Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Uncaught Exception in the SignTraits::DeriveBits() function, which incorrectly invokes ThrowException() based on user inputs when executing in a background thread. This allows an attacker to trigger a runtime crash.

Note: The cryptographic operations involved are commonly applied to untrusted input.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade node to version 20.19.2, 22.15.1, 23.11.1, 24.0.2 or higher.

References

• GitHub Commit
• GitHub Commit
• HackerOne Report
• Node.js Advisory

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Uncaught Exception due to the unhandled TLSSocket error ECONNRESET. An attacker can cause application crash by passing malformed HTTP/2 HEADERS frame with oversized, invalid HPACK data.

Note:

This issue primary affects applications without explicit error handlers to secure sockets.

Remediation

Upgrade node to version 20.20.0, 22.22.0, 24.13.0, 25.3.0 or higher.

References

• GitHub Commit
• NodeJS Security Advisory

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Directory Traversal in the path.join function. An attacker can bypass the path traversal protection and access restricted files by crafting specific path inputs that leverage Windows reserved driver names such as CON, PRN, and AUX.

Note: This issue only affects Windows systems and is a result of an incomplete fix for CVE-2025-23084

Details

A Directory Traversal attack (also known as path traversal) aims to access files and directories that are stored outside the intended folder. By manipulating files with "dot-dot-slash (../)" sequences and its variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system, including application source code, configuration, and other critical system files.

Directory Traversal vulnerabilities can be generally divided into two types:

• Information Disclosure: Allows the attacker to gain information about the folder structure or read the contents of sensitive files on the system.

st is a module for serving static files on web pages, and contains a vulnerability of this type. In our example, we will serve files from the public route.

If an attacker requests the following URL from our server, it will in turn leak the sensitive private key of the root user.

curl http://localhost:8080/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/root/.ssh/id_rsa

Note %2e is the URL encoded version of . (dot).

• Writing arbitrary files: Allows the attacker to create or replace existing files. This type of vulnerability is also known as Zip-Slip.

One way to achieve this is by using a malicious zip archive that holds path traversal filenames. When each filename in the zip archive gets concatenated to the target extraction folder, without validation, the final path ends up outside of the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily.

The following is an example of a zip archive with one benign file and one malicious file. Extracting the malicious file will result in traversing out of the target folder, ending up in /root/.ssh/ overwriting the authorized_keys file:

2018-04-15 22:04:29 .....           19           19  good.txt
2018-04-15 22:04:42 .....           20           20  ../../../../../../root/.ssh/authorized_keys

Remediation

Upgrade node to version 20.19.4, 22.17.1, 24.4.1 or higher.

References

• GitHub Commit
• GitHub Commit
• GitHub Commit
• Node.js Security Advisory
• Exploit DB

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Reliance on Undefined, Unspecified, or Implementation-Defined Behavior due to a flaw in error handling when async_hooks (or AsyncLocalStorage) is enabled. Normally, a "Maximum call stack size exceeded" error (stack overflow) is catchable by try-catch blocks or uncaughtException handlers. However, if this error occurs while an async_hooks callback is on the stack (which happens frequently in frameworks like Next.js or when using APM tools), Node.js treats it as a fatal error. Remote attackers can trigger this crash by sending payloads that cause deep recursion (e.g., deeply nested JSON objects), leading to a Denial of Service.

Notes:

1. Node.js 24.x and 25.x are less affected if using only AsyncLocalStorage, as they use a newer V8 feature that avoids this hook mechanism;

2. The patch improves recoverability in one edge case, but it does not remove the broader risk. Recovery from space exhaustion is unspecified, best‑effort behavior and is not a reliable basis for availability or security.

PoC

import { createHook } from 'node:async_hooks';

// This simulates what APM tools do
createHook({ init() {} }).enable();

function recursive() {
  new Promise(() => {}); // Creates async context
  return recursive();
}

try {
  recursive();
} catch (err) {
  console.log('This never runs', err);
}

Remediation

Upgrade node to version 20.20.0, 22.22.0, 24.13.0, 25.3.0 or higher.

References

• Blog Post
• GitHub Commit
• Node.js Security Releases

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Code Injection due to the incorrect handling of environment variables on Linux when the process is running with elevated privileges that the current user lacks (does not apply to CAP_NET_BIND_SERVICE).

Remediation

Upgrade node to version 18.19.1, 20.11.1, 21.6.2 or higher.

References

• GitHub Commit
• GitHub Commit
• GitHub Commit
• RedHat Bugzilla Bug

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to UNIX Symbolic Link (Symlink) Following in the fs.symlink() function. An attacker can escape the allowed path and read/write sensitive files by chaining directories and symlinks, bypassing --allow-fs-read and --allow-fs-write restrictions.

Remediation

Upgrade node to version 20.20.0, 22.22.0, 24.13.0, 25.3.0 or higher.

References

• GitHub Commit
• NodeJS Security Advisory

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to a lack of safeguards on chunk extension bytes. The server may read an unbounded number of bytes from a single connection, which allows an attacker to cause denial of service via CPU and network bandwidth exhaustion.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade node to version 18.19.1, 20.11.1, 21.6.2 or higher.

References

• GitHub Commit
• GitHub Commit
• GitHub Commit
• RedHat Bugzilla Bug

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to a race condition in Http2Session when nghttp2 data is left in memory after a connection is reset while processing HTTP/2 CONTINUATION frames. An attacker can cause denial of service by sending such frames then triggering the Http2Session destructor.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade node to version 18.20.1, 20.12.1, 21.7.2 or higher.

References

• CERT/CC Advisory
• GitHub Commit
• GitHub Commit
• GitHub Commit
• Node.js Release Notes
• RedHat Bugzilla Bug
• Vulnerability Report

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. See How to fix? for Alpine:3.15 relevant fixed versions and status.

The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data. If the function succeeds then the "name_out", "header" and "data" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. This could be exploited by an attacker who has the ability to supply malicious PEM files for parsing to achieve a denial of service attack.

The functions PEM_read_bio() and PEM_read() are simple wrappers around PEM_read_bio_ex() and therefore these functions are also directly affected.

These functions are also called indirectly by a number of other OpenSSL functions including PEM_X509_INFO_read_bio_ex() and SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal uses of these functions are not vulnerable because the caller does not free the header argument if PEM_read_bio_ex() returns a failure code. These locations include the PEM_read_bio_TYPE() functions as well as the decoders introduced in OpenSSL 3.0.

The OpenSSL asn1parse command line application is also impacted by this issue.

Remediation

Upgrade Alpine:3.15 openssl to version 1.1.1t-r0 or higher.

References

• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=63bcf189be73a9cc1264059bed6f57974be74a83
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=bbcf509bd046b34cca19c766bbddc31683d0858b
• https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0003
• https://security.gentoo.org/glsa/202402-08
• https://www.openssl.org/news/secadv/20230207.txt

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. See How to fix? for Alpine:3.15 relevant fixed versions and status.

A security vulnerability has been identified in all supported versions

of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. Attackers may be able to exploit this vulnerability by creating a malicious certificate chain that triggers exponential use of computational resources, leading to a denial-of-service (DoS) attack on affected systems.

Policy processing is disabled by default but can be enabled by passing the -policy' argument to the command line utilities or by calling the X509_VERIFY_PARAM_set1_policies()' function.

Remediation

Upgrade Alpine:3.15 openssl to version 1.1.1t-r2 or higher.

References

• https://security.netapp.com/advisory/ntap-20230406-0006/
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2017771e2db3e2b96f89bbe8766c3209f6a99545
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2dcd4f1e3115f38cefa43e3efbe9b801c27e642e
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=879f7080d7e141f415c79eaa3a8ac4a3dad0348b
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=959c59c7a0164117e7f8366466a32bb1f8d77ff1
• https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html
• https://security.gentoo.org/glsa/202402-08
• https://security.netapp.com/advisory/ntap-20240621-0006/
• https://www.couchbase.com/alerts/
• https://www.debian.org/security/2023/dsa-5417
• https://www.openssl.org/news/secadv/20230322.txt

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. See How to fix? for Alpine:3.15 relevant fixed versions and status.

The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications.

The function receives a BIO from the caller, prepends a new BIO_f_asn1 filter BIO onto the front of it to form a BIO chain, and then returns the new head of the BIO chain to the caller. Under certain conditions, for example if a CMS recipient public key is invalid, the new filter BIO is freed and the function returns a NULL result indicating a failure. However, in this case, the BIO chain is not properly cleaned up and the BIO passed by the caller still retains internal pointers to the previously freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO then a use-after-free will occur. This will most likely result in a crash.

This scenario occurs directly in the internal function B64_write_ASN1() which may cause BIO_new_NDEF() to be called and will subsequently call BIO_pop() on the BIO. This internal function is in turn called by the public API functions PEM_write_bio_ASN1_stream, PEM_write_bio_CMS_stream, PEM_write_bio_PKCS7_stream, SMIME_write_ASN1, SMIME_write_CMS and SMIME_write_PKCS7.

Other public API functions that may be impacted by this include i2d_ASN1_bio_stream, BIO_new_CMS, BIO_new_PKCS7, i2d_CMS_bio_stream and i2d_PKCS7_bio_stream.

The OpenSSL cms and smime command line applications are similarly affected.

Remediation

Upgrade Alpine:3.15 openssl to version 1.1.1t-r0 or higher.

References

• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8818064ce3c3c0f1b740a5aaba2a987e75bfbafd
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9816136fe31d92ace4037d5da5257f763aeeb4eb
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=c3829dd8825c654652201e16f8a0a0c46ee3f344
• https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0003
• https://security.gentoo.org/glsa/202402-08
• https://security.netapp.com/advisory/ntap-20230427-0007/
• https://security.netapp.com/advisory/ntap-20230427-0009/
• https://security.netapp.com/advisory/ntap-20240621-0006/
• https://www.openssl.org/news/secadv/20230207.txt

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. See How to fix? for Alpine:3.15 relevant fixed versions and status.

There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING.

When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network.

Remediation

Upgrade Alpine:3.15 openssl to version 1.1.1t-r0 or higher.

References

• https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.6.2-relnotes.txt
• https://ftp.openbsd.org/pub/OpenBSD/patches/7.2/common/018_x509.patch.sig
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2c6c9d439b484e1ba9830d8454a34fa4f80fdfe9
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2f7530077e0ef79d98718138716bc51ca0cad658
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fd2af07dc083a350c959147097003a14a5e8ac4d
• https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0003
• https://security.gentoo.org/glsa/202402-08
• https://www.openssl.org/news/secadv/20230207.txt

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Server-Side Request Forgery (SSRF) due to the handling of the hostname_ascii variable in the uv_getaddrinfo function. Attackers can exploit the creation of addresses that bypass developer checks and resolve to unintended IP addresses, to access internal APIs or for websites that allow users to have username.example.com pages, potentially exposing internal services to attacks.

Notes:

1. Depending on the build and runtime environment, it can lead to different exploitation scenarios:

The last byte of the hostname is a random value (0-256) but identical in successive calls, and the subsequent byte is a null byte. This situation can be exploited through brute force, especially in production environments where many Node.js instances run in parallel (pm2, kubernetes, etc).

Since the last byte is random, there are cases where it's one of 0-9a-f, which makes 16 possible cases (out of 256) useful for calling localhost (127.0.0.x) and potentially bypassing security measures on internal APIs. The same is true for calling other IP-ranges.

2. When deployed in an environment with multiple pods (e.g., Kubernetes), is vulnerable to the attack described above, potentially allowing unauthorized access to internal APIs.

Remediation

Upgrade node to version 18.19.1, 20.11.1, 21.6.2 or higher.

References

• GitHub Commit
• GitHub Commit
• GitHub Commit
• GitHub Commit

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Improper Control of Generation of Code ('Code Injection') due to the improper handling of batch files in child_process.spawn or child_process.spawnSync. An attacker can inject arbitrary commands and achieve code execution even if the shell option is not enabled.

Note: This vulnerability only affects Windows machines.

Remediation

Upgrade node to version 18.20.2, 20.12.2, 21.7.3 or higher.

References

• GitHub Commit
• Node.js