Updated nodejs packages fix security vulnerabilities
Publication date: 17 Jan 2026
Modification date: 17 Jan 2026
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-59465, CVE-2025-59466, CVE-2025-55130, CVE-2025-55131, CVE-2025-55132, CVE-2026-21637
Description
Node.js HTTP/2 server crashes with an unhandled error when receiving a
malformed HEADERS frame. (CVE-2025-59465)
Uncatchable "Maximum call stack size exceeded" error on Node.js via
async_hooks leads to process crashes bypassing error handlers.
(CVE-2025-59466)
Bypass File System Permissions using crafted symlinks. (CVE-2025-55130)
Timeout-based race conditions make Uint8Array/Buffer.alloc
non-zerofilled. (CVE-2025-55131)
fs.futimes() Bypasses Read-Only Permission Model. (CVE-2025-55132)
TLS PSK/ALPN Callback Exceptions Bypass Error Handlers, Causing DoS and
FD Leak. (CVE-2026-21637)
References
- https://bugs.mageia.org/show_bug.cgi?id=34995
- https://nodejs.org/en/blog/vulnerability/december-2025-security-releases
- https://nodejs.org/en/blog/release/v22.22.0
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59465
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59466
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-55130
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-55131
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-55132
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-21637
SRPMS
9/core
- nodejs-22.22.0-1.mga9