{ "document":{ "aggregate_severity":{ "namespace":"https://nvd.nist.gov/vuln-metrics/cvss", "text":"Medium" }, "category":"csaf_vex", "csaf_version":"2.0", "distribution":{ "tlp":{ "label":"WHITE", "url":"https:/www.first.org/tlp/" } }, "lang":"en", "notes":[ { "text":"nodejs security update", "category":"general", "title":"Synopsis" }, { "text":"An update for nodejs is now available for openEuler-24.03-LTS-SP1", "category":"general", "title":"Summary" }, { "text":"Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices.\n\nSecurity Fix(es):\n\nA vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-read flag is used.\nThis flaw arises from an inadequate permission model that fails to restrict file stats through the fs.lstat API. As a result, malicious actors can retrieve stats from files that they do not have explicit read access to.\nThis vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21.\nPlease note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.(CVE-2024-22018)\n\nA security flaw in Node.js allows a bypass of network import restrictions.\nBy embedding non-network imports in data URLs, an attacker can execute arbitrary code, compromising system security.\nVerified on various platforms, the vulnerability is mitigated by forbidding data URLs in network imports.\nExploiting this flaw can violate network import security, posing a risk to developers and servers.(CVE-2024-22020)", "category":"general", "title":"Description" }, { "text":"An update for nodejs is now available for master/openEuler-20.03-LTS-SP4/openEuler-22.03-LTS-SP3/openEuler-22.03-LTS-SP4/openEuler-24.03-LTS/openEuler-24.03-LTS-Next/openEuler-24.03-LTS-SP1.\n\nopenEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.", "category":"general", "title":"Topic" }, { "text":"Medium", "category":"general", "title":"Severity" }, { "text":"nodejs", "category":"general", "title":"Affected Component" } ], "publisher":{ "issuing_authority":"openEuler security committee", "name":"openEuler", "namespace":"https://www.openeuler.org", "contact_details":"openeuler-security@openeuler.org", "category":"vendor" }, "references":[ { "summary":"openEuler-SA-2025-1200", "category":"self", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1200" }, { "summary":"CVE-2024-22018", "category":"self", "url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-22018&packageName=nodejs" }, { "summary":"CVE-2024-22020", "category":"self", "url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-22020&packageName=nodejs" }, { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2024-22018" }, { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2024-22020" }, { "summary":"openEuler-SA-2025-1200 vex file", "category":"self", "url":"https://repo.openeuler.org/security/data/csaf/advisories/2025/csaf-openeuler-sa-2025-1200.json" } ], "title":"An update for nodejs is now available for openEuler-24.03-LTS-SP1", "tracking":{ "initial_release_date":"2025-03-04T15:58:28+08:00", "revision_history":[ { "date":"2025-03-04T15:58:28+08:00", "summary":"Initial", "number":"1.0.0" } ], "generator":{ "date":"2025-03-04T15:58:28+08:00", "engine":{ "name":"openEuler CSAF Tool V1.0" } }, "current_release_date":"2025-03-04T15:58:28+08:00", "id":"openEuler-SA-2025-1200", "version":"1.0.0", "status":"final" } }, "product_tree":{ "branches":[ { "name":"openEuler", "category":"vendor", "branches":[ { "name":"openEuler", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"openEuler-24.03-LTS-SP1", "name":"openEuler-24.03-LTS-SP1" }, "name":"openEuler-24.03-LTS-SP1", "category":"product_version" } ], "category":"product_name" }, { "name":"x86_64", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"nodejs-20.18.2-1.oe2403sp1.x86_64.rpm", "name":"nodejs-20.18.2-1.oe2403sp1.x86_64.rpm" }, "name":"nodejs-20.18.2-1.oe2403sp1.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"nodejs-debuginfo-20.18.2-1.oe2403sp1.x86_64.rpm", "name":"nodejs-debuginfo-20.18.2-1.oe2403sp1.x86_64.rpm" }, "name":"nodejs-debuginfo-20.18.2-1.oe2403sp1.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"nodejs-debugsource-20.18.2-1.oe2403sp1.x86_64.rpm", "name":"nodejs-debugsource-20.18.2-1.oe2403sp1.x86_64.rpm" }, "name":"nodejs-debugsource-20.18.2-1.oe2403sp1.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"nodejs-devel-20.18.2-1.oe2403sp1.x86_64.rpm", "name":"nodejs-devel-20.18.2-1.oe2403sp1.x86_64.rpm" }, "name":"nodejs-devel-20.18.2-1.oe2403sp1.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"nodejs-full-i18n-20.18.2-1.oe2403sp1.x86_64.rpm", "name":"nodejs-full-i18n-20.18.2-1.oe2403sp1.x86_64.rpm" }, "name":"nodejs-full-i18n-20.18.2-1.oe2403sp1.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"nodejs-libs-20.18.2-1.oe2403sp1.x86_64.rpm", "name":"nodejs-libs-20.18.2-1.oe2403sp1.x86_64.rpm" }, "name":"nodejs-libs-20.18.2-1.oe2403sp1.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"npm-10.8.2-1.20.18.2.1.oe2403sp1.x86_64.rpm", "name":"npm-10.8.2-1.20.18.2.1.oe2403sp1.x86_64.rpm" }, "name":"npm-10.8.2-1.20.18.2.1.oe2403sp1.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"v8-devel-11.3.244.8-1.20.18.2.1.oe2403sp1.x86_64.rpm", "name":"v8-devel-11.3.244.8-1.20.18.2.1.oe2403sp1.x86_64.rpm" }, "name":"v8-devel-11.3.244.8-1.20.18.2.1.oe2403sp1.x86_64.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"noarch", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"nodejs-docs-20.18.2-1.oe2403sp1.noarch.rpm", "name":"nodejs-docs-20.18.2-1.oe2403sp1.noarch.rpm" }, "name":"nodejs-docs-20.18.2-1.oe2403sp1.noarch.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"aarch64", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"nodejs-20.18.2-1.oe2403sp1.aarch64.rpm", "name":"nodejs-20.18.2-1.oe2403sp1.aarch64.rpm" }, "name":"nodejs-20.18.2-1.oe2403sp1.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"nodejs-debuginfo-20.18.2-1.oe2403sp1.aarch64.rpm", "name":"nodejs-debuginfo-20.18.2-1.oe2403sp1.aarch64.rpm" }, "name":"nodejs-debuginfo-20.18.2-1.oe2403sp1.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"nodejs-debugsource-20.18.2-1.oe2403sp1.aarch64.rpm", "name":"nodejs-debugsource-20.18.2-1.oe2403sp1.aarch64.rpm" }, "name":"nodejs-debugsource-20.18.2-1.oe2403sp1.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"nodejs-devel-20.18.2-1.oe2403sp1.aarch64.rpm", "name":"nodejs-devel-20.18.2-1.oe2403sp1.aarch64.rpm" }, "name":"nodejs-devel-20.18.2-1.oe2403sp1.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"nodejs-full-i18n-20.18.2-1.oe2403sp1.aarch64.rpm", "name":"nodejs-full-i18n-20.18.2-1.oe2403sp1.aarch64.rpm" }, "name":"nodejs-full-i18n-20.18.2-1.oe2403sp1.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"nodejs-libs-20.18.2-1.oe2403sp1.aarch64.rpm", "name":"nodejs-libs-20.18.2-1.oe2403sp1.aarch64.rpm" }, "name":"nodejs-libs-20.18.2-1.oe2403sp1.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"npm-10.8.2-1.20.18.2.1.oe2403sp1.aarch64.rpm", "name":"npm-10.8.2-1.20.18.2.1.oe2403sp1.aarch64.rpm" }, "name":"npm-10.8.2-1.20.18.2.1.oe2403sp1.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"v8-devel-11.3.244.8-1.20.18.2.1.oe2403sp1.aarch64.rpm", "name":"v8-devel-11.3.244.8-1.20.18.2.1.oe2403sp1.aarch64.rpm" }, "name":"v8-devel-11.3.244.8-1.20.18.2.1.oe2403sp1.aarch64.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"src", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"nodejs-20.18.2-1.oe2403sp1.src.rpm", "name":"nodejs-20.18.2-1.oe2403sp1.src.rpm" }, "name":"nodejs-20.18.2-1.oe2403sp1.src.rpm", "category":"product_version" } ], "category":"architecture" } ] } ], "relationships":[ { "relates_to_product_reference":"openEuler-24.03-LTS-SP1", "product_reference":"nodejs-20.18.2-1.oe2403sp1.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP1:nodejs-20.18.2-1.oe2403sp1.x86_64", "name":"nodejs-20.18.2-1.oe2403sp1.x86_64 as a component of openEuler-24.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP1", "product_reference":"nodejs-debuginfo-20.18.2-1.oe2403sp1.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP1:nodejs-debuginfo-20.18.2-1.oe2403sp1.x86_64", "name":"nodejs-debuginfo-20.18.2-1.oe2403sp1.x86_64 as a component of openEuler-24.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP1", "product_reference":"nodejs-debugsource-20.18.2-1.oe2403sp1.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP1:nodejs-debugsource-20.18.2-1.oe2403sp1.x86_64", "name":"nodejs-debugsource-20.18.2-1.oe2403sp1.x86_64 as a component of openEuler-24.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP1", "product_reference":"nodejs-devel-20.18.2-1.oe2403sp1.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP1:nodejs-devel-20.18.2-1.oe2403sp1.x86_64", "name":"nodejs-devel-20.18.2-1.oe2403sp1.x86_64 as a component of openEuler-24.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP1", "product_reference":"nodejs-full-i18n-20.18.2-1.oe2403sp1.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP1:nodejs-full-i18n-20.18.2-1.oe2403sp1.x86_64", "name":"nodejs-full-i18n-20.18.2-1.oe2403sp1.x86_64 as a component of openEuler-24.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP1", "product_reference":"nodejs-libs-20.18.2-1.oe2403sp1.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP1:nodejs-libs-20.18.2-1.oe2403sp1.x86_64", "name":"nodejs-libs-20.18.2-1.oe2403sp1.x86_64 as a component of openEuler-24.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP1", "product_reference":"npm-10.8.2-1.20.18.2.1.oe2403sp1.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP1:npm-10.8.2-1.20.18.2.1.oe2403sp1.x86_64", "name":"npm-10.8.2-1.20.18.2.1.oe2403sp1.x86_64 as a component of openEuler-24.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP1", "product_reference":"v8-devel-11.3.244.8-1.20.18.2.1.oe2403sp1.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP1:v8-devel-11.3.244.8-1.20.18.2.1.oe2403sp1.x86_64", "name":"v8-devel-11.3.244.8-1.20.18.2.1.oe2403sp1.x86_64 as a component of openEuler-24.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP1", "product_reference":"nodejs-docs-20.18.2-1.oe2403sp1.noarch.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP1:nodejs-docs-20.18.2-1.oe2403sp1.noarch", "name":"nodejs-docs-20.18.2-1.oe2403sp1.noarch as a component of openEuler-24.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP1", "product_reference":"nodejs-20.18.2-1.oe2403sp1.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP1:nodejs-20.18.2-1.oe2403sp1.aarch64", "name":"nodejs-20.18.2-1.oe2403sp1.aarch64 as a component of openEuler-24.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP1", "product_reference":"nodejs-debuginfo-20.18.2-1.oe2403sp1.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP1:nodejs-debuginfo-20.18.2-1.oe2403sp1.aarch64", "name":"nodejs-debuginfo-20.18.2-1.oe2403sp1.aarch64 as a component of openEuler-24.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP1", "product_reference":"nodejs-debugsource-20.18.2-1.oe2403sp1.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP1:nodejs-debugsource-20.18.2-1.oe2403sp1.aarch64", "name":"nodejs-debugsource-20.18.2-1.oe2403sp1.aarch64 as a component of openEuler-24.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP1", "product_reference":"nodejs-devel-20.18.2-1.oe2403sp1.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP1:nodejs-devel-20.18.2-1.oe2403sp1.aarch64", "name":"nodejs-devel-20.18.2-1.oe2403sp1.aarch64 as a component of openEuler-24.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP1", "product_reference":"nodejs-full-i18n-20.18.2-1.oe2403sp1.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP1:nodejs-full-i18n-20.18.2-1.oe2403sp1.aarch64", "name":"nodejs-full-i18n-20.18.2-1.oe2403sp1.aarch64 as a component of openEuler-24.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP1", "product_reference":"nodejs-libs-20.18.2-1.oe2403sp1.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP1:nodejs-libs-20.18.2-1.oe2403sp1.aarch64", "name":"nodejs-libs-20.18.2-1.oe2403sp1.aarch64 as a component of openEuler-24.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP1", "product_reference":"npm-10.8.2-1.20.18.2.1.oe2403sp1.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP1:npm-10.8.2-1.20.18.2.1.oe2403sp1.aarch64", "name":"npm-10.8.2-1.20.18.2.1.oe2403sp1.aarch64 as a component of openEuler-24.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP1", "product_reference":"v8-devel-11.3.244.8-1.20.18.2.1.oe2403sp1.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP1:v8-devel-11.3.244.8-1.20.18.2.1.oe2403sp1.aarch64", "name":"v8-devel-11.3.244.8-1.20.18.2.1.oe2403sp1.aarch64 as a component of openEuler-24.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP1", "product_reference":"nodejs-20.18.2-1.oe2403sp1.src.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP1:nodejs-20.18.2-1.oe2403sp1.src", "name":"nodejs-20.18.2-1.oe2403sp1.src as a component of openEuler-24.03-LTS-SP1" }, "category":"default_component_of" } ] }, "vulnerabilities":[ { "cve":"CVE-2024-22018", "notes":[ { "text":"A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-read flag is used.\nThis flaw arises from an inadequate permission model that fails to restrict file stats through the fs.lstat API. As a result, malicious actors can retrieve stats from files that they do not have explicit read access to.\nThis vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21.\nPlease note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":[ "openEuler-24.03-LTS-SP1:nodejs-20.18.2-1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-debuginfo-20.18.2-1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-debugsource-20.18.2-1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-devel-20.18.2-1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-full-i18n-20.18.2-1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-libs-20.18.2-1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:npm-10.8.2-1.20.18.2.1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:v8-devel-11.3.244.8-1.20.18.2.1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-docs-20.18.2-1.oe2403sp1.noarch", "openEuler-24.03-LTS-SP1:nodejs-20.18.2-1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-debuginfo-20.18.2-1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-debugsource-20.18.2-1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-devel-20.18.2-1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-full-i18n-20.18.2-1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-libs-20.18.2-1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:npm-10.8.2-1.20.18.2.1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:v8-devel-11.3.244.8-1.20.18.2.1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-20.18.2-1.oe2403sp1.src" ] }, "remediations":[ { "product_ids":[ "openEuler-24.03-LTS-SP1:nodejs-20.18.2-1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-debuginfo-20.18.2-1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-debugsource-20.18.2-1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-devel-20.18.2-1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-full-i18n-20.18.2-1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-libs-20.18.2-1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:npm-10.8.2-1.20.18.2.1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:v8-devel-11.3.244.8-1.20.18.2.1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-docs-20.18.2-1.oe2403sp1.noarch", "openEuler-24.03-LTS-SP1:nodejs-20.18.2-1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-debuginfo-20.18.2-1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-debugsource-20.18.2-1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-devel-20.18.2-1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-full-i18n-20.18.2-1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-libs-20.18.2-1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:npm-10.8.2-1.20.18.2.1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:v8-devel-11.3.244.8-1.20.18.2.1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-20.18.2-1.oe2403sp1.src" ], "details":"nodejs security update", "category":"vendor_fix", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1200" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"LOW", "baseScore":2.9, "vectorString":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version":"3.1" }, "products":[ "openEuler-24.03-LTS-SP1:nodejs-20.18.2-1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-debuginfo-20.18.2-1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-debugsource-20.18.2-1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-devel-20.18.2-1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-full-i18n-20.18.2-1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-libs-20.18.2-1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:npm-10.8.2-1.20.18.2.1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:v8-devel-11.3.244.8-1.20.18.2.1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-docs-20.18.2-1.oe2403sp1.noarch", "openEuler-24.03-LTS-SP1:nodejs-20.18.2-1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-debuginfo-20.18.2-1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-debugsource-20.18.2-1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-devel-20.18.2-1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-full-i18n-20.18.2-1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-libs-20.18.2-1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:npm-10.8.2-1.20.18.2.1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:v8-devel-11.3.244.8-1.20.18.2.1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-20.18.2-1.oe2403sp1.src" ] } ], "threats":[ { "details":"Low", "category":"impact" } ], "title":"CVE-2024-22018" }, { "cve":"CVE-2024-22020", "notes":[ { "text":"A security flaw in Node.js allows a bypass of network import restrictions.\nBy embedding non-network imports in data URLs, an attacker can execute arbitrary code, compromising system security.\nVerified on various platforms, the vulnerability is mitigated by forbidding data URLs in network imports.\nExploiting this flaw can violate network import security, posing a risk to developers and servers.", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":[ "openEuler-24.03-LTS-SP1:nodejs-20.18.2-1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-debuginfo-20.18.2-1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-debugsource-20.18.2-1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-devel-20.18.2-1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-full-i18n-20.18.2-1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-libs-20.18.2-1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:npm-10.8.2-1.20.18.2.1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:v8-devel-11.3.244.8-1.20.18.2.1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-docs-20.18.2-1.oe2403sp1.noarch", "openEuler-24.03-LTS-SP1:nodejs-20.18.2-1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-debuginfo-20.18.2-1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-debugsource-20.18.2-1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-devel-20.18.2-1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-full-i18n-20.18.2-1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-libs-20.18.2-1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:npm-10.8.2-1.20.18.2.1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:v8-devel-11.3.244.8-1.20.18.2.1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-20.18.2-1.oe2403sp1.src" ] }, "remediations":[ { "product_ids":[ "openEuler-24.03-LTS-SP1:nodejs-20.18.2-1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-debuginfo-20.18.2-1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-debugsource-20.18.2-1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-devel-20.18.2-1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-full-i18n-20.18.2-1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-libs-20.18.2-1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:npm-10.8.2-1.20.18.2.1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:v8-devel-11.3.244.8-1.20.18.2.1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-docs-20.18.2-1.oe2403sp1.noarch", "openEuler-24.03-LTS-SP1:nodejs-20.18.2-1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-debuginfo-20.18.2-1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-debugsource-20.18.2-1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-devel-20.18.2-1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-full-i18n-20.18.2-1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-libs-20.18.2-1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:npm-10.8.2-1.20.18.2.1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:v8-devel-11.3.244.8-1.20.18.2.1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-20.18.2-1.oe2403sp1.src" ], "details":"nodejs security update", "category":"vendor_fix", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1200" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"MEDIUM", "baseScore":6.5, "vectorString":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H", "version":"3.1" }, "products":[ "openEuler-24.03-LTS-SP1:nodejs-20.18.2-1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-debuginfo-20.18.2-1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-debugsource-20.18.2-1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-devel-20.18.2-1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-full-i18n-20.18.2-1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-libs-20.18.2-1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:npm-10.8.2-1.20.18.2.1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:v8-devel-11.3.244.8-1.20.18.2.1.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-docs-20.18.2-1.oe2403sp1.noarch", "openEuler-24.03-LTS-SP1:nodejs-20.18.2-1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-debuginfo-20.18.2-1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-debugsource-20.18.2-1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-devel-20.18.2-1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-full-i18n-20.18.2-1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-libs-20.18.2-1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:npm-10.8.2-1.20.18.2.1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:v8-devel-11.3.244.8-1.20.18.2.1.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-20.18.2-1.oe2403sp1.src" ] } ], "threats":[ { "details":"Medium", "category":"impact" } ], "title":"CVE-2024-22020" } ] }