An update for nodejs is now available for openEuler-24.03-LTS Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2025-1235 Final 1.0 1.0 2025-03-07 Initial 2025-03-07 2025-03-07 openEuler SA Tool V1.0 2025-03-07 nodejs security update An update for nodejs is now available for openEuler-24.03-LTS Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices. Security Fix(es): With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created. This is not limited only to workers but also exposes internal workers, where an instance of them can be fetched, and its constructor can be grabbed and reinstated for malicious usage. This vulnerability affects Permission Model users (--permission) on Node.js v20, v22, and v23.(CVE-2025-23083) An update for nodejs is now available for openEuler-24.03-LTS. openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. High nodejs https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1235 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-23083 https://nvd.nist.gov/vuln/detail/CVE-2025-23083 openEuler-24.03-LTS nodejs-20.18.2-1.oe2403.x86_64.rpm nodejs-debuginfo-20.18.2-1.oe2403.x86_64.rpm nodejs-debugsource-20.18.2-1.oe2403.x86_64.rpm nodejs-devel-20.18.2-1.oe2403.x86_64.rpm nodejs-full-i18n-20.18.2-1.oe2403.x86_64.rpm nodejs-libs-20.18.2-1.oe2403.x86_64.rpm npm-10.8.2-1.20.18.2.1.oe2403.x86_64.rpm v8-devel-11.3.244.8-1.20.18.2.1.oe2403.x86_64.rpm nodejs-docs-20.18.2-1.oe2403.noarch.rpm nodejs-20.18.2-1.oe2403.aarch64.rpm nodejs-debuginfo-20.18.2-1.oe2403.aarch64.rpm nodejs-debugsource-20.18.2-1.oe2403.aarch64.rpm nodejs-devel-20.18.2-1.oe2403.aarch64.rpm nodejs-full-i18n-20.18.2-1.oe2403.aarch64.rpm nodejs-libs-20.18.2-1.oe2403.aarch64.rpm npm-10.8.2-1.20.18.2.1.oe2403.aarch64.rpm v8-devel-11.3.244.8-1.20.18.2.1.oe2403.aarch64.rpm nodejs-20.18.2-1.oe2403.src.rpm With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created. This is not limited only to workers but also exposes internal workers, where an instance of them can be fetched, and its constructor can be grabbed and reinstated for malicious usage. This vulnerability affects Permission Model users (--permission) on Node.js v20, v22, and v23. 2025-03-07 CVE-2025-23083 openEuler-24.03-LTS High 7.7 AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N nodejs security update 2025-03-07 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1235