{
  "document": {
    "aggregate_severity": {
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "TuxCare License Agreement",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.",
        "title": "Terms of Use"
      },
      {
        "category": "details",
        "text": "CVE-2024-22025: pause stream if outgoing buffer is full to prevent resource exhaustion during decompression",
        "title": "Details"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://tuxcare.com/contact/",
      "name": "TuxCare",
      "namespace": "https://tuxcare.com/"
    },
    "references": [
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.tuxcare.com/csaf/v2/els_alt_nodejs/el8/advisories/2025/clsa-2025_1765973528.json"
      },
      {
        "category": "self",
        "summary": "https://cve.tuxcare.com/els-alt-nodejs/releases/CLSA-2025:1765973528",
        "url": "https://cve.tuxcare.com/els-alt-nodejs/releases/CLSA-2025:1765973528"
      }
    ],
    "tracking": {
      "current_release_date": "2025-12-17T12:12:57Z",
      "generator": {
        "date": "2025-12-17T12:12:57Z",
        "engine": {
          "name": "pyCSAF"
        }
      },
      "id": "CLSA-2025:1765973528",
      "initial_release_date": "2025-12-17T12:12:57Z",
      "revision_history": [
        {
          "date": "2025-12-17T12:12:57Z",
          "number": "1",
          "summary": "Initial version"
        }
      ],
      "status": "final",
      "version": "1"
    },
    "title": "alt-nodejs12-nodejs: Fix of CVE-2024-22025"
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Community Enterprise Operating System 8",
                "product": {
                  "name": "Community Enterprise Operating System 8",
                  "product_id": "CentOS-8",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:o:centos:centos:8:*:*:*:*:*:*:*"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Community Enterprise Operating System"
          }
        ],
        "category": "vendor",
        "name": "Cloud Linux Software, Inc."
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "alt-nodejs12-nodejs-docs-0:12.22.12-14.el8.noarch",
                "product": {
                  "name": "alt-nodejs12-nodejs-docs-0:12.22.12-14.el8.noarch",
                  "product_id": "alt-nodejs12-nodejs-docs-0:12.22.12-14.el8.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/alt-nodejs12-nodejs-docs@12.22.12-14.el8?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "alt-nodejs12-nodejs-0:12.22.12-14.el8.x86_64",
                "product": {
                  "name": "alt-nodejs12-nodejs-0:12.22.12-14.el8.x86_64",
                  "product_id": "alt-nodejs12-nodejs-0:12.22.12-14.el8.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/alt-nodejs12-nodejs@12.22.12-14.el8?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "alt-nodejs12-nodejs-devel-0:12.22.12-14.el8.x86_64",
                "product": {
                  "name": "alt-nodejs12-nodejs-devel-0:12.22.12-14.el8.x86_64",
                  "product_id": "alt-nodejs12-nodejs-devel-0:12.22.12-14.el8.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/alt-nodejs12-nodejs-devel@12.22.12-14.el8?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "alt-nodejs12-npm-1:6.14.16-12.22.12.14.el8.x86_64",
                "product": {
                  "name": "alt-nodejs12-npm-1:6.14.16-12.22.12.14.el8.x86_64",
                  "product_id": "alt-nodejs12-npm-1:6.14.16-12.22.12.14.el8.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/alt-nodejs12-npm@6.14.16-12.22.12.14.el8?arch=x86_64&epoch=1"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          }
        ],
        "category": "vendor",
        "name": "TuxCare"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "alt-nodejs12-nodejs-docs-0:12.22.12-14.el8.noarch as a component of Community Enterprise Operating System 8",
          "product_id": "CentOS-8:alt-nodejs12-nodejs-docs-0:12.22.12-14.el8.noarch"
        },
        "product_reference": "alt-nodejs12-nodejs-docs-0:12.22.12-14.el8.noarch",
        "relates_to_product_reference": "CentOS-8"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "alt-nodejs12-nodejs-0:12.22.12-14.el8.x86_64 as a component of Community Enterprise Operating System 8",
          "product_id": "CentOS-8:alt-nodejs12-nodejs-0:12.22.12-14.el8.x86_64"
        },
        "product_reference": "alt-nodejs12-nodejs-0:12.22.12-14.el8.x86_64",
        "relates_to_product_reference": "CentOS-8"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "alt-nodejs12-nodejs-devel-0:12.22.12-14.el8.x86_64 as a component of Community Enterprise Operating System 8",
          "product_id": "CentOS-8:alt-nodejs12-nodejs-devel-0:12.22.12-14.el8.x86_64"
        },
        "product_reference": "alt-nodejs12-nodejs-devel-0:12.22.12-14.el8.x86_64",
        "relates_to_product_reference": "CentOS-8"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "alt-nodejs12-npm-1:6.14.16-12.22.12.14.el8.x86_64 as a component of Community Enterprise Operating System 8",
          "product_id": "CentOS-8:alt-nodejs12-npm-1:6.14.16-12.22.12.14.el8.x86_64"
        },
        "product_reference": "alt-nodejs12-npm-1:6.14.16-12.22.12.14.el8.x86_64",
        "relates_to_product_reference": "CentOS-8"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-22025",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "notes": [
        {
          "category": "description",
          "text": "A vulnerability in Node.js has been identified, allowing for a Denial of Service (DoS) attack through resource exhaustion when using the fetch() function to retrieve content from an untrusted URL.\nThe vulnerability stems from the fact that the fetch() function in Node.js always decodes Brotli, making it possible for an attacker to cause resource exhaustion when fetching content from an untrusted URL.\nAn attacker controlling the URL passed into fetch() can exploit this vulnerability to exhaust memory, potentially leading to process termination, depending on the system configuration.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "CentOS-8:alt-nodejs12-nodejs-0:12.22.12-14.el8.x86_64",
          "CentOS-8:alt-nodejs12-nodejs-devel-0:12.22.12-14.el8.x86_64",
          "CentOS-8:alt-nodejs12-nodejs-docs-0:12.22.12-14.el8.noarch",
          "CentOS-8:alt-nodejs12-npm-1:6.14.16-12.22.12.14.el8.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els-alt-nodejs/cve/CVE-2024-22025"
        }
      ],
      "release_date": "2024-03-19T00:00:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-12-17T12:12:10.492631Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els-alt-nodejs/releases/CLSA-2025:1765973528",
          "product_ids": [
            "CentOS-8:alt-nodejs12-nodejs-0:12.22.12-14.el8.x86_64",
            "CentOS-8:alt-nodejs12-nodejs-devel-0:12.22.12-14.el8.x86_64",
            "CentOS-8:alt-nodejs12-nodejs-docs-0:12.22.12-14.el8.noarch",
            "CentOS-8:alt-nodejs12-npm-1:6.14.16-12.22.12.14.el8.x86_64"
          ],
          "url": "https://cve.tuxcare.com/els-alt-nodejs/releases/CLSA-2025:1765973528"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CentOS-8:alt-nodejs12-nodejs-0:12.22.12-14.el8.x86_64",
            "CentOS-8:alt-nodejs12-nodejs-devel-0:12.22.12-14.el8.x86_64",
            "CentOS-8:alt-nodejs12-nodejs-docs-0:12.22.12-14.el8.noarch",
            "CentOS-8:alt-nodejs12-npm-1:6.14.16-12.22.12.14.el8.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ]
    },
    {
      "cve": "CVE-2023-46809",
      "notes": [
        {
          "category": "description",
          "text": "Node.js versions which bundle an unpatched version of OpenSSL or run against a dynamically linked version of OpenSSL which are unpatched are vulnerable to the Marvin Attack - https://people.redhat.com/~hkario/marvin/, if PKCS #1 v1.5 padding is allowed when performing RSA decryption using a private key.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "CentOS-8:alt-nodejs12-nodejs-0:12.22.12-14.el8.x86_64",
          "CentOS-8:alt-nodejs12-nodejs-devel-0:12.22.12-14.el8.x86_64",
          "CentOS-8:alt-nodejs12-nodejs-docs-0:12.22.12-14.el8.noarch",
          "CentOS-8:alt-nodejs12-npm-1:6.14.16-12.22.12.14.el8.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els-alt-nodejs/cve/CVE-2023-46809"
        }
      ],
      "release_date": "2024-02-16T00:00:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-12-17T12:12:10.492631Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els-alt-nodejs/releases/CLSA-2025:1765973528",
          "product_ids": [
            "CentOS-8:alt-nodejs12-nodejs-0:12.22.12-14.el8.x86_64",
            "CentOS-8:alt-nodejs12-nodejs-devel-0:12.22.12-14.el8.x86_64",
            "CentOS-8:alt-nodejs12-nodejs-docs-0:12.22.12-14.el8.noarch",
            "CentOS-8:alt-nodejs12-npm-1:6.14.16-12.22.12.14.el8.x86_64"
          ],
          "url": "https://cve.tuxcare.com/els-alt-nodejs/releases/CLSA-2025:1765973528"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CentOS-8:alt-nodejs12-nodejs-0:12.22.12-14.el8.x86_64",
            "CentOS-8:alt-nodejs12-nodejs-devel-0:12.22.12-14.el8.x86_64",
            "CentOS-8:alt-nodejs12-nodejs-docs-0:12.22.12-14.el8.noarch",
            "CentOS-8:alt-nodejs12-npm-1:6.14.16-12.22.12.14.el8.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ]
    }
  ]
}