{
  "document": {
    "aggregate_severity": {
      "text": "None"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "TuxCare License Agreement",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.",
        "title": "Terms of Use"
      },
      {
        "category": "details",
        "text": "* ALTNJS-243: Initial build for arm platforms",
        "title": "Details"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://tuxcare.com/contact/",
      "name": "TuxCare",
      "namespace": "https://tuxcare.com/"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://cve.tuxcare.com/els-alt-nodejs/releases/CLSA-2026:1772450673",
        "url": "https://cve.tuxcare.com/els-alt-nodejs/releases/CLSA-2026:1772450673"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.tuxcare.com/csaf/v2/els_alt_nodejs/debian12/advisories/2026/clsa-2026_1772450673.json"
      }
    ],
    "tracking": {
      "current_release_date": "2026-03-03T17:02:30Z",
      "generator": {
        "date": "2026-03-03T17:02:30Z",
        "engine": {
          "name": "pyCSAF"
        }
      },
      "id": "CLSA-2026:1772450673",
      "initial_release_date": "2026-03-02T11:24:35Z",
      "revision_history": [
        {
          "date": "2026-03-02T11:24:35Z",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-03-03T17:02:30Z",
          "number": "2",
          "summary": "Official Publication"
        }
      ],
      "status": "final",
      "version": "2"
    },
    "title": "Update of alt-php"
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Debian 12",
                "product": {
                  "name": "Debian 12",
                  "product_id": "Debian-12",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:o:debian:debian_linux:12:*:*:*:*:*:*:*"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Debian"
          }
        ],
        "category": "vendor",
        "name": "Software in the Public Interest, Inc."
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "alt-nodejs16-nodejs-0:16.20.2-15.arm64",
                "product": {
                  "name": "alt-nodejs16-nodejs-0:16.20.2-15.arm64",
                  "product_id": "alt-nodejs16-nodejs-0:16.20.2-15.arm64",
                  "product_identification_helper": {
                    "purl": "pkg:deb/tuxcare/alt-nodejs16-nodejs@16.20.2-15?arch=arm64&os_name=debian&os_version=12"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "alt-nodejs16-npm-0:8.19.4-16.20.2-12.arm64",
                "product": {
                  "name": "alt-nodejs16-npm-0:8.19.4-16.20.2-12.arm64",
                  "product_id": "alt-nodejs16-npm-0:8.19.4-16.20.2-12.arm64",
                  "product_identification_helper": {
                    "purl": "pkg:deb/tuxcare/alt-nodejs16-npm@8.19.4-16.20.2-12?arch=arm64&os_name=debian&os_version=12"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "alt-nodejs16-docs-0:16.20.2-15.arm64",
                "product": {
                  "name": "alt-nodejs16-docs-0:16.20.2-15.arm64",
                  "product_id": "alt-nodejs16-docs-0:16.20.2-15.arm64",
                  "product_identification_helper": {
                    "purl": "pkg:deb/tuxcare/alt-nodejs16-docs@16.20.2-15?arch=arm64&os_name=debian&os_version=12"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "alt-nodejs16-nodejs-devel-0:16.20.2-15.arm64",
                "product": {
                  "name": "alt-nodejs16-nodejs-devel-0:16.20.2-15.arm64",
                  "product_id": "alt-nodejs16-nodejs-devel-0:16.20.2-15.arm64",
                  "product_identification_helper": {
                    "purl": "pkg:deb/tuxcare/alt-nodejs16-nodejs-devel@16.20.2-15?arch=arm64&os_name=debian&os_version=12"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "arm64"
          }
        ],
        "category": "vendor",
        "name": "TuxCare"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "alt-nodejs16-nodejs-0:16.20.2-15.arm64 as a component of Debian 12",
          "product_id": "Debian-12:alt-nodejs16-nodejs-0:16.20.2-15.arm64"
        },
        "product_reference": "alt-nodejs16-nodejs-0:16.20.2-15.arm64",
        "relates_to_product_reference": "Debian-12"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "alt-nodejs16-npm-0:8.19.4-16.20.2-12.arm64 as a component of Debian 12",
          "product_id": "Debian-12:alt-nodejs16-npm-0:8.19.4-16.20.2-12.arm64"
        },
        "product_reference": "alt-nodejs16-npm-0:8.19.4-16.20.2-12.arm64",
        "relates_to_product_reference": "Debian-12"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "alt-nodejs16-docs-0:16.20.2-15.arm64 as a component of Debian 12",
          "product_id": "Debian-12:alt-nodejs16-docs-0:16.20.2-15.arm64"
        },
        "product_reference": "alt-nodejs16-docs-0:16.20.2-15.arm64",
        "relates_to_product_reference": "Debian-12"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "alt-nodejs16-nodejs-devel-0:16.20.2-15.arm64 as a component of Debian 12",
          "product_id": "Debian-12:alt-nodejs16-nodejs-devel-0:16.20.2-15.arm64"
        },
        "product_reference": "alt-nodejs16-nodejs-devel-0:16.20.2-15.arm64",
        "relates_to_product_reference": "Debian-12"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-55131",
      "cwe": {
        "id": "CWE-497",
        "name": "Exposure of Sensitive System Information to an Unauthorized Control Sphere"
      },
      "notes": [
        {
          "category": "description",
          "text": "A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption. While exploitation typically requires precise timing or in-process code execution, it can become remotely exploitable when untrusted input influences workload and timeouts, leading to potential confidentiality and integrity impact.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Debian-12:alt-nodejs16-docs-0:16.20.2-15.arm64",
          "Debian-12:alt-nodejs16-nodejs-0:16.20.2-15.arm64",
          "Debian-12:alt-nodejs16-nodejs-devel-0:16.20.2-15.arm64",
          "Debian-12:alt-nodejs16-npm-0:8.19.4-16.20.2-12.arm64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els-alt-nodejs/cve/CVE-2025-55131"
        }
      ],
      "release_date": "2026-01-20T20:41:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-03-02T11:24:35.920821Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els-alt-nodejs/releases/CLSA-2026:1772450673",
          "product_ids": [
            "Debian-12:alt-nodejs16-docs-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-nodejs-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-nodejs-devel-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-npm-0:8.19.4-16.20.2-12.arm64"
          ],
          "url": "https://cve.tuxcare.com/els-alt-nodejs/releases/CLSA-2026:1772450673"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L",
            "version": "3.1"
          },
          "products": [
            "Debian-12:alt-nodejs16-docs-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-nodejs-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-nodejs-devel-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-npm-0:8.19.4-16.20.2-12.arm64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ]
    },
    {
      "cve": "CVE-2025-59466",
      "cwe": {
        "id": "CWE-248",
        "name": "Uncaught Exception"
      },
      "notes": [
        {
          "category": "description",
          "text": "We have identified a bug in Node.js error handling where \"Maximum call stack size exceeded\" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on('uncaughtException')`, the process terminates, making the crash unrecoverable. Applications that rely on `AsyncLocalStorage` (v22, v20) or `async_hooks.createHook()` (v24, v22, v20) become vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Debian-12:alt-nodejs16-docs-0:16.20.2-15.arm64",
          "Debian-12:alt-nodejs16-nodejs-0:16.20.2-15.arm64",
          "Debian-12:alt-nodejs16-nodejs-devel-0:16.20.2-15.arm64",
          "Debian-12:alt-nodejs16-npm-0:8.19.4-16.20.2-12.arm64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els-alt-nodejs/cve/CVE-2025-59466"
        },
        {
          "category": "external",
          "summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
          "url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
        }
      ],
      "release_date": "2026-01-20T21:16:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-03-02T11:24:35.920821Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els-alt-nodejs/releases/CLSA-2026:1772450673",
          "product_ids": [
            "Debian-12:alt-nodejs16-docs-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-nodejs-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-nodejs-devel-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-npm-0:8.19.4-16.20.2-12.arm64"
          ],
          "url": "https://cve.tuxcare.com/els-alt-nodejs/releases/CLSA-2026:1772450673"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Debian-12:alt-nodejs16-docs-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-nodejs-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-nodejs-devel-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-npm-0:8.19.4-16.20.2-12.arm64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ]
    },
    {
      "cve": "CVE-2026-21637",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "notes": [
        {
          "category": "description",
          "text": "A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across Node.js versions where these callbacks throw without being safely wrapped.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Debian-12:alt-nodejs16-docs-0:16.20.2-15.arm64",
          "Debian-12:alt-nodejs16-nodejs-0:16.20.2-15.arm64",
          "Debian-12:alt-nodejs16-nodejs-devel-0:16.20.2-15.arm64",
          "Debian-12:alt-nodejs16-npm-0:8.19.4-16.20.2-12.arm64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els-alt-nodejs/cve/CVE-2026-21637"
        },
        {
          "category": "external",
          "summary": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
          "url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
        }
      ],
      "release_date": "2026-01-20T21:16:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-03-02T11:24:35.920821Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els-alt-nodejs/releases/CLSA-2026:1772450673",
          "product_ids": [
            "Debian-12:alt-nodejs16-docs-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-nodejs-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-nodejs-devel-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-npm-0:8.19.4-16.20.2-12.arm64"
          ],
          "url": "https://cve.tuxcare.com/els-alt-nodejs/releases/CLSA-2026:1772450673"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Debian-12:alt-nodejs16-docs-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-nodejs-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-nodejs-devel-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-npm-0:8.19.4-16.20.2-12.arm64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ]
    },
    {
      "cve": "CVE-2025-59465",
      "cwe": {
        "id": "CWE-248",
        "name": "Uncaught Exception"
      },
      "notes": [
        {
          "category": "description",
          "text": "A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets, for example:\n```\nserver.on('secureConnection', socket => {\nsocket.on('error', err => {\nconsole.log(err)\n})\n})\n```",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Debian-12:alt-nodejs16-docs-0:16.20.2-15.arm64",
          "Debian-12:alt-nodejs16-nodejs-0:16.20.2-15.arm64",
          "Debian-12:alt-nodejs16-nodejs-devel-0:16.20.2-15.arm64",
          "Debian-12:alt-nodejs16-npm-0:8.19.4-16.20.2-12.arm64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els-alt-nodejs/cve/CVE-2025-59465"
        }
      ],
      "release_date": "2026-01-20T20:41:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-03-02T11:24:35.920821Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els-alt-nodejs/releases/CLSA-2026:1772450673",
          "product_ids": [
            "Debian-12:alt-nodejs16-docs-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-nodejs-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-nodejs-devel-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-npm-0:8.19.4-16.20.2-12.arm64"
          ],
          "url": "https://cve.tuxcare.com/els-alt-nodejs/releases/CLSA-2026:1772450673"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Debian-12:alt-nodejs16-docs-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-nodejs-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-nodejs-devel-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-npm-0:8.19.4-16.20.2-12.arm64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ]
    },
    {
      "cve": "CVE-2023-45143",
      "cwe": {
        "id": "CWE-200",
        "name": "Exposure of Sensitive Information to an Unauthorized Actor"
      },
      "notes": [
        {
          "category": "description",
          "text": "Undici is an HTTP/1.1 client written from scratch for Node.js. Prior to version 5.26.2, Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Cookie` headers. By design, `cookie` headers are forbidden request headers, disallowing them to be set in RequestInit.headers in browser environments. Since undici handles headers more liberally than the spec, there was a disconnect from the assumptions the spec made, and undici's implementation of fetch. As such this may lead to accidental leakage of cookie to a third-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the third party site. This was patched in version 5.26.2. There are no known workarounds.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Debian-12:alt-nodejs16-docs-0:16.20.2-15.arm64",
          "Debian-12:alt-nodejs16-nodejs-0:16.20.2-15.arm64",
          "Debian-12:alt-nodejs16-nodejs-devel-0:16.20.2-15.arm64",
          "Debian-12:alt-nodejs16-npm-0:8.19.4-16.20.2-12.arm64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els-alt-nodejs/cve/CVE-2023-45143"
        },
        {
          "category": "external",
          "summary": "https://github.com/nodejs/undici/commit/e041de359221ebeae04c469e8aff4145764e6d76",
          "url": "https://github.com/nodejs/undici/commit/e041de359221ebeae04c469e8aff4145764e6d76"
        },
        {
          "category": "external",
          "summary": "https://github.com/nodejs/undici/releases/tag/v5.26.2",
          "url": "https://github.com/nodejs/undici/releases/tag/v5.26.2"
        },
        {
          "category": "external",
          "summary": "https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp",
          "url": "https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp"
        },
        {
          "category": "external",
          "summary": "https://github.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g",
          "url": "https://github.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g"
        },
        {
          "category": "external",
          "summary": "https://hackerone.com/reports/2166948",
          "url": "https://hackerone.com/reports/2166948"
        },
        {
          "category": "external",
          "summary": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/",
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/"
        },
        {
          "category": "external",
          "summary": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/",
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/"
        },
        {
          "category": "external",
          "summary": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/",
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/"
        },
        {
          "category": "external",
          "summary": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/",
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/"
        },
        {
          "category": "external",
          "summary": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/",
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/"
        },
        {
          "category": "external",
          "summary": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/",
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/"
        }
      ],
      "release_date": "2023-10-12T17:15:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-03-02T11:24:35.920821Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els-alt-nodejs/releases/CLSA-2026:1772450673",
          "product_ids": [
            "Debian-12:alt-nodejs16-docs-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-nodejs-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-nodejs-devel-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-npm-0:8.19.4-16.20.2-12.arm64"
          ],
          "url": "https://cve.tuxcare.com/els-alt-nodejs/releases/CLSA-2026:1772450673"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.5,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "Debian-12:alt-nodejs16-docs-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-nodejs-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-nodejs-devel-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-npm-0:8.19.4-16.20.2-12.arm64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ]
    },
    {
      "cve": "CVE-2023-39333",
      "cwe": {
        "id": "CWE-94",
        "name": "Improper Control of Generation of Code ('Code Injection')"
      },
      "notes": [
        {
          "category": "description",
          "text": "Maliciously crafted export names in an imported WebAssembly module can inject JavaScript code. The injected code may be able to access data and functions that the WebAssembly module itself does not have access to, similar to as if the WebAssembly module was a JavaScript module.\nThis vulnerability affects users of any active release line of Node.js. The vulnerable feature is only available if Node.js is started with the `--experimental-wasm-modules` command line option.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Debian-12:alt-nodejs16-docs-0:16.20.2-15.arm64",
          "Debian-12:alt-nodejs16-nodejs-0:16.20.2-15.arm64",
          "Debian-12:alt-nodejs16-nodejs-devel-0:16.20.2-15.arm64",
          "Debian-12:alt-nodejs16-npm-0:8.19.4-16.20.2-12.arm64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els-alt-nodejs/cve/CVE-2023-39333"
        }
      ],
      "release_date": "2023-10-13T00:00:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-03-02T11:24:35.920821Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els-alt-nodejs/releases/CLSA-2026:1772450673",
          "product_ids": [
            "Debian-12:alt-nodejs16-docs-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-nodejs-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-nodejs-devel-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-npm-0:8.19.4-16.20.2-12.arm64"
          ],
          "url": "https://cve.tuxcare.com/els-alt-nodejs/releases/CLSA-2026:1772450673"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "Debian-12:alt-nodejs16-docs-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-nodejs-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-nodejs-devel-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-npm-0:8.19.4-16.20.2-12.arm64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ]
    },
    {
      "cve": "CVE-2024-22025",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "notes": [
        {
          "category": "description",
          "text": "A vulnerability in Node.js has been identified, allowing for a Denial of Service (DoS) attack through resource exhaustion when using the fetch() function to retrieve content from an untrusted URL.\nThe vulnerability stems from the fact that the fetch() function in Node.js always decodes Brotli, making it possible for an attacker to cause resource exhaustion when fetching content from an untrusted URL.\nAn attacker controlling the URL passed into fetch() can exploit this vulnerability to exhaust memory, potentially leading to process termination, depending on the system configuration.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Debian-12:alt-nodejs16-docs-0:16.20.2-15.arm64",
          "Debian-12:alt-nodejs16-nodejs-0:16.20.2-15.arm64",
          "Debian-12:alt-nodejs16-nodejs-devel-0:16.20.2-15.arm64",
          "Debian-12:alt-nodejs16-npm-0:8.19.4-16.20.2-12.arm64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els-alt-nodejs/cve/CVE-2024-22025"
        }
      ],
      "release_date": "2024-03-19T00:00:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-03-02T11:24:35.920821Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els-alt-nodejs/releases/CLSA-2026:1772450673",
          "product_ids": [
            "Debian-12:alt-nodejs16-docs-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-nodejs-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-nodejs-devel-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-npm-0:8.19.4-16.20.2-12.arm64"
          ],
          "url": "https://cve.tuxcare.com/els-alt-nodejs/releases/CLSA-2026:1772450673"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Debian-12:alt-nodejs16-docs-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-nodejs-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-nodejs-devel-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-npm-0:8.19.4-16.20.2-12.arm64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ]
    },
    {
      "cve": "CVE-2024-27982",
      "cwe": {
        "id": "CWE-444",
        "name": "Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')"
      },
      "notes": [
        {
          "category": "description",
          "text": "The team has identified a critical vulnerability in the http server of the most recent version of Node, where malformed headers can lead to HTTP request smuggling. Specifically, if a space is placed before a content-length header, it is not interpreted correctly, enabling attackers to smuggle in a second request within the body of the first.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Debian-12:alt-nodejs16-docs-0:16.20.2-15.arm64",
          "Debian-12:alt-nodejs16-nodejs-0:16.20.2-15.arm64",
          "Debian-12:alt-nodejs16-nodejs-devel-0:16.20.2-15.arm64",
          "Debian-12:alt-nodejs16-npm-0:8.19.4-16.20.2-12.arm64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els-alt-nodejs/cve/CVE-2024-27982"
        }
      ],
      "release_date": "2024-04-03T00:00:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-03-02T11:24:35.920821Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els-alt-nodejs/releases/CLSA-2026:1772450673",
          "product_ids": [
            "Debian-12:alt-nodejs16-docs-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-nodejs-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-nodejs-devel-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-npm-0:8.19.4-16.20.2-12.arm64"
          ],
          "url": "https://cve.tuxcare.com/els-alt-nodejs/releases/CLSA-2026:1772450673"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "Debian-12:alt-nodejs16-docs-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-nodejs-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-nodejs-devel-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-npm-0:8.19.4-16.20.2-12.arm64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ]
    },
    {
      "cve": "CVE-2023-46809",
      "notes": [
        {
          "category": "description",
          "text": "Node.js versions that bundle an unpatched version of OpenSSL, or that run against an unpatched dynamically linked version of OpenSSL, are vulnerable to the Marvin Attack - https://people.redhat.com/~hkario/marvin/, if PKCS #1 v1.5 padding is allowed when performing RSA decryption using a private key.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Debian-12:alt-nodejs16-docs-0:16.20.2-15.arm64",
          "Debian-12:alt-nodejs16-nodejs-0:16.20.2-15.arm64",
          "Debian-12:alt-nodejs16-nodejs-devel-0:16.20.2-15.arm64",
          "Debian-12:alt-nodejs16-npm-0:8.19.4-16.20.2-12.arm64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els-alt-nodejs/cve/CVE-2023-46809"
        }
      ],
      "release_date": "2024-02-16T00:00:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-03-02T11:24:35.920821Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els-alt-nodejs/releases/CLSA-2026:1772450673",
          "product_ids": [
            "Debian-12:alt-nodejs16-docs-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-nodejs-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-nodejs-devel-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-npm-0:8.19.4-16.20.2-12.arm64"
          ],
          "url": "https://cve.tuxcare.com/els-alt-nodejs/releases/CLSA-2026:1772450673"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "Debian-12:alt-nodejs16-docs-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-nodejs-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-nodejs-devel-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-npm-0:8.19.4-16.20.2-12.arm64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ]
    },
    {
      "cve": "CVE-2024-22019",
      "cwe": {
        "id": "CWE-404",
        "name": "Improper Resource Shutdown or Release"
      },
      "notes": [
        {
          "category": "description",
          "text": "A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and denial of service (DoS). The server reads an unbounded number of bytes from a single connection, exploiting the lack of limitations on chunk extension bytes. The issue can cause CPU and network bandwidth exhaustion, bypassing standard safeguards like timeouts and body size limits.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Debian-12:alt-nodejs16-docs-0:16.20.2-15.arm64",
          "Debian-12:alt-nodejs16-nodejs-0:16.20.2-15.arm64",
          "Debian-12:alt-nodejs16-nodejs-devel-0:16.20.2-15.arm64",
          "Debian-12:alt-nodejs16-npm-0:8.19.4-16.20.2-12.arm64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els-alt-nodejs/cve/CVE-2024-22019"
        },
        {
          "category": "external",
          "summary": "http://www.openwall.com/lists/oss-security/2024/03/11/1",
          "url": "http://www.openwall.com/lists/oss-security/2024/03/11/1"
        },
        {
          "category": "external",
          "summary": "https://hackerone.com/reports/2233486",
          "url": "https://hackerone.com/reports/2233486"
        },
        {
          "category": "external",
          "summary": "https://security.netapp.com/advisory/ntap-20240315-0004/",
          "url": "https://security.netapp.com/advisory/ntap-20240315-0004/"
        },
        {
          "category": "external",
          "summary": "https://lists.debian.org/debian-lts-announce/2024/09/msg00029.html",
          "url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00029.html"
        }
      ],
      "release_date": "2024-02-20T02:15:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-03-02T11:24:35.920821Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els-alt-nodejs/releases/CLSA-2026:1772450673",
          "product_ids": [
            "Debian-12:alt-nodejs16-docs-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-nodejs-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-nodejs-devel-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-npm-0:8.19.4-16.20.2-12.arm64"
          ],
          "url": "https://cve.tuxcare.com/els-alt-nodejs/releases/CLSA-2026:1772450673"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Debian-12:alt-nodejs16-docs-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-nodejs-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-nodejs-devel-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-npm-0:8.19.4-16.20.2-12.arm64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ]
    },
    {
      "cve": "CVE-2025-23166",
      "cwe": {
        "id": "CWE-248",
        "name": "Uncaught Exception"
      },
      "notes": [
        {
          "category": "description",
          "text": "The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentially allows an adversary to remotely crash a Node.js runtime.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Debian-12:alt-nodejs16-docs-0:16.20.2-15.arm64",
          "Debian-12:alt-nodejs16-nodejs-0:16.20.2-15.arm64",
          "Debian-12:alt-nodejs16-nodejs-devel-0:16.20.2-15.arm64",
          "Debian-12:alt-nodejs16-npm-0:8.19.4-16.20.2-12.arm64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els-alt-nodejs/cve/CVE-2025-23166"
        }
      ],
      "release_date": "2025-05-19T01:25:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-03-02T11:24:35.920821Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els-alt-nodejs/releases/CLSA-2026:1772450673",
          "product_ids": [
            "Debian-12:alt-nodejs16-docs-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-nodejs-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-nodejs-devel-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-npm-0:8.19.4-16.20.2-12.arm64"
          ],
          "url": "https://cve.tuxcare.com/els-alt-nodejs/releases/CLSA-2026:1772450673"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          },
          "products": [
            "Debian-12:alt-nodejs16-docs-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-nodejs-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-nodejs-devel-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-npm-0:8.19.4-16.20.2-12.arm64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ]
    },
    {
      "cve": "CVE-2024-27983",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "notes": [
        {
          "category": "description",
          "text": "An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small number of HTTP/2 packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with an HTTP/2 CONTINUATION frame are sent to the server and the TCP connection is then abruptly closed by the client, triggering the Http2Session destructor while header frames are still being processed (and stored in memory), which causes a race condition.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Debian-12:alt-nodejs16-docs-0:16.20.2-15.arm64",
          "Debian-12:alt-nodejs16-nodejs-0:16.20.2-15.arm64",
          "Debian-12:alt-nodejs16-nodejs-devel-0:16.20.2-15.arm64",
          "Debian-12:alt-nodejs16-npm-0:8.19.4-16.20.2-12.arm64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els-alt-nodejs/cve/CVE-2024-27983"
        }
      ],
      "release_date": "2024-04-03T00:00:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-03-02T11:24:35.920821Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els-alt-nodejs/releases/CLSA-2026:1772450673",
          "product_ids": [
            "Debian-12:alt-nodejs16-docs-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-nodejs-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-nodejs-devel-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-npm-0:8.19.4-16.20.2-12.arm64"
          ],
          "url": "https://cve.tuxcare.com/els-alt-nodejs/releases/CLSA-2026:1772450673"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Debian-12:alt-nodejs16-docs-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-nodejs-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-nodejs-devel-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-npm-0:8.19.4-16.20.2-12.arm64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ]
    },
    {
      "cve": "CVE-2025-23085",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "notes": [
        {
          "category": "description",
          "text": "A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could lead to increased memory consumption and potential denial of service under certain conditions.\nThis vulnerability affects HTTP/2 Server users on Node.js v18.x, v20.x, v22.x and v23.x.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Debian-12:alt-nodejs16-docs-0:16.20.2-15.arm64",
          "Debian-12:alt-nodejs16-nodejs-0:16.20.2-15.arm64",
          "Debian-12:alt-nodejs16-nodejs-devel-0:16.20.2-15.arm64",
          "Debian-12:alt-nodejs16-npm-0:8.19.4-16.20.2-12.arm64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els-alt-nodejs/cve/CVE-2025-23085"
        }
      ],
      "release_date": "2025-01-21T00:00:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-03-02T11:24:35.920821Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els-alt-nodejs/releases/CLSA-2026:1772450673",
          "product_ids": [
            "Debian-12:alt-nodejs16-docs-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-nodejs-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-nodejs-devel-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-npm-0:8.19.4-16.20.2-12.arm64"
          ],
          "url": "https://cve.tuxcare.com/els-alt-nodejs/releases/CLSA-2026:1772450673"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "Debian-12:alt-nodejs16-docs-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-nodejs-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-nodejs-devel-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-npm-0:8.19.4-16.20.2-12.arm64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ]
    },
    {
      "cve": "CVE-2024-28863",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "notes": [
        {
          "category": "description",
          "text": "node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within a few seconds of running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Debian-12:alt-nodejs16-docs-0:16.20.2-15.arm64",
          "Debian-12:alt-nodejs16-nodejs-0:16.20.2-15.arm64",
          "Debian-12:alt-nodejs16-nodejs-devel-0:16.20.2-15.arm64",
          "Debian-12:alt-nodejs16-npm-0:8.19.4-16.20.2-12.arm64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els-alt-nodejs/cve/CVE-2024-28863"
        }
      ],
      "release_date": "2024-03-21T00:00:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-03-02T11:24:35.920821Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els-alt-nodejs/releases/CLSA-2026:1772450673",
          "product_ids": [
            "Debian-12:alt-nodejs16-docs-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-nodejs-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-nodejs-devel-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-npm-0:8.19.4-16.20.2-12.arm64"
          ],
          "url": "https://cve.tuxcare.com/els-alt-nodejs/releases/CLSA-2026:1772450673"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Debian-12:alt-nodejs16-docs-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-nodejs-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-nodejs-devel-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-npm-0:8.19.4-16.20.2-12.arm64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ]
    },
    {
      "cve": "CVE-2024-25629",
      "cwe": {
        "id": "CWE-127",
        "name": "Buffer Under-read"
      },
      "notes": [
        {
          "category": "description",
          "text": "c-ares is a C library for asynchronous DNS requests. `ares__read_line()` is used to parse local configuration files such as `/etc/resolv.conf`, `/etc/nsswitch.conf`, the `HOSTALIASES` file, and if using a c-ares version prior to 1.27.0, the `/etc/hosts` file. If any of these configuration files has an embedded `NULL` character as the first character in a new line, it can lead to attempting to read memory prior to the start of the given buffer which may result in a crash. This issue is fixed in c-ares 1.27.0. No known workarounds exist.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Debian-12:alt-nodejs16-docs-0:16.20.2-15.arm64",
          "Debian-12:alt-nodejs16-nodejs-0:16.20.2-15.arm64",
          "Debian-12:alt-nodejs16-nodejs-devel-0:16.20.2-15.arm64",
          "Debian-12:alt-nodejs16-npm-0:8.19.4-16.20.2-12.arm64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els-alt-nodejs/cve/CVE-2024-25629"
        },
        {
          "category": "external",
          "summary": "https://github.com/c-ares/c-ares/commit/a804c04ddc8245fc8adf0e92368709639125e183",
          "url": "https://github.com/c-ares/c-ares/commit/a804c04ddc8245fc8adf0e92368709639125e183"
        },
        {
          "category": "external",
          "summary": "https://github.com/c-ares/c-ares/security/advisories/GHSA-mg26-v6qh-x48q",
          "url": "https://github.com/c-ares/c-ares/security/advisories/GHSA-mg26-v6qh-x48q"
        },
        {
          "category": "external",
          "summary": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2P76QYINQNPEHUTEEDOUYIRZ2X6UVZ5K/",
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2P76QYINQNPEHUTEEDOUYIRZ2X6UVZ5K/"
        },
        {
          "category": "external",
          "summary": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CSCMTSPDIE2UHU34TIXQQHZ6JTE3Y3VF/",
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CSCMTSPDIE2UHU34TIXQQHZ6JTE3Y3VF/"
        },
        {
          "category": "external",
          "summary": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GX37LFPFQ3T6FFMMFYQTEGIQXXN7F27U/",
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GX37LFPFQ3T6FFMMFYQTEGIQXXN7F27U/"
        }
      ],
      "release_date": "2024-02-23T15:15:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-03-02T11:24:35.920821Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els-alt-nodejs/releases/CLSA-2026:1772450673",
          "product_ids": [
            "Debian-12:alt-nodejs16-docs-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-nodejs-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-nodejs-devel-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-npm-0:8.19.4-16.20.2-12.arm64"
          ],
          "url": "https://cve.tuxcare.com/els-alt-nodejs/releases/CLSA-2026:1772450673"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Debian-12:alt-nodejs16-docs-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-nodejs-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-nodejs-devel-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-npm-0:8.19.4-16.20.2-12.arm64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ]
    },
    {
      "cve": "CVE-2023-38552",
      "cwe": {
        "id": "CWE-345",
        "name": "Insufficient Verification of Data Authenticity"
      },
      "notes": [
        {
          "category": "description",
          "text": "When the Node.js policy feature checks the integrity of a resource against a trusted manifest, the application can intercept the operation and return a forged checksum to the Node.js policy implementation, thus effectively disabling the integrity check.\nImpacts:\nThis vulnerability affects all users using the experimental policy mechanism in all active release lines: 18.x and 20.x.\nPlease note that at the time this CVE was issued, the policy mechanism is an experimental feature of Node.js.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Debian-12:alt-nodejs16-docs-0:16.20.2-15.arm64",
          "Debian-12:alt-nodejs16-nodejs-0:16.20.2-15.arm64",
          "Debian-12:alt-nodejs16-nodejs-devel-0:16.20.2-15.arm64",
          "Debian-12:alt-nodejs16-npm-0:8.19.4-16.20.2-12.arm64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els-alt-nodejs/cve/CVE-2023-38552"
        },
        {
          "category": "external",
          "summary": "https://hackerone.com/reports/2094235",
          "url": "https://hackerone.com/reports/2094235"
        },
        {
          "category": "external",
          "summary": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/",
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/"
        },
        {
          "category": "external",
          "summary": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/",
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/"
        },
        {
          "category": "external",
          "summary": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/",
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/"
        },
        {
          "category": "external",
          "summary": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/",
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/"
        },
        {
          "category": "external",
          "summary": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/",
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/"
        },
        {
          "category": "external",
          "summary": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/",
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/"
        },
        {
          "category": "external",
          "summary": "https://security.netapp.com/advisory/ntap-20231116-0013/",
          "url": "https://security.netapp.com/advisory/ntap-20231116-0013/"
        },
        {
          "category": "external",
          "summary": "https://security.netapp.com/advisory/ntap-20241108-0002/",
          "url": "https://security.netapp.com/advisory/ntap-20241108-0002/"
        }
      ],
      "release_date": "2023-10-18T04:15:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-03-02T11:24:35.920821Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els-alt-nodejs/releases/CLSA-2026:1772450673",
          "product_ids": [
            "Debian-12:alt-nodejs16-docs-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-nodejs-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-nodejs-devel-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-npm-0:8.19.4-16.20.2-12.arm64"
          ],
          "url": "https://cve.tuxcare.com/els-alt-nodejs/releases/CLSA-2026:1772450673"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "Debian-12:alt-nodejs16-docs-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-nodejs-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-nodejs-devel-0:16.20.2-15.arm64",
            "Debian-12:alt-nodejs16-npm-0:8.19.4-16.20.2-12.arm64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ]
    }
  ]
}