{ "document":{ "aggregate_severity":{ "namespace":"https://nvd.nist.gov/vuln-metrics/cvss", "text":"High" }, "category":"csaf_vex", "csaf_version":"2.0", "distribution":{ "tlp":{ "label":"WHITE", "url":"https:/www.first.org/tlp/" } }, "lang":"en", "notes":[ { "text":"nodejs security update", "category":"general", "title":"Synopsis" }, { "text":"An update for nodejs is now available for openEuler-24.03-LTS-SP1", "category":"general", "title":"Summary" }, { "text":"Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices.\n\nSecurity Fix(es):\n\nIn Node.js, the `ReadFileUtf8` internal binding leaks memory due to a corrupted pointer in `uv_fs_s.file`: a UTF-16 path buffer is allocated but subsequently overwritten when the file descriptor is set. This results in an unrecoverable memory leak on every call. Repeated use can cause unbounded memory growth, leading to a denial of service.\n\nImpact:\n* This vulnerability affects APIs relying on `ReadFileUtf8` on Node.js release lines: v20 and v22.(CVE-2025-23165)\n\nThe C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentially allows an adversary to remotely crash a Node.js runtime.(CVE-2025-23166)", "category":"general", "title":"Description" }, { "text":"An update for nodejs is now available for openEuler-24.03-LTS-SP1.\n\nopenEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.", "category":"general", "title":"Topic" }, { "text":"High", "category":"general", "title":"Severity" }, { "text":"nodejs", "category":"general", "title":"Affected Component" } ], "publisher":{ "issuing_authority":"openEuler security committee", "name":"openEuler", "namespace":"https://www.openeuler.org", "contact_details":"openeuler-security@openeuler.org", "category":"vendor" }, "references":[ { "summary":"openEuler-SA-2025-1534", "category":"self", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1534" }, { "summary":"CVE-2025-23165", "category":"self", "url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-23165&packageName=nodejs" }, { "summary":"CVE-2025-23166", "category":"self", "url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-23166&packageName=nodejs" }, { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2025-23165" }, { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2025-23166" }, { "summary":"openEuler-SA-2025-1534 vex file", "category":"self", "url":"https://repo.openeuler.org/security/data/csaf/advisories/2025/csaf-openeuler-sa-2025-1534.json" } ], "title":"An update for nodejs is now available for openEuler-24.03-LTS-SP1", "tracking":{ "initial_release_date":"2025-05-23T22:01:35+08:00", "revision_history":[ { "date":"2025-05-23T22:01:35+08:00", "summary":"Initial", "number":"1.0.0" } ], "generator":{ "date":"2025-05-23T22:01:35+08:00", "engine":{ "name":"openEuler CSAF Tool V1.0" } }, "current_release_date":"2025-05-23T22:01:35+08:00", "id":"openEuler-SA-2025-1534", "version":"1.0.0", "status":"final" } }, "product_tree":{ "branches":[ { "name":"openEuler", "category":"vendor", "branches":[ { "name":"openEuler", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"openEuler-24.03-LTS-SP1", "name":"openEuler-24.03-LTS-SP1" }, "name":"openEuler-24.03-LTS-SP1", "category":"product_version" } ], "category":"product_name" }, { "name":"aarch64", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"nodejs-20.18.2-3.oe2403sp1.aarch64.rpm", "name":"nodejs-20.18.2-3.oe2403sp1.aarch64.rpm" }, "name":"nodejs-20.18.2-3.oe2403sp1.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"nodejs-debuginfo-20.18.2-3.oe2403sp1.aarch64.rpm", "name":"nodejs-debuginfo-20.18.2-3.oe2403sp1.aarch64.rpm" }, "name":"nodejs-debuginfo-20.18.2-3.oe2403sp1.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"nodejs-debugsource-20.18.2-3.oe2403sp1.aarch64.rpm", "name":"nodejs-debugsource-20.18.2-3.oe2403sp1.aarch64.rpm" }, "name":"nodejs-debugsource-20.18.2-3.oe2403sp1.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"nodejs-devel-20.18.2-3.oe2403sp1.aarch64.rpm", "name":"nodejs-devel-20.18.2-3.oe2403sp1.aarch64.rpm" }, "name":"nodejs-devel-20.18.2-3.oe2403sp1.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"nodejs-full-i18n-20.18.2-3.oe2403sp1.aarch64.rpm", "name":"nodejs-full-i18n-20.18.2-3.oe2403sp1.aarch64.rpm" }, "name":"nodejs-full-i18n-20.18.2-3.oe2403sp1.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"nodejs-libs-20.18.2-3.oe2403sp1.aarch64.rpm", "name":"nodejs-libs-20.18.2-3.oe2403sp1.aarch64.rpm" }, "name":"nodejs-libs-20.18.2-3.oe2403sp1.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"npm-10.8.2-1.20.18.2.3.oe2403sp1.aarch64.rpm", "name":"npm-10.8.2-1.20.18.2.3.oe2403sp1.aarch64.rpm" }, "name":"npm-10.8.2-1.20.18.2.3.oe2403sp1.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"v8-devel-11.3.244.8-1.20.18.2.3.oe2403sp1.aarch64.rpm", "name":"v8-devel-11.3.244.8-1.20.18.2.3.oe2403sp1.aarch64.rpm" }, "name":"v8-devel-11.3.244.8-1.20.18.2.3.oe2403sp1.aarch64.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"src", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"nodejs-20.18.2-3.oe2403sp1.src.rpm", "name":"nodejs-20.18.2-3.oe2403sp1.src.rpm" }, "name":"nodejs-20.18.2-3.oe2403sp1.src.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"x86_64", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"nodejs-20.18.2-3.oe2403sp1.x86_64.rpm", "name":"nodejs-20.18.2-3.oe2403sp1.x86_64.rpm" }, "name":"nodejs-20.18.2-3.oe2403sp1.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"nodejs-debuginfo-20.18.2-3.oe2403sp1.x86_64.rpm", "name":"nodejs-debuginfo-20.18.2-3.oe2403sp1.x86_64.rpm" }, "name":"nodejs-debuginfo-20.18.2-3.oe2403sp1.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"nodejs-debugsource-20.18.2-3.oe2403sp1.x86_64.rpm", "name":"nodejs-debugsource-20.18.2-3.oe2403sp1.x86_64.rpm" }, "name":"nodejs-debugsource-20.18.2-3.oe2403sp1.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"nodejs-devel-20.18.2-3.oe2403sp1.x86_64.rpm", "name":"nodejs-devel-20.18.2-3.oe2403sp1.x86_64.rpm" }, "name":"nodejs-devel-20.18.2-3.oe2403sp1.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"nodejs-full-i18n-20.18.2-3.oe2403sp1.x86_64.rpm", "name":"nodejs-full-i18n-20.18.2-3.oe2403sp1.x86_64.rpm" }, "name":"nodejs-full-i18n-20.18.2-3.oe2403sp1.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"nodejs-libs-20.18.2-3.oe2403sp1.x86_64.rpm", "name":"nodejs-libs-20.18.2-3.oe2403sp1.x86_64.rpm" }, "name":"nodejs-libs-20.18.2-3.oe2403sp1.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"npm-10.8.2-1.20.18.2.3.oe2403sp1.x86_64.rpm", "name":"npm-10.8.2-1.20.18.2.3.oe2403sp1.x86_64.rpm" }, "name":"npm-10.8.2-1.20.18.2.3.oe2403sp1.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"v8-devel-11.3.244.8-1.20.18.2.3.oe2403sp1.x86_64.rpm", "name":"v8-devel-11.3.244.8-1.20.18.2.3.oe2403sp1.x86_64.rpm" }, "name":"v8-devel-11.3.244.8-1.20.18.2.3.oe2403sp1.x86_64.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"noarch", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1" }, "product_id":"nodejs-docs-20.18.2-3.oe2403sp1.noarch.rpm", "name":"nodejs-docs-20.18.2-3.oe2403sp1.noarch.rpm" }, "name":"nodejs-docs-20.18.2-3.oe2403sp1.noarch.rpm", "category":"product_version" } ], "category":"architecture" } ] } ], "relationships":[ { "relates_to_product_reference":"openEuler-24.03-LTS-SP1", "product_reference":"nodejs-20.18.2-3.oe2403sp1.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP1:nodejs-20.18.2-3.oe2403sp1.aarch64", "name":"nodejs-20.18.2-3.oe2403sp1.aarch64 as a component of openEuler-24.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP1", "product_reference":"nodejs-debuginfo-20.18.2-3.oe2403sp1.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP1:nodejs-debuginfo-20.18.2-3.oe2403sp1.aarch64", "name":"nodejs-debuginfo-20.18.2-3.oe2403sp1.aarch64 as a component of openEuler-24.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP1", "product_reference":"nodejs-debugsource-20.18.2-3.oe2403sp1.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP1:nodejs-debugsource-20.18.2-3.oe2403sp1.aarch64", "name":"nodejs-debugsource-20.18.2-3.oe2403sp1.aarch64 as a component of openEuler-24.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP1", "product_reference":"nodejs-devel-20.18.2-3.oe2403sp1.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP1:nodejs-devel-20.18.2-3.oe2403sp1.aarch64", "name":"nodejs-devel-20.18.2-3.oe2403sp1.aarch64 as a component of openEuler-24.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP1", "product_reference":"nodejs-full-i18n-20.18.2-3.oe2403sp1.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP1:nodejs-full-i18n-20.18.2-3.oe2403sp1.aarch64", "name":"nodejs-full-i18n-20.18.2-3.oe2403sp1.aarch64 as a component of openEuler-24.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP1", "product_reference":"nodejs-libs-20.18.2-3.oe2403sp1.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP1:nodejs-libs-20.18.2-3.oe2403sp1.aarch64", "name":"nodejs-libs-20.18.2-3.oe2403sp1.aarch64 as a component of openEuler-24.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP1", "product_reference":"npm-10.8.2-1.20.18.2.3.oe2403sp1.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP1:npm-10.8.2-1.20.18.2.3.oe2403sp1.aarch64", "name":"npm-10.8.2-1.20.18.2.3.oe2403sp1.aarch64 as a component of openEuler-24.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP1", "product_reference":"v8-devel-11.3.244.8-1.20.18.2.3.oe2403sp1.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP1:v8-devel-11.3.244.8-1.20.18.2.3.oe2403sp1.aarch64", "name":"v8-devel-11.3.244.8-1.20.18.2.3.oe2403sp1.aarch64 as a component of openEuler-24.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP1", "product_reference":"nodejs-20.18.2-3.oe2403sp1.src.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP1:nodejs-20.18.2-3.oe2403sp1.src", "name":"nodejs-20.18.2-3.oe2403sp1.src as a component of openEuler-24.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP1", "product_reference":"nodejs-20.18.2-3.oe2403sp1.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP1:nodejs-20.18.2-3.oe2403sp1.x86_64", "name":"nodejs-20.18.2-3.oe2403sp1.x86_64 as a component of openEuler-24.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP1", "product_reference":"nodejs-debuginfo-20.18.2-3.oe2403sp1.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP1:nodejs-debuginfo-20.18.2-3.oe2403sp1.x86_64", "name":"nodejs-debuginfo-20.18.2-3.oe2403sp1.x86_64 as a component of openEuler-24.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP1", "product_reference":"nodejs-debugsource-20.18.2-3.oe2403sp1.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP1:nodejs-debugsource-20.18.2-3.oe2403sp1.x86_64", "name":"nodejs-debugsource-20.18.2-3.oe2403sp1.x86_64 as a component of openEuler-24.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP1", "product_reference":"nodejs-devel-20.18.2-3.oe2403sp1.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP1:nodejs-devel-20.18.2-3.oe2403sp1.x86_64", "name":"nodejs-devel-20.18.2-3.oe2403sp1.x86_64 as a component of openEuler-24.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP1", "product_reference":"nodejs-full-i18n-20.18.2-3.oe2403sp1.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP1:nodejs-full-i18n-20.18.2-3.oe2403sp1.x86_64", "name":"nodejs-full-i18n-20.18.2-3.oe2403sp1.x86_64 as a component of openEuler-24.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP1", "product_reference":"nodejs-libs-20.18.2-3.oe2403sp1.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP1:nodejs-libs-20.18.2-3.oe2403sp1.x86_64", "name":"nodejs-libs-20.18.2-3.oe2403sp1.x86_64 as a component of openEuler-24.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP1", "product_reference":"npm-10.8.2-1.20.18.2.3.oe2403sp1.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP1:npm-10.8.2-1.20.18.2.3.oe2403sp1.x86_64", "name":"npm-10.8.2-1.20.18.2.3.oe2403sp1.x86_64 as a component of openEuler-24.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP1", "product_reference":"v8-devel-11.3.244.8-1.20.18.2.3.oe2403sp1.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP1:v8-devel-11.3.244.8-1.20.18.2.3.oe2403sp1.x86_64", "name":"v8-devel-11.3.244.8-1.20.18.2.3.oe2403sp1.x86_64 as a component of openEuler-24.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP1", "product_reference":"nodejs-docs-20.18.2-3.oe2403sp1.noarch.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP1:nodejs-docs-20.18.2-3.oe2403sp1.noarch", "name":"nodejs-docs-20.18.2-3.oe2403sp1.noarch as a component of openEuler-24.03-LTS-SP1" }, "category":"default_component_of" } ] }, "vulnerabilities":[ { "cve":"CVE-2025-23165", "notes":[ { "text":"In Node.js, the `ReadFileUtf8` internal binding leaks memory due to a corrupted pointer in `uv_fs_s.file`: a UTF-16 path buffer is allocated but subsequently overwritten when the file descriptor is set. This results in an unrecoverable memory leak on every call. Repeated use can cause unbounded memory growth, leading to a denial of service.\n\nImpact:\n* This vulnerability affects APIs relying on `ReadFileUtf8` on Node.js release lines: v20 and v22.", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":[ "openEuler-24.03-LTS-SP1:nodejs-20.18.2-3.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-debuginfo-20.18.2-3.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-debugsource-20.18.2-3.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-devel-20.18.2-3.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-full-i18n-20.18.2-3.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-libs-20.18.2-3.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:npm-10.8.2-1.20.18.2.3.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:v8-devel-11.3.244.8-1.20.18.2.3.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-20.18.2-3.oe2403sp1.src", "openEuler-24.03-LTS-SP1:nodejs-20.18.2-3.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-debuginfo-20.18.2-3.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-debugsource-20.18.2-3.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-devel-20.18.2-3.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-full-i18n-20.18.2-3.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-libs-20.18.2-3.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:npm-10.8.2-1.20.18.2.3.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:v8-devel-11.3.244.8-1.20.18.2.3.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-docs-20.18.2-3.oe2403sp1.noarch" ] }, "remediations":[ { "product_ids":[ "openEuler-24.03-LTS-SP1:nodejs-20.18.2-3.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-debuginfo-20.18.2-3.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-debugsource-20.18.2-3.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-devel-20.18.2-3.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-full-i18n-20.18.2-3.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-libs-20.18.2-3.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:npm-10.8.2-1.20.18.2.3.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:v8-devel-11.3.244.8-1.20.18.2.3.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-20.18.2-3.oe2403sp1.src", "openEuler-24.03-LTS-SP1:nodejs-20.18.2-3.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-debuginfo-20.18.2-3.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-debugsource-20.18.2-3.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-devel-20.18.2-3.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-full-i18n-20.18.2-3.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-libs-20.18.2-3.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:npm-10.8.2-1.20.18.2.3.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:v8-devel-11.3.244.8-1.20.18.2.3.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-docs-20.18.2-3.oe2403sp1.noarch" ], "details":"nodejs security update", "category":"vendor_fix", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1534" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"LOW", "baseScore":3.7, "vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "version":"3.1" }, "products":[ "openEuler-24.03-LTS-SP1:nodejs-20.18.2-3.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-debuginfo-20.18.2-3.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-debugsource-20.18.2-3.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-devel-20.18.2-3.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-full-i18n-20.18.2-3.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-libs-20.18.2-3.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:npm-10.8.2-1.20.18.2.3.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:v8-devel-11.3.244.8-1.20.18.2.3.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-20.18.2-3.oe2403sp1.src", "openEuler-24.03-LTS-SP1:nodejs-20.18.2-3.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-debuginfo-20.18.2-3.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-debugsource-20.18.2-3.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-devel-20.18.2-3.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-full-i18n-20.18.2-3.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-libs-20.18.2-3.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:npm-10.8.2-1.20.18.2.3.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:v8-devel-11.3.244.8-1.20.18.2.3.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-docs-20.18.2-3.oe2403sp1.noarch" ] } ], "threats":[ { "details":"Low", "category":"impact" } ], "title":"CVE-2025-23165" }, { "cve":"CVE-2025-23166", "notes":[ { "text":"The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentially allows an adversary to remotely crash a Node.js runtime.", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":[ "openEuler-24.03-LTS-SP1:nodejs-20.18.2-3.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-debuginfo-20.18.2-3.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-debugsource-20.18.2-3.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-devel-20.18.2-3.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-full-i18n-20.18.2-3.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-libs-20.18.2-3.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:npm-10.8.2-1.20.18.2.3.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:v8-devel-11.3.244.8-1.20.18.2.3.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-20.18.2-3.oe2403sp1.src", "openEuler-24.03-LTS-SP1:nodejs-20.18.2-3.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-debuginfo-20.18.2-3.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-debugsource-20.18.2-3.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-devel-20.18.2-3.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-full-i18n-20.18.2-3.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-libs-20.18.2-3.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:npm-10.8.2-1.20.18.2.3.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:v8-devel-11.3.244.8-1.20.18.2.3.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-docs-20.18.2-3.oe2403sp1.noarch" ] }, "remediations":[ { "product_ids":[ "openEuler-24.03-LTS-SP1:nodejs-20.18.2-3.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-debuginfo-20.18.2-3.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-debugsource-20.18.2-3.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-devel-20.18.2-3.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-full-i18n-20.18.2-3.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-libs-20.18.2-3.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:npm-10.8.2-1.20.18.2.3.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:v8-devel-11.3.244.8-1.20.18.2.3.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-20.18.2-3.oe2403sp1.src", "openEuler-24.03-LTS-SP1:nodejs-20.18.2-3.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-debuginfo-20.18.2-3.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-debugsource-20.18.2-3.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-devel-20.18.2-3.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-full-i18n-20.18.2-3.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-libs-20.18.2-3.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:npm-10.8.2-1.20.18.2.3.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:v8-devel-11.3.244.8-1.20.18.2.3.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-docs-20.18.2-3.oe2403sp1.noarch" ], "details":"nodejs security update", "category":"vendor_fix", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1534" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"HIGH", "baseScore":7.5, "vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version":"3.1" }, "products":[ "openEuler-24.03-LTS-SP1:nodejs-20.18.2-3.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-debuginfo-20.18.2-3.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-debugsource-20.18.2-3.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-devel-20.18.2-3.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-full-i18n-20.18.2-3.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-libs-20.18.2-3.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:npm-10.8.2-1.20.18.2.3.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:v8-devel-11.3.244.8-1.20.18.2.3.oe2403sp1.aarch64", "openEuler-24.03-LTS-SP1:nodejs-20.18.2-3.oe2403sp1.src", "openEuler-24.03-LTS-SP1:nodejs-20.18.2-3.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-debuginfo-20.18.2-3.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-debugsource-20.18.2-3.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-devel-20.18.2-3.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-full-i18n-20.18.2-3.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-libs-20.18.2-3.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:npm-10.8.2-1.20.18.2.3.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:v8-devel-11.3.244.8-1.20.18.2.3.oe2403sp1.x86_64", "openEuler-24.03-LTS-SP1:nodejs-docs-20.18.2-3.oe2403sp1.noarch" ] } ], "threats":[ { "details":"High", "category":"impact" } ], "title":"CVE-2025-23166" } ] }