{
  "document": {
    "aggregate_severity": {
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "TuxCare License Agreement",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.",
        "title": "Terms of Use"
      },
      {
        "category": "details",
        "text": "- CVE-2025-22150: fix issue where undici used Math.random() to choose the\n  boundary for multipart/form-data requests; it now uses a secure random number\n  generator\n- CVE-2023-39333: fix injection of JavaScript code via maliciously crafted\n  export names in imported WebAssembly modules\n- Run full Node.js tests in %check\n- Fix comment typo in spec",
        "title": "Details"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://tuxcare.com/contact/",
      "name": "TuxCare",
      "namespace": "https://tuxcare.com/"
    },
    "references": [
      {
        "category": "self",
        "summary": "TuxCare ELS release page for CLSA-2026:1772617597",
        "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1772617597"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.tuxcare.com/csaf/v2/els_os/tuxcare9.6esu/advisories/2026/clsa-2026_1772617597.json"
      }
    ],
    "tracking": {
      "current_release_date": "2026-03-04T09:47:25Z",
      "generator": {
        "date": "2026-03-04T09:47:25Z",
        "engine": {
          "name": "pyCSAF"
        }
      },
      "id": "CLSA-2026:1772617597",
      "initial_release_date": "2026-03-04T09:47:25Z",
      "revision_history": [
        {
          "date": "2026-03-04T09:47:25Z",
          "number": "1",
          "summary": "Initial version"
        }
      ],
      "status": "final",
      "version": "1"
    },
    "title": "nodejs: Fix of 2 CVEs"
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "AlmaLinux 9.6",
                "product": {
                  "name": "AlmaLinux 9.6",
                  "product_id": "AlmaLinux-9.6",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:o:almalinux:almalinux:9.6:*:*:*:*:*:*:*"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "AlmaLinux"
          }
        ],
        "category": "vendor",
        "name": "AlmaLinux OS Foundation"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Rocky Linux 9.6",
                "product": {
                  "name": "Rocky Linux 9.6",
                  "product_id": "Rocky Linux-9.6",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:o:resf:rocky_linux:9.6:*:*:*:*:*:*:*"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Rocky Linux"
          }
        ],
        "category": "vendor",
        "name": "Rocky Linux"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "nodejs-libs-1:16.20.2-8.el9_6.tuxcare.els9.x86_64",
                "product": {
                  "name": "nodejs-libs-1:16.20.2-8.el9_6.tuxcare.els9.x86_64",
                  "product_id": "nodejs-libs-1:16.20.2-8.el9_6.tuxcare.els9.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/nodejs-libs@16.20.2-8.el9_6.tuxcare.els9?arch=x86_64&epoch=1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "npm-1:8.19.4_1.16.20.2-8.el9_6.tuxcare.els9.x86_64",
                "product": {
                  "name": "npm-1:8.19.4_1.16.20.2-8.el9_6.tuxcare.els9.x86_64",
                  "product_id": "npm-1:8.19.4_1.16.20.2-8.el9_6.tuxcare.els9.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/npm@8.19.4_1.16.20.2-8.el9_6.tuxcare.els9?arch=x86_64&epoch=1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "nodejs-full-i18n-1:16.20.2-8.el9_6.tuxcare.els9.x86_64",
                "product": {
                  "name": "nodejs-full-i18n-1:16.20.2-8.el9_6.tuxcare.els9.x86_64",
                  "product_id": "nodejs-full-i18n-1:16.20.2-8.el9_6.tuxcare.els9.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/nodejs-full-i18n@16.20.2-8.el9_6.tuxcare.els9?arch=x86_64&epoch=1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "nodejs-1:16.20.2-8.el9_6.tuxcare.els9.x86_64",
                "product": {
                  "name": "nodejs-1:16.20.2-8.el9_6.tuxcare.els9.x86_64",
                  "product_id": "nodejs-1:16.20.2-8.el9_6.tuxcare.els9.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/nodejs@16.20.2-8.el9_6.tuxcare.els9?arch=x86_64&epoch=1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "v8-devel-2:9.4.146.26_1.16.20.2-8.el9_6.tuxcare.els9.x86_64",
                "product": {
                  "name": "v8-devel-2:9.4.146.26_1.16.20.2-8.el9_6.tuxcare.els9.x86_64",
                  "product_id": "v8-devel-2:9.4.146.26_1.16.20.2-8.el9_6.tuxcare.els9.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/v8-devel@9.4.146.26_1.16.20.2-8.el9_6.tuxcare.els9?arch=x86_64&epoch=2"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "nodejs-devel-1:16.20.2-8.el9_6.tuxcare.els9.x86_64",
                "product": {
                  "name": "nodejs-devel-1:16.20.2-8.el9_6.tuxcare.els9.x86_64",
                  "product_id": "nodejs-devel-1:16.20.2-8.el9_6.tuxcare.els9.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/nodejs-devel@16.20.2-8.el9_6.tuxcare.els9?arch=x86_64&epoch=1"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "nodejs-libs-1:16.20.2-8.el9_6.tuxcare.els9.i686",
                "product": {
                  "name": "nodejs-libs-1:16.20.2-8.el9_6.tuxcare.els9.i686",
                  "product_id": "nodejs-libs-1:16.20.2-8.el9_6.tuxcare.els9.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/nodejs-libs@16.20.2-8.el9_6.tuxcare.els9?arch=i686&epoch=1"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "i686"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "nodejs-docs-1:16.20.2-8.el9_6.tuxcare.els9.noarch",
                "product": {
                  "name": "nodejs-docs-1:16.20.2-8.el9_6.tuxcare.els9.noarch",
                  "product_id": "nodejs-docs-1:16.20.2-8.el9_6.tuxcare.els9.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/nodejs-docs@16.20.2-8.el9_6.tuxcare.els9?arch=noarch&epoch=1"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          }
        ],
        "category": "vendor",
        "name": "TuxCare"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nodejs-libs-1:16.20.2-8.el9_6.tuxcare.els9.x86_64 as a component of AlmaLinux 9.6",
          "product_id": "AlmaLinux-9.6:nodejs-libs-1:16.20.2-8.el9_6.tuxcare.els9.x86_64"
        },
        "product_reference": "nodejs-libs-1:16.20.2-8.el9_6.tuxcare.els9.x86_64",
        "relates_to_product_reference": "AlmaLinux-9.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nodejs-libs-1:16.20.2-8.el9_6.tuxcare.els9.i686 as a component of AlmaLinux 9.6",
          "product_id": "AlmaLinux-9.6:nodejs-libs-1:16.20.2-8.el9_6.tuxcare.els9.i686"
        },
        "product_reference": "nodejs-libs-1:16.20.2-8.el9_6.tuxcare.els9.i686",
        "relates_to_product_reference": "AlmaLinux-9.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nodejs-docs-1:16.20.2-8.el9_6.tuxcare.els9.noarch as a component of AlmaLinux 9.6",
          "product_id": "AlmaLinux-9.6:nodejs-docs-1:16.20.2-8.el9_6.tuxcare.els9.noarch"
        },
        "product_reference": "nodejs-docs-1:16.20.2-8.el9_6.tuxcare.els9.noarch",
        "relates_to_product_reference": "AlmaLinux-9.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "npm-1:8.19.4_1.16.20.2-8.el9_6.tuxcare.els9.x86_64 as a component of AlmaLinux 9.6",
          "product_id": "AlmaLinux-9.6:npm-1:8.19.4_1.16.20.2-8.el9_6.tuxcare.els9.x86_64"
        },
        "product_reference": "npm-1:8.19.4_1.16.20.2-8.el9_6.tuxcare.els9.x86_64",
        "relates_to_product_reference": "AlmaLinux-9.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nodejs-full-i18n-1:16.20.2-8.el9_6.tuxcare.els9.x86_64 as a component of AlmaLinux 9.6",
          "product_id": "AlmaLinux-9.6:nodejs-full-i18n-1:16.20.2-8.el9_6.tuxcare.els9.x86_64"
        },
        "product_reference": "nodejs-full-i18n-1:16.20.2-8.el9_6.tuxcare.els9.x86_64",
        "relates_to_product_reference": "AlmaLinux-9.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nodejs-1:16.20.2-8.el9_6.tuxcare.els9.x86_64 as a component of AlmaLinux 9.6",
          "product_id": "AlmaLinux-9.6:nodejs-1:16.20.2-8.el9_6.tuxcare.els9.x86_64"
        },
        "product_reference": "nodejs-1:16.20.2-8.el9_6.tuxcare.els9.x86_64",
        "relates_to_product_reference": "AlmaLinux-9.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "v8-devel-2:9.4.146.26_1.16.20.2-8.el9_6.tuxcare.els9.x86_64 as a component of AlmaLinux 9.6",
          "product_id": "AlmaLinux-9.6:v8-devel-2:9.4.146.26_1.16.20.2-8.el9_6.tuxcare.els9.x86_64"
        },
        "product_reference": "v8-devel-2:9.4.146.26_1.16.20.2-8.el9_6.tuxcare.els9.x86_64",
        "relates_to_product_reference": "AlmaLinux-9.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nodejs-devel-1:16.20.2-8.el9_6.tuxcare.els9.x86_64 as a component of AlmaLinux 9.6",
          "product_id": "AlmaLinux-9.6:nodejs-devel-1:16.20.2-8.el9_6.tuxcare.els9.x86_64"
        },
        "product_reference": "nodejs-devel-1:16.20.2-8.el9_6.tuxcare.els9.x86_64",
        "relates_to_product_reference": "AlmaLinux-9.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nodejs-libs-1:16.20.2-8.el9_6.tuxcare.els9.x86_64 as a component of Rocky Linux 9.6",
          "product_id": "Rocky Linux-9.6:nodejs-libs-1:16.20.2-8.el9_6.tuxcare.els9.x86_64"
        },
        "product_reference": "nodejs-libs-1:16.20.2-8.el9_6.tuxcare.els9.x86_64",
        "relates_to_product_reference": "Rocky Linux-9.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nodejs-libs-1:16.20.2-8.el9_6.tuxcare.els9.i686 as a component of Rocky Linux 9.6",
          "product_id": "Rocky Linux-9.6:nodejs-libs-1:16.20.2-8.el9_6.tuxcare.els9.i686"
        },
        "product_reference": "nodejs-libs-1:16.20.2-8.el9_6.tuxcare.els9.i686",
        "relates_to_product_reference": "Rocky Linux-9.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nodejs-docs-1:16.20.2-8.el9_6.tuxcare.els9.noarch as a component of Rocky Linux 9.6",
          "product_id": "Rocky Linux-9.6:nodejs-docs-1:16.20.2-8.el9_6.tuxcare.els9.noarch"
        },
        "product_reference": "nodejs-docs-1:16.20.2-8.el9_6.tuxcare.els9.noarch",
        "relates_to_product_reference": "Rocky Linux-9.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "npm-1:8.19.4_1.16.20.2-8.el9_6.tuxcare.els9.x86_64 as a component of Rocky Linux 9.6",
          "product_id": "Rocky Linux-9.6:npm-1:8.19.4_1.16.20.2-8.el9_6.tuxcare.els9.x86_64"
        },
        "product_reference": "npm-1:8.19.4_1.16.20.2-8.el9_6.tuxcare.els9.x86_64",
        "relates_to_product_reference": "Rocky Linux-9.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nodejs-full-i18n-1:16.20.2-8.el9_6.tuxcare.els9.x86_64 as a component of Rocky Linux 9.6",
          "product_id": "Rocky Linux-9.6:nodejs-full-i18n-1:16.20.2-8.el9_6.tuxcare.els9.x86_64"
        },
        "product_reference": "nodejs-full-i18n-1:16.20.2-8.el9_6.tuxcare.els9.x86_64",
        "relates_to_product_reference": "Rocky Linux-9.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nodejs-1:16.20.2-8.el9_6.tuxcare.els9.x86_64 as a component of Rocky Linux 9.6",
          "product_id": "Rocky Linux-9.6:nodejs-1:16.20.2-8.el9_6.tuxcare.els9.x86_64"
        },
        "product_reference": "nodejs-1:16.20.2-8.el9_6.tuxcare.els9.x86_64",
        "relates_to_product_reference": "Rocky Linux-9.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "v8-devel-2:9.4.146.26_1.16.20.2-8.el9_6.tuxcare.els9.x86_64 as a component of Rocky Linux 9.6",
          "product_id": "Rocky Linux-9.6:v8-devel-2:9.4.146.26_1.16.20.2-8.el9_6.tuxcare.els9.x86_64"
        },
        "product_reference": "v8-devel-2:9.4.146.26_1.16.20.2-8.el9_6.tuxcare.els9.x86_64",
        "relates_to_product_reference": "Rocky Linux-9.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nodejs-devel-1:16.20.2-8.el9_6.tuxcare.els9.x86_64 as a component of Rocky Linux 9.6",
          "product_id": "Rocky Linux-9.6:nodejs-devel-1:16.20.2-8.el9_6.tuxcare.els9.x86_64"
        },
        "product_reference": "nodejs-devel-1:16.20.2-8.el9_6.tuxcare.els9.x86_64",
        "relates_to_product_reference": "Rocky Linux-9.6"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-39333",
      "cwe": {
        "id": "CWE-94",
        "name": "Improper Control of Generation of Code ('Code Injection')"
      },
      "notes": [
        {
          "category": "description",
          "text": "Maliciously crafted export names in an imported WebAssembly module can inject JavaScript code. The injected code may be able to access data and functions that the WebAssembly module itself does not have access to, as if the WebAssembly module were a JavaScript module.\nThis vulnerability affects users of any active release line of Node.js. The vulnerable feature is only available if Node.js is started with the `--experimental-wasm-modules` command line option.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "AlmaLinux-9.6:nodejs-1:16.20.2-8.el9_6.tuxcare.els9.x86_64",
          "AlmaLinux-9.6:nodejs-devel-1:16.20.2-8.el9_6.tuxcare.els9.x86_64",
          "AlmaLinux-9.6:nodejs-docs-1:16.20.2-8.el9_6.tuxcare.els9.noarch",
          "AlmaLinux-9.6:nodejs-full-i18n-1:16.20.2-8.el9_6.tuxcare.els9.x86_64",
          "AlmaLinux-9.6:nodejs-libs-1:16.20.2-8.el9_6.tuxcare.els9.i686",
          "AlmaLinux-9.6:nodejs-libs-1:16.20.2-8.el9_6.tuxcare.els9.x86_64",
          "AlmaLinux-9.6:npm-1:8.19.4_1.16.20.2-8.el9_6.tuxcare.els9.x86_64",
          "AlmaLinux-9.6:v8-devel-2:9.4.146.26_1.16.20.2-8.el9_6.tuxcare.els9.x86_64",
          "Rocky Linux-9.6:nodejs-1:16.20.2-8.el9_6.tuxcare.els9.x86_64",
          "Rocky Linux-9.6:nodejs-devel-1:16.20.2-8.el9_6.tuxcare.els9.x86_64",
          "Rocky Linux-9.6:nodejs-docs-1:16.20.2-8.el9_6.tuxcare.els9.noarch",
          "Rocky Linux-9.6:nodejs-full-i18n-1:16.20.2-8.el9_6.tuxcare.els9.x86_64",
          "Rocky Linux-9.6:nodejs-libs-1:16.20.2-8.el9_6.tuxcare.els9.i686",
          "Rocky Linux-9.6:nodejs-libs-1:16.20.2-8.el9_6.tuxcare.els9.x86_64",
          "Rocky Linux-9.6:npm-1:8.19.4_1.16.20.2-8.el9_6.tuxcare.els9.x86_64",
          "Rocky Linux-9.6:v8-devel-2:9.4.146.26_1.16.20.2-8.el9_6.tuxcare.els9.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2023-39333"
        }
      ],
      "release_date": "2023-10-13T00:00:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-03-04T09:46:40.019203Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1772617597",
          "product_ids": [
            "AlmaLinux-9.6:nodejs-1:16.20.2-8.el9_6.tuxcare.els9.x86_64",
            "AlmaLinux-9.6:nodejs-devel-1:16.20.2-8.el9_6.tuxcare.els9.x86_64",
            "AlmaLinux-9.6:nodejs-docs-1:16.20.2-8.el9_6.tuxcare.els9.noarch",
            "AlmaLinux-9.6:nodejs-full-i18n-1:16.20.2-8.el9_6.tuxcare.els9.x86_64",
            "AlmaLinux-9.6:nodejs-libs-1:16.20.2-8.el9_6.tuxcare.els9.i686",
            "AlmaLinux-9.6:nodejs-libs-1:16.20.2-8.el9_6.tuxcare.els9.x86_64",
            "AlmaLinux-9.6:npm-1:8.19.4_1.16.20.2-8.el9_6.tuxcare.els9.x86_64",
            "AlmaLinux-9.6:v8-devel-2:9.4.146.26_1.16.20.2-8.el9_6.tuxcare.els9.x86_64",
            "Rocky Linux-9.6:nodejs-1:16.20.2-8.el9_6.tuxcare.els9.x86_64",
            "Rocky Linux-9.6:nodejs-devel-1:16.20.2-8.el9_6.tuxcare.els9.x86_64",
            "Rocky Linux-9.6:nodejs-docs-1:16.20.2-8.el9_6.tuxcare.els9.noarch",
            "Rocky Linux-9.6:nodejs-full-i18n-1:16.20.2-8.el9_6.tuxcare.els9.x86_64",
            "Rocky Linux-9.6:nodejs-libs-1:16.20.2-8.el9_6.tuxcare.els9.i686",
            "Rocky Linux-9.6:nodejs-libs-1:16.20.2-8.el9_6.tuxcare.els9.x86_64",
            "Rocky Linux-9.6:npm-1:8.19.4_1.16.20.2-8.el9_6.tuxcare.els9.x86_64",
            "Rocky Linux-9.6:v8-devel-2:9.4.146.26_1.16.20.2-8.el9_6.tuxcare.els9.x86_64"
          ],
          "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1772617597"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "AlmaLinux-9.6:nodejs-1:16.20.2-8.el9_6.tuxcare.els9.x86_64",
            "AlmaLinux-9.6:nodejs-devel-1:16.20.2-8.el9_6.tuxcare.els9.x86_64",
            "AlmaLinux-9.6:nodejs-docs-1:16.20.2-8.el9_6.tuxcare.els9.noarch",
            "AlmaLinux-9.6:nodejs-full-i18n-1:16.20.2-8.el9_6.tuxcare.els9.x86_64",
            "AlmaLinux-9.6:nodejs-libs-1:16.20.2-8.el9_6.tuxcare.els9.i686",
            "AlmaLinux-9.6:nodejs-libs-1:16.20.2-8.el9_6.tuxcare.els9.x86_64",
            "AlmaLinux-9.6:npm-1:8.19.4_1.16.20.2-8.el9_6.tuxcare.els9.x86_64",
            "AlmaLinux-9.6:v8-devel-2:9.4.146.26_1.16.20.2-8.el9_6.tuxcare.els9.x86_64",
            "Rocky Linux-9.6:nodejs-1:16.20.2-8.el9_6.tuxcare.els9.x86_64",
            "Rocky Linux-9.6:nodejs-devel-1:16.20.2-8.el9_6.tuxcare.els9.x86_64",
            "Rocky Linux-9.6:nodejs-docs-1:16.20.2-8.el9_6.tuxcare.els9.noarch",
            "Rocky Linux-9.6:nodejs-full-i18n-1:16.20.2-8.el9_6.tuxcare.els9.x86_64",
            "Rocky Linux-9.6:nodejs-libs-1:16.20.2-8.el9_6.tuxcare.els9.i686",
            "Rocky Linux-9.6:nodejs-libs-1:16.20.2-8.el9_6.tuxcare.els9.x86_64",
            "Rocky Linux-9.6:npm-1:8.19.4_1.16.20.2-8.el9_6.tuxcare.els9.x86_64",
            "Rocky Linux-9.6:v8-devel-2:9.4.146.26_1.16.20.2-8.el9_6.tuxcare.els9.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ]
    },
    {
      "cve": "CVE-2025-22150",
      "cwe": {
        "id": "CWE-330",
        "name": "Use of Insufficiently Random Values"
      },
      "notes": [
        {
          "category": "description",
          "text": "Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to versions 5.28.5, 6.21.1, and 7.2.3, undici uses `Math.random()` to choose the boundary for a multipart/form-data request. It is known that the output of `Math.random()` can be predicted if several of its generated values are known. If there is a mechanism in an app that sends multipart requests to an attacker-controlled website, the attacker can use this to leak the necessary values. Therefore, an attacker can tamper with the requests going to the backend APIs if certain conditions are met. This is fixed in versions 5.28.5, 6.21.1, and 7.2.3. As a workaround, do not issue multipart requests to attacker-controlled servers.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "AlmaLinux-9.6:nodejs-1:16.20.2-8.el9_6.tuxcare.els9.x86_64",
          "AlmaLinux-9.6:nodejs-devel-1:16.20.2-8.el9_6.tuxcare.els9.x86_64",
          "AlmaLinux-9.6:nodejs-docs-1:16.20.2-8.el9_6.tuxcare.els9.noarch",
          "AlmaLinux-9.6:nodejs-full-i18n-1:16.20.2-8.el9_6.tuxcare.els9.x86_64",
          "AlmaLinux-9.6:nodejs-libs-1:16.20.2-8.el9_6.tuxcare.els9.i686",
          "AlmaLinux-9.6:nodejs-libs-1:16.20.2-8.el9_6.tuxcare.els9.x86_64",
          "AlmaLinux-9.6:npm-1:8.19.4_1.16.20.2-8.el9_6.tuxcare.els9.x86_64",
          "AlmaLinux-9.6:v8-devel-2:9.4.146.26_1.16.20.2-8.el9_6.tuxcare.els9.x86_64",
          "Rocky Linux-9.6:nodejs-1:16.20.2-8.el9_6.tuxcare.els9.x86_64",
          "Rocky Linux-9.6:nodejs-devel-1:16.20.2-8.el9_6.tuxcare.els9.x86_64",
          "Rocky Linux-9.6:nodejs-docs-1:16.20.2-8.el9_6.tuxcare.els9.noarch",
          "Rocky Linux-9.6:nodejs-full-i18n-1:16.20.2-8.el9_6.tuxcare.els9.x86_64",
          "Rocky Linux-9.6:nodejs-libs-1:16.20.2-8.el9_6.tuxcare.els9.i686",
          "Rocky Linux-9.6:nodejs-libs-1:16.20.2-8.el9_6.tuxcare.els9.x86_64",
          "Rocky Linux-9.6:npm-1:8.19.4_1.16.20.2-8.el9_6.tuxcare.els9.x86_64",
          "Rocky Linux-9.6:v8-devel-2:9.4.146.26_1.16.20.2-8.el9_6.tuxcare.els9.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2025-22150"
        }
      ],
      "release_date": "2025-01-21T17:46:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-03-04T09:46:40.019203Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1772617597",
          "product_ids": [
            "AlmaLinux-9.6:nodejs-1:16.20.2-8.el9_6.tuxcare.els9.x86_64",
            "AlmaLinux-9.6:nodejs-devel-1:16.20.2-8.el9_6.tuxcare.els9.x86_64",
            "AlmaLinux-9.6:nodejs-docs-1:16.20.2-8.el9_6.tuxcare.els9.noarch",
            "AlmaLinux-9.6:nodejs-full-i18n-1:16.20.2-8.el9_6.tuxcare.els9.x86_64",
            "AlmaLinux-9.6:nodejs-libs-1:16.20.2-8.el9_6.tuxcare.els9.i686",
            "AlmaLinux-9.6:nodejs-libs-1:16.20.2-8.el9_6.tuxcare.els9.x86_64",
            "AlmaLinux-9.6:npm-1:8.19.4_1.16.20.2-8.el9_6.tuxcare.els9.x86_64",
            "AlmaLinux-9.6:v8-devel-2:9.4.146.26_1.16.20.2-8.el9_6.tuxcare.els9.x86_64",
            "Rocky Linux-9.6:nodejs-1:16.20.2-8.el9_6.tuxcare.els9.x86_64",
            "Rocky Linux-9.6:nodejs-devel-1:16.20.2-8.el9_6.tuxcare.els9.x86_64",
            "Rocky Linux-9.6:nodejs-docs-1:16.20.2-8.el9_6.tuxcare.els9.noarch",
            "Rocky Linux-9.6:nodejs-full-i18n-1:16.20.2-8.el9_6.tuxcare.els9.x86_64",
            "Rocky Linux-9.6:nodejs-libs-1:16.20.2-8.el9_6.tuxcare.els9.i686",
            "Rocky Linux-9.6:nodejs-libs-1:16.20.2-8.el9_6.tuxcare.els9.x86_64",
            "Rocky Linux-9.6:npm-1:8.19.4_1.16.20.2-8.el9_6.tuxcare.els9.x86_64",
            "Rocky Linux-9.6:v8-devel-2:9.4.146.26_1.16.20.2-8.el9_6.tuxcare.els9.x86_64"
          ],
          "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1772617597"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "AlmaLinux-9.6:nodejs-1:16.20.2-8.el9_6.tuxcare.els9.x86_64",
            "AlmaLinux-9.6:nodejs-devel-1:16.20.2-8.el9_6.tuxcare.els9.x86_64",
            "AlmaLinux-9.6:nodejs-docs-1:16.20.2-8.el9_6.tuxcare.els9.noarch",
            "AlmaLinux-9.6:nodejs-full-i18n-1:16.20.2-8.el9_6.tuxcare.els9.x86_64",
            "AlmaLinux-9.6:nodejs-libs-1:16.20.2-8.el9_6.tuxcare.els9.i686",
            "AlmaLinux-9.6:nodejs-libs-1:16.20.2-8.el9_6.tuxcare.els9.x86_64",
            "AlmaLinux-9.6:npm-1:8.19.4_1.16.20.2-8.el9_6.tuxcare.els9.x86_64",
            "AlmaLinux-9.6:v8-devel-2:9.4.146.26_1.16.20.2-8.el9_6.tuxcare.els9.x86_64",
            "Rocky Linux-9.6:nodejs-1:16.20.2-8.el9_6.tuxcare.els9.x86_64",
            "Rocky Linux-9.6:nodejs-devel-1:16.20.2-8.el9_6.tuxcare.els9.x86_64",
            "Rocky Linux-9.6:nodejs-docs-1:16.20.2-8.el9_6.tuxcare.els9.noarch",
            "Rocky Linux-9.6:nodejs-full-i18n-1:16.20.2-8.el9_6.tuxcare.els9.x86_64",
            "Rocky Linux-9.6:nodejs-libs-1:16.20.2-8.el9_6.tuxcare.els9.i686",
            "Rocky Linux-9.6:nodejs-libs-1:16.20.2-8.el9_6.tuxcare.els9.x86_64",
            "Rocky Linux-9.6:npm-1:8.19.4_1.16.20.2-8.el9_6.tuxcare.els9.x86_64",
            "Rocky Linux-9.6:v8-devel-2:9.4.146.26_1.16.20.2-8.el9_6.tuxcare.els9.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ]
    }
  ]
}