{"schema_version":"1.7.2","id":"OESA-2025-1200","modified":"2025-02-28T15:33:03Z","published":"2025-02-28T15:33:03Z","upstream":["CVE-2024-22018","CVE-2024-22020"],"summary":"nodejs security update","details":"Node.js is a platform built on Chrome\u0026amp;apos;s JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices.\r\n\r\nSecurity Fix(es):\n\nA vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-read flag is used.\nThis flaw arises from an inadequate permission model that fails to restrict file stats through the fs.lstat API. As a result, malicious actors can retrieve stats from files that they do not have explicit read access to.\nThis vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21.\nPlease note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.(CVE-2024-22018)\n\nA security flaw in Node.js  allows a bypass of network import restrictions.\nBy embedding non-network imports in data URLs, an attacker can execute arbitrary code, compromising system security.\nVerified on various platforms, the vulnerability is mitigated by forbidding data URLs in network imports.\nExploiting this flaw can violate network import security, posing a risk to developers and servers.(CVE-2024-22020)","affected":[{"package":{"ecosystem":"openEuler:24.03-LTS-SP1","name":"nodejs","purl":"pkg:rpm/openEuler/nodejs\u0026distro=openEuler-24.03-LTS-SP1"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"20.18.2-1.oe2403sp1"}]}],"ecosystem_specific":{"aarch64":["nodejs-20.18.2-1.oe2403sp1.aarch64.rpm","nodejs-debuginfo-20.18.2-1.oe2403sp1.aarch64.rpm","nodejs-debugsource-20.18.2-1.oe2403sp1.aarch64.rpm","nodejs-devel-20.18.2-1.oe2403sp1.aarch64.rpm","nodejs-full-i18n-20.18.2-1.oe2403sp1.aarch64.rpm","nodejs-libs-20.18.2-1.oe2403sp1.aarch64.rpm","npm-10.8.2-1.20.18.2.1.oe2403sp1.aarch64.rpm","v8-devel-11.3.244.8-1.20.18.2.1.oe2403sp1.aarch64.rpm"],"noarch":["nodejs-docs-20.18.2-1.oe2403sp1.noarch.rpm"],"src":["nodejs-20.18.2-1.oe2403sp1.src.rpm"],"x86_64":["nodejs-20.18.2-1.oe2403sp1.x86_64.rpm","nodejs-debuginfo-20.18.2-1.oe2403sp1.x86_64.rpm","nodejs-debugsource-20.18.2-1.oe2403sp1.x86_64.rpm","nodejs-devel-20.18.2-1.oe2403sp1.x86_64.rpm","nodejs-full-i18n-20.18.2-1.oe2403sp1.x86_64.rpm","nodejs-libs-20.18.2-1.oe2403sp1.x86_64.rpm","npm-10.8.2-1.20.18.2.1.oe2403sp1.x86_64.rpm","v8-devel-11.3.244.8-1.20.18.2.1.oe2403sp1.x86_64.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1200"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-22018"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-22020"}],"database_specific":{"severity":"Medium"}}