nodejs20 (SUSE:Linux Enterprise Server for SAP Applications 15 SP5) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the SUSE:Linux Enterprise Server for SAP Applications 15 SP5 package nodejs20, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (19)
CVE-2025-55130 — CVSS 9.1 (critical): A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted…
CVE-2025-23083 — CVSS 7.7 (high): With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created. This is not limited only…
CVE-2026-21637 — CVSS 7.5 (high): A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or…
CVE-2025-23166 — CVSS 7.5 (high): The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background…
CVE-2025-59466 — CVSS 7.5 (high): We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when…
CVE-2025-59465 — CVSS 7.5 (high): A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket`…
CVE-2026-21710 — CVSS 7.5 (high): A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the…
CVE-2025-55131 — CVSS 7.1 (high): A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module…
CVE-2025-22150 — CVSS 6.8 (medium): Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to versions 5.28.5, 6.21.1, and 7.2.3, undici uses `Math.random()` to…
CVE-2025-23167 — CVSS 6.5 (medium): A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `\r\n\rX` instead of the required `\r\n\r\n`. This…
CVE-2026-21713 — CVSS 5.9 (medium): A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking…
CVE-2026-22036 — CVSS 5.9 (medium): Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the…
CVE-2026-21717 — CVSS 5.9 (medium): A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially…
CVE-2026-21714 — CVSS 5.3 (medium): A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow…
CVE-2025-23085 — CVSS 5.3 (medium): A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid…
CVE-2025-55132 — CVSS 5.3 (medium): A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via `futimes()` even when the process…
CVE-2025-23165 — CVSS 3.7 (low): In Node.js, the `ReadFileUtf8` internal binding leaks memory due to a corrupted pointer in `uv_fs_s.file`: a UTF-16 path buffer is…
CVE-2026-21716 — CVSS 3.3 (low): An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and `FileHandle.chown()` in the promises API without the required…
CVE-2026-21715 — CVSS 3.3 (low): A flaw in Node.js Permission Model filesystem enforcement leaves `fs.realpathSync.native()` without the required read permission checks…