes without recovery capability.

CVE candidates from NVD/CPE

CVE	Severity	CVSS	Match	NiceOS status	Reason
CVE-2025-55130	CRITICAL	9.1	cpe-range	needs_triage	package version is inside version range
CVE-2025-59465	HIGH	7.5	cpe-range	needs_triage	package version is inside version range
CVE-2025-59466	HIGH	7.5	cpe-range	needs_triage	package version is inside version range
CVE-2026-21637	HIGH	7.5	cpe-range	needs_triage	package version is inside version range

Descriptions

CVE-2025-55130

A flaw in Node.js’s Permissions model allows attackers to bypass --allow-fs-read and --allow-fs-write restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write, leading to potential system compromise.
This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.

CVE-2025-59465

A malformed HTTP/2 HEADERS frame with oversized, invalid HPACK data can cause Node.js to crash by triggering an unhandled TLSSocket error ECONNRESET. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets, for example:

server.on('secureConnection', socket => {
  socket.on('error', err => {
    console.log(err)
  })
})

CVE-2025-59466

We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when async_hooks.createHook() is enabled. Instead of reaching process.on('uncaughtException'), the process terminates, making the crash unrecoverable. Applications that rely on AsyncLocalStorage (v22, v20) or async_hooks.createHook() (v24, v22, v20) become vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions.

CVE-2026-21637

A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when pskCallback or ALPNCallback are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across Node.js versions where these callbacks throw without being safely wrapped.

Maintainer checklist

Verify whether each CVE applies to the NiceOS build.
Compare NVD data with upstream/vendor advisory.
Set final NiceOS status: affected, fixed, not_affected, false_positive, deferred, or not_in_cloud_image.
If affected, decide update/backport strategy according to package policy class.
Run package-class-specific build, upgrade and regression tests.
Add/update niceos_cve_triage entry.
Create NICE-SA advisory if a security update is shipped.

Machine metadata

{
  "cves": [
    "CVE-2025-55130",
    "CVE-2025-59465",
    "CVE-2025-59466",
    "CVE-2026-21637"
  ],
  "fingerprint": "bce50f214ed71eb49a92",
  "generated_at": "2026-04-29T01:36:55Z",
  "package": "nodejs",
  "prompt_version": "niceos_cve_issue_analysis_v1",
  "tool": "niceos_cve_create_issues.py",
  "tool_version": "1.0",
  "version": "24.12.0"
}

# CVE triage request / Запрос на разбор CVE ## Package / Пакет - Package: `nodejs` - Version: `24.12.0` - EVR: `24.12.0-1` - Category: `standard` - Policy class: `leaf` - NiceOS policy class: `-` - Owner: `base-team` - Severity: `CRITICAL` - Max CVSS: `9.1` - CVE count: `4` ## LLM recommendation / Рекомендация LLM ### RU Критические уязвимости в Node.js (v24.12.0), включая обход ограничений файловой системы (CVE-2025-55130), DoS через ошибки HTTP/2 (CVE-2025-59465), неконтролируемые краши при глубокой рекурсии (CVE-2025-59466) и проблемы обработки TLS (CVE-2026-21637). Немедленно обновить пакет nodejs до версии, содержащей исправления для всех перечисленных CVE. До обновления проверить наличие обработчиков ошибок для secureConnection и убедиться, что приложения не используют небезопасные паттерны с async_hooks. **Рекомендуемое действие:** `needs_triage` **Подсказка по целевой версии:** `-` **Проверки:** 1. Проверить версию установленного nodejs. 2. Попробовать воспроизвести сценарий обхода --allow-fs-read с использованием относительных ссылок. 3. Проверить стабильность сервера при нагрузке с некорректными HTTP/2 заголовками. 4. Тестирование глубокой рекурсии в коде с включенным async_hooks.createHook(). **Риски:** Полный компрометация системы через чтение/запись файлов вне разрешенных путей, отказ в обслуживании (DoS) веб-серверов и приложений, неконтролируемые краши процессов без возможности восстановления. ### EN Critical vulnerabilities in Node.js (v24.12.0), including filesystem permission bypass (CVE-2025-55130), HTTP/2 DoS (CVE-2025-59465), uncatchable crashes via deep recursion (CVE-2025-59466), and TLS error handling issues (CVE-2026-21637). Immediately update the nodejs package to a version containing fixes for all listed CVEs. Prior to updating, verify that applications have explicit error handlers for secureConnection and do not use unsafe async_hooks patterns. **Recommended action:** `needs_triage` **Target version hint:** `-` **Tests:** 1. Verify installed nodejs version. 2. Attempt to reproduce the --allow-fs-read bypass using relative symlinks. 3. Test server stability under load with malformed HTTP/2 headers. 4. Test deep recursion scenarios with async_hooks.createHook() enabled. **Risks:** Full system compromise via reading/writing files outside allowed paths, Denial of Service (DoS) for web servers and applications, and uncontrolled process crashes without recovery capability. ## CVE candidates from NVD/CPE | CVE | Severity | CVSS | Match | NiceOS status | Reason | |---|---|---:|---|---|---| | CVE-2025-55130 | CRITICAL | 9.1 | cpe-range | needs_triage | package version is inside version range | | CVE-2025-59465 | HIGH | 7.5 | cpe-range | needs_triage | package version is inside version range | | CVE-2025-59466 | HIGH | 7.5 | cpe-range | needs_triage | package version is inside version range | | CVE-2026-21637 | HIGH | 7.5 | cpe-range | needs_triage | package version is inside version range | ## Descriptions ### CVE-2025-55130 A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write, leading to potential system compromise. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25. ### CVE-2025-59465 A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets, for example: ``` server.on('secureConnection', socket => { socket.on('error', err => { console.log(err) }) }) ``` ### CVE-2025-59466 We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on('uncaughtException')`, the process terminates, making the crash unrecoverable. Applications that rely on `AsyncLocalStorage` (v22, v20) or `async_hooks.createHook()` (v24, v22, v20) become vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions. ### CVE-2026-21637 A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across Node.js versions where these callbacks throw without being safely wrapped. ## Maintainer checklist - [ ] Verify whether each CVE applies to the NiceOS build. - [ ] Compare NVD data with upstream/vendor advisory. - [ ] Set final NiceOS status: `affected`, `fixed`, `not_affected`, `false_positive`, `deferred`, or `not_in_cloud_image`. - [ ] If affected, decide update/backport strategy according to package policy class. - [ ] Run package-class-specific build, upgrade and regression tests. - [ ] Add/update `niceos_cve_triage` entry. - [ ] Create `NICE-SA` advisory if a security update is shipped. ## Machine metadata ```json { "cves": [ "CVE-2025-55130", "CVE-2025-59465", "CVE-2025-59466", "CVE-2026-21637" ], "fingerprint": "bce50f214ed71eb49a92", "generated_at": "2026-04-29T01:36:55Z", "package": "nodejs", "prompt_version": "niceos_cve_issue_analysis_v1", "tool": "niceos_cve_create_issues.py", "tool_version": "1.0", "version": "24.12.0" } ```

sbelikov added the

labels

2026-04-29 04:36:56 +03:00

sbelikov commented

2026-04-30 02:03:52 +03:00

Author

Owner

Fixed in nodejs-24.15.0-1 on branch niceos-5.2.

Triage result:

CVE	NiceOS status	Resolution
CVE-2025-55130	fixed	Updated Node.js from `24.12.0-1` to `24.15.0-1`. The fix entered the Node.js 24.x LTS line in `24.13.0` by requiring full read/write permission checks for symlink APIs.
CVE-2025-59465	fixed	Updated to `24.15.0-1`. The fix entered the Node.js 24.x LTS line in `24.13.0` by adding the TLSSocket default error handler for malformed HTTP/2 HEADERS handling.
CVE-2025-59466	fixed	Updated to `24.15.0-1`. The fix entered the Node.js 24.x LTS line in `24.13.0` by rethrowing stack overflow exceptions in `async_hooks`.
CVE-2026-21637	fixed	Updated to `24.15.0-1`. The initial TLS callback exception handling fix entered `24.13.0`; later 24.x security fixes in `24.14.1` are also included by updating to `24.15.0`.

Details:

Kept Node.js within the NiceOS 5.2 pinned 24.x LTS line.
Did not update to Node.js 25.x; cross-major runtime updates require application compatibility review.
No downstream backport patches were needed.
Upstream Node.js security fixes are taken from official 24.x LTS release tarballs.

Verification:

rpmbuild -ba SPECS/nodejs.spec completed successfully.
Upgrade transaction test completed successfully.
node --version reports v24.15.0.
npm --version completed successfully.
Basic HTTP/HTTP2/TLS/async_hooks smoke tests completed successfully.
Permission model sanity test completed successfully.
package-index reports EVR: 24.15.0-1.
Portal card: nodejs 24.12.0 -> 24.15.0.

Closing as fixed.

Fixed in `nodejs-24.15.0-1` on branch `niceos-5.2`. Triage result: | CVE | NiceOS status | Resolution | |---|---|---| | CVE-2025-55130 | fixed | Updated Node.js from `24.12.0-1` to `24.15.0-1`. The fix entered the Node.js 24.x LTS line in `24.13.0` by requiring full read/write permission checks for symlink APIs. | | CVE-2025-59465 | fixed | Updated to `24.15.0-1`. The fix entered the Node.js 24.x LTS line in `24.13.0` by adding the TLSSocket default error handler for malformed HTTP/2 HEADERS handling. | | CVE-2025-59466 | fixed | Updated to `24.15.0-1`. The fix entered the Node.js 24.x LTS line in `24.13.0` by rethrowing stack overflow exceptions in `async_hooks`. | | CVE-2026-21637 | fixed | Updated to `24.15.0-1`. The initial TLS callback exception handling fix entered `24.13.0`; later 24.x security fixes in `24.14.1` are also included by updating to `24.15.0`. | Details: - Kept Node.js within the NiceOS 5.2 pinned `24.x` LTS line. - Did not update to Node.js `25.x`; cross-major runtime updates require application compatibility review. - No downstream backport patches were needed. - Upstream Node.js security fixes are taken from official 24.x LTS release tarballs. Verification: - `rpmbuild -ba SPECS/nodejs.spec` completed successfully. - Upgrade transaction test completed successfully. - `node --version` reports `v24.15.0`. - `npm --version` completed successfully. - Basic HTTP/HTTP2/TLS/async_hooks smoke tests completed successfully. - Permission model sanity test completed successfully. - `package-index` reports `EVR: 24.15.0-1`. - Portal card: `nodejs 24.12.0 -> 24.15.0`. Closing as fixed.

sbelikov closed this issue

2026-04-30 02:03:52 +03:00