Sync security vulnerabilities (#1542)

Author: nodejs-github-bot

vuln/core/156.json

@@ -0,0 +1,14 @@
+{
+  "cve": [
+    "CVE-2025-55130"
+  ],
+  "vulnerable": "20.x || 22.x || 24.x || 25.x",
+  "patched": "^20.20.0 || ^22.22.0 || ^24.13.0 || ^25.3.0",
+  "ref": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
+  "description": "FS Permissions Bypass",
+  "overview": "A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write, leading to potential system compromise.\nThis vulnerability affects users of the permission model on Node.js v20,  v22,  v24, and v25.",
+  "affectedEnvironments": [
+    "all"
+  ],
+  "severity": "high"
+}

vuln/core/157.json

@@ -0,0 +1,14 @@
+{
+  "cve": [
+    "CVE-2025-55131"
+  ],
+  "vulnerable": "20.x || 22.x || 24.x || 25.x",
+  "patched": "^20.20.0 || ^22.22.0 || ^24.13.0 || ^25.3.0",
+  "ref": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
+  "description": "Timeout-based race conditions make Uint8Array/Buffer.alloc non-zerofilled",
+  "overview": "A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption. While exploitation typically requires precise timing or in-process code execution, it can become remotely exploitable when untrusted input influences workload and timeouts, leading to potential confidentiality and integrity impact.",
+  "affectedEnvironments": [
+    "all"
+  ],
+  "severity": "high"
+}

vuln/core/158.json

@@ -0,0 +1,14 @@
+{
+  "cve": [
+    "CVE-2025-55132"
+  ],
+  "vulnerable": "20.x || 22.x || 24.x || 25.x",
+  "patched": "^20.20.0 || ^22.22.0 || ^24.13.0 || ^25.3.0",
+  "ref": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
+  "description": "fs.futimes() Bypasses Read-Only Permission Model",
+  "overview": "A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs. This vulnerability affects users of the permission model on Node.js v20,  v22,  v24, and v25.",
+  "affectedEnvironments": [
+    "all"
+  ],
+  "severity": "low"
+}

vuln/core/159.json

@@ -0,0 +1,14 @@
+{
+  "cve": [
+    "CVE-2025-59464"
+  ],
+  "vulnerable": "20.x || 22.x || 24.x",
+  "patched": "^20.20.0 || ^22.22.0 || ^24.13.0",
+  "ref": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
+  "description": "Memory leak that enables remote Denial of Service against applications processing TLS client certificates",
+  "overview": "A memory leak in Node.js’s OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. When applications call `socket.getPeerCertificate(true)`, each certificate field leaks memory, allowing remote clients to trigger steady memory growth through repeated TLS connections. Over time this can lead to resource exhaustion and denial of service.",
+  "affectedEnvironments": [
+    "all"
+  ],
+  "severity": "medium"
+}

vuln/core/160.json

@@ -0,0 +1,14 @@
+{
+  "cve": [
+    "CVE-2025-59465"
+  ],
+  "vulnerable": "20.x || 22.x || 24.x || 25.x",
+  "patched": "^20.20.0 || ^22.22.0 || ^24.13.0 || ^25.3.0",
+  "ref": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
+  "description": "Node.js HTTP/2 server crashes with unhandled error when receiving malformed HEADERS frame",
+  "overview": "A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets, for example:\n```\nserver.on('secureConnection', socket => {\n  socket.on('error', err => {\n    console.log(err)\n  })\n})\n```",
+  "affectedEnvironments": [
+    "all"
+  ],
+  "severity": "high"
+}

vuln/core/161.json

@@ -0,0 +1,14 @@
+{
+  "cve": [
+    "CVE-2025-59466"
+  ],
+  "vulnerable": "20.x || 22.x || 24.x || 25.x",
+  "patched": "^20.20.0 || ^22.22.0 || ^24.13.0 || ^25.3.0",
+  "ref": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
+  "description": "Uncatchable \"Maximum call stack size exceeded\" error on Node.js via async_hooks leads to process crashes bypassing error handlers",
+  "overview": "We have identified a bug in Node.js error handling where \"Maximum call stack size exceeded\" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on('uncaughtException')`, the process terminates, making the crash unrecoverable. Applications that rely on `AsyncLocalStorage` (v22, v20) or `async_hooks.createHook()` (v24, v22, v20) become vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions.",
+  "affectedEnvironments": [
+    "all"
+  ],
+  "severity": "medium"
+}

vuln/core/162.json

@@ -0,0 +1,14 @@
+{
+  "cve": [
+    "CVE-2026-21636"
+  ],
+  "vulnerable": "25.x",
+  "patched": "^25.3.0",
+  "ref": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
+  "description": "Node.js permission model bypass via unchecked Unix Domain Socket connections (UDS)",
+  "overview": "A flaw in Node.js's permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when `--permission` is enabled. Even without `--allow-net`, attacker-controlled inputs (such as URLs or socketPath options) can connect to arbitrary local sockets via net, tls, or undici/fetch. This breaks the intended security boundary of the permission model and enables access to privileged local services, potentially leading to privilege escalation, data exposure, or local code execution.\n\n* The issue affects users of the Node.js permission model on version v25.\n\nIn the moment of this vulnerability, network permissions (`--allow-net`) are still in the experimental phase.\n",
+  "affectedEnvironments": [
+    "all"
+  ],
+  "severity": "medium"
+}

vuln/core/163.json

@@ -0,0 +1,14 @@
+{
+  "cve": [
+    "CVE-2026-21637"
+  ],
+  "vulnerable": "20.x || 22.x || 24.x || 25.x",
+  "patched": "^20.20.0 || ^22.22.0 || ^24.13.0 || ^25.3.0",
+  "ref": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
+  "description": "TLS PSK/ALPN Callback Exceptions Bypass Error Handlers, Causing DoS and FD Leak",
+  "overview": "A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across Node.js versions where these callbacks throw without being safely wrapped.",
+  "affectedEnvironments": [
+    "all"
+  ],
+  "severity": "medium"
+}