nodejs20 (SUSE:Linux Enterprise Module for Web and Scripting 15 SP6) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the SUSE:Linux Enterprise Module for Web and Scripting 15 SP6 package nodejs20, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (13)
CVE-2024-27980 — CVSS 8.1 (high): Due to the improper handling of batch files in child_process.spawn / child_process.spawnSync, a malicious command line argument can inject…
CVE-2024-36138 — CVSS 8.1 (high): Bypass incomplete fix of CVE-2024-27980, that arises from improper handling of batch files with all possible extensions on Windows via…
CVE-2025-23083 — CVSS 7.7 (high): With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created. This is not limited only…
CVE-2024-21538 — CVSS 7.5 (high): Versions of the package cross-spawn before 6.0.6, from 7.0.0 and before 7.0.5 are vulnerable to Regular Expression Denial of Service…
CVE-2025-23166 — CVSS 7.5 (high): The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background…
CVE-2025-22150 — CVSS 6.8 (medium): Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to versions 5.28.5, 6.21.1, and 7.2.3, undici uses `Math.random()` to…
CVE-2025-23167 — CVSS 6.5 (medium): A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `\r\n\rX` instead of the required `\r\n\r\n`. This…
CVE-2024-22020 — CVSS 6.5 (medium): A security flaw in Node.js allows a bypass of network import restrictions. By embedding non-network imports in data URLs, an attacker can…
CVE-2025-23085 — CVSS 5.3 (medium): A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid…
CVE-2025-23165 — CVSS 3.7 (low): In Node.js, the `ReadFileUtf8` internal binding leaks memory due to a corrupted pointer in `uv_fs_s.file`: a UTF-16 path buffer is…
CVE-2024-37372 — CVSS 3.6 (low): The Permission Model assumes that any path starting with two backslashes \ has a four-character prefix that can be ignored, which is not…
CVE-2024-36137 — CVSS 3.3 (low): A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-write flag is…
CVE-2024-22018 — CVSS 2.9 (low): A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-read flag is used…