openSUSE-SU-2026:20236-1

Import Source
https://ftp.suse.com/pub/projects/security/osv/openSUSE-SU-2026:20236-1.json
JSON Data
https://api.osv.dev/v1/vulns/openSUSE-SU-2026:20236-1
Upstream
  • CVE-2025-55131
Published
2026-02-15T09:26:17Z
Modified
2026-03-23T04:54:48.462593Z
Summary
Security update for nodejs22
Details

This update for nodejs22 fixes the following issues:

Update to 22.22.0:

  • CVE-2025-55130: file system permissions bypass via crafted symlinks (bsc#1256569).
  • CVE-2025-55131: timeout-based race conditions allow for allocations that contain leftover data from previous operations and lead to exposure of in-process secrets (bsc#1256570).
  • CVE-2025-55132: a file's access and modification timestamps can be changed via futimes() even when the process has only read permissions (bsc#1256571).
  • CVE-2025-59465: malformed HTTP/2 HEADERS frame with invalid HPACK data can cause a crash due to an unhandled error (bsc#1256573).
  • CVE-2025-59466: uncatchable "Maximum call stack size exceeded" error when async_hooks.createHook() is enabled can lead to crash (bsc#1256574).
  • CVE-2026-21637: synchronous exceptions thrown during certain callbacks bypass the standard TLS error handling paths and can cause a denial of service (bsc#1256576).
  • CVE-2026-22036: undici: unbounded decompression chain in HTTP responses via Content-Encoding may lead to resource exhaustion (bsc#1256848).

For the full changelog, please see https://nodejs.org/en/blog

Affected packages

openSUSE:Leap 16.0 / nodejs22

Package

Name
nodejs22
Purl
pkg:rpm/opensuse/nodejs22&distro=openSUSE%20Leap%2016.0

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
22.22.0-160000.1.1

Ecosystem specific

{
    "binaries": [
        {
            "nodejs22": "22.22.0-160000.1.1",
            "npm22": "22.22.0-160000.1.1",
            "corepack22": "22.22.0-160000.1.1",
            "nodejs22-devel": "22.22.0-160000.1.1",
            "nodejs22-docs": "22.22.0-160000.1.1"
        }
    ]
}

Database specific

source
"https://ftp.suse.com/pub/projects/security/osv/openSUSE-SU-2026:20236-1.json"