An update for nodejs is now available for openEuler-24.03-LTS-SP1 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2025-1200 Final 1.0 1.0 2025-02-28 Initial 2025-02-28 2025-02-28 openEuler SA Tool V1.0 2025-02-28 nodejs security update An update for nodejs is now available for openEuler-24.03-LTS-SP1 Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices. Security Fix(es): A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-read flag is used. This flaw arises from an inadequate permission model that fails to restrict file stats through the fs.lstat API. As a result, malicious actors can retrieve stats from files that they do not have explicit read access to. This vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.(CVE-2024-22018) A security flaw in Node.js allows a bypass of network import restrictions. By embedding non-network imports in data URLs, an attacker can execute arbitrary code, compromising system security. Verified on various platforms, the vulnerability is mitigated by forbidding data URLs in network imports. Exploiting this flaw can violate network import security, posing a risk to developers and servers.(CVE-2024-22020) An update for nodejs is now available for master/openEuler-20.03-LTS-SP4/openEuler-22.03-LTS-SP3/openEuler-22.03-LTS-SP4/openEuler-24.03-LTS/openEuler-24.03-LTS-Next/openEuler-24.03-LTS-SP1. openEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Medium nodejs https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1200 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-22018 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-22020 https://nvd.nist.gov/vuln/detail/CVE-2024-22018 https://nvd.nist.gov/vuln/detail/CVE-2024-22020 openEuler-24.03-LTS-SP1 nodejs-20.18.2-1.oe2403sp1.x86_64.rpm nodejs-debuginfo-20.18.2-1.oe2403sp1.x86_64.rpm nodejs-debugsource-20.18.2-1.oe2403sp1.x86_64.rpm nodejs-devel-20.18.2-1.oe2403sp1.x86_64.rpm nodejs-full-i18n-20.18.2-1.oe2403sp1.x86_64.rpm nodejs-libs-20.18.2-1.oe2403sp1.x86_64.rpm npm-10.8.2-1.20.18.2.1.oe2403sp1.x86_64.rpm v8-devel-11.3.244.8-1.20.18.2.1.oe2403sp1.x86_64.rpm nodejs-docs-20.18.2-1.oe2403sp1.noarch.rpm nodejs-20.18.2-1.oe2403sp1.aarch64.rpm nodejs-debuginfo-20.18.2-1.oe2403sp1.aarch64.rpm nodejs-debugsource-20.18.2-1.oe2403sp1.aarch64.rpm nodejs-devel-20.18.2-1.oe2403sp1.aarch64.rpm nodejs-full-i18n-20.18.2-1.oe2403sp1.aarch64.rpm nodejs-libs-20.18.2-1.oe2403sp1.aarch64.rpm npm-10.8.2-1.20.18.2.1.oe2403sp1.aarch64.rpm v8-devel-11.3.244.8-1.20.18.2.1.oe2403sp1.aarch64.rpm nodejs-20.18.2-1.oe2403sp1.src.rpm A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-read flag is used. This flaw arises from an inadequate permission model that fails to restrict file stats through the fs.lstat API. As a result, malicious actors can retrieve stats from files that they do not have explicit read access to. This vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js. 2025-02-28 CVE-2024-22018 openEuler-24.03-LTS-SP1 Low 2.9 AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N nodejs security update 2025-02-28 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1200 A security flaw in Node.js allows a bypass of network import restrictions. By embedding non-network imports in data URLs, an attacker can execute arbitrary code, compromising system security. Verified on various platforms, the vulnerability is mitigated by forbidding data URLs in network imports. Exploiting this flaw can violate network import security, posing a risk to developers and servers. 2025-02-28 CVE-2024-22020 openEuler-24.03-LTS-SP1 Medium 6.5 AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H nodejs security update 2025-02-28 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1200