
=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN026
_____________________________________________________________________

DATE                : 14/01/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Node.js versions prior to
                        20.20.0, 22.22.0, 24.13.0, 25.3.0.

=====================================================================
https://nodejs.org/en/blog/vulnerability/december-2025-security-releases
_____________________________________________________________________

Tuesday, January 13, 2026 Security Releases
The Node.js Project

Security releases available

Updates are now available for the 25.x, 24.x, 22.x, 20.x Node.js
release lines to address:

    3 high severity issues.
    4 medium severity issues.
    1 low severity issue.

This security release includes the following dependency updates to
address public vulnerabilities:

    c-ares (1.34.6) on 20.x, 22.x, 24.x, 25.x
    undici (6.23.0, 7.18.0) on 20.x, 22.x, 24.x, 25.x


Timeout-based race conditions make Uint8Array/Buffer.alloc
non-zerofilled (CVE-2025-55131) - (High)

A flaw in Node.js's buffer allocation logic can expose uninitialized
memory when allocations are interrupted, when using the vm module with
the timeout option. Under specific timing conditions, buffers
allocated with Buffer.alloc and other TypedArray instances like
Uint8Array may contain leftover data from previous operations,
allowing in-process secrets like tokens or passwords to leak or
causing data corruption.

While exploitation typically requires precise timing or in-process
code execution, it can become remotely exploitable when untrusted
input influences workload and timeouts, leading to potential
confidentiality and integrity impact.

Impact:

    This vulnerability affects all users in active release lines:
20.x, 22.x, 24.x, 25.x

Thank you, to Nikita Skovoroda for reporting and fixing this
vulnerability.


Bypass File System Permissions using crafted symlinks
(CVE-2025-55130) - (High)

A flaw in Node.js’s Permissions model allows attackers to
bypass --allow-fs-read and --allow-fs-write restrictions using
crafted relative symlink paths. By chaining directories and
symlinks, a script granted access only to the current directory
can escape the allowed path and read sensitive files. This
breaks the expected isolation guarantees and enables arbitrary
file read/write, leading to potential system compromise.

Impact:

    This vulnerability affects users of the permission model on
Node.js v20, v22, v24, and v25.

Thank you, to natann for reporting this vulnerability and thank
you RafaelGSS for fixing it.


Node.js HTTP/2 server crashes with unhandled error when receiving
malformed HEADERS frame (CVE-2025-59465) - (High)

A malformed HTTP/2 HEADERS frame with oversized, invalid HPACK
data can cause Node.js to crash by triggering an unhandled
TLSSocket error ECONNRESET. Instead of safely closing the
connection, the process crashes, enabling a remote denial of
service. This primarily affects applications that do not
attach explicit error handlers to secure sockets, for example:

server.on('secureConnection', socket => {
  // an 'error' listener on each TLSSocket keeps an ECONNRESET from
  // becoming an unhandled error that terminates the process
  socket.on('error', err => {
    console.log(err);
  });
});

Impact:

    This vulnerability affects all users in active release lines:
20.x, 22.x, 24.x, 25.x

Thank you, to dantt for reporting this vulnerability and thank you
RafaelGSS for fixing it.


Uncatchable "Maximum call stack size exceeded" error on Node.js via
async_hooks leads to process crashes bypassing error handlers
(CVE-2025-59466) - (Medium)

We have identified a bug in Node.js error handling where "Maximum
call stack size exceeded" errors become uncatchable when
async_hooks.createHook() is enabled. Instead of reaching
process.on('uncaughtException'), the process terminates, making
the crash unrecoverable. Applications that rely on
AsyncLocalStorage (v22, v20) or
async_hooks.createHook() (v24, v22, v20) become vulnerable to
denial-of-service crashes triggered by deep recursion under
specific conditions.

Impact:

    This vulnerability affects all users in active release lines:
20.x, 22.x, 24.x, 25.x

Thank you, to Andrew MacPherson (AndrewMohawk) for identifying
& aaron_vercel for reporting this vulnerability and thank you
mcollina for fixing it.


Memory leak that enables remote Denial of Service against
applications processing TLS client certificates
(CVE-2025-59464) - (Medium)

A memory leak in Node.js’s OpenSSL integration occurs when
converting X.509 certificate fields to UTF-8 without freeing
the allocated buffer. When applications call
socket.getPeerCertificate(true), each certificate field leaks
memory, allowing remote clients to trigger steady memory
growth through repeated TLS connections. Over time this can
lead to resource exhaustion and denial of service.

Impact:

    This vulnerability affects all users in active release
lines: 20.x, 22.x, 24.x

Thank you, to giant_anteater for reporting this vulnerability
and thank you RafaelGSS for fixing it.


Node.js permission model bypass via unchecked Unix Domain Socket
connections (UDS) (CVE-2026-21636) - (Medium)

A flaw in Node.js's permission model allows Unix Domain Socket
(UDS) connections to bypass network restrictions when --permission
is enabled. Even without --allow-net, attacker-controlled inputs
(such as URLs or socketPath options) can connect to arbitrary
local sockets via net, tls, or undici/fetch. This breaks the
intended security boundary of the permission model and enables
access to privileged local services, potentially leading to
privilege escalation, data exposure, or local code execution.

At the time of this vulnerability, network permissions
(--allow-net) are still experimental.

Impact:

    The issue affects users of the Node.js permission model
on version v25.

Thank you, to mufeedvh for reporting this vulnerability and
thank you RafaelGSS for fixing it.


TLS PSK/ALPN Callback Exceptions Bypass Error Handlers, Causing
DoS and FD Leak (CVE-2026-21637) - (Medium)

A flaw in Node.js TLS error handling allows remote attackers to
crash or exhaust resources of a TLS server when pskCallback or
ALPNCallback are in use. Synchronous exceptions thrown during
these callbacks bypass standard TLS error handling paths
(tlsClientError and error), causing either immediate process
termination or silent file descriptor leaks that eventually lead
to denial of service. Because these callbacks process
attacker-controlled input during the TLS handshake, a remote
client can repeatedly trigger the issue.

Impact:

    This vulnerability affects TLS servers using PSK or ALPN
callbacks across Node.js versions where these callbacks throw
without being safely wrapped.

Thank you, to 0xmaxhax for reporting this vulnerability and
thank you mcollina for fixing it.


fs.futimes() Bypasses Read-Only Permission Model
(CVE-2025-55132) - (Low)

A flaw in Node.js's permission model allows a file's access and
modification timestamps to be changed via futimes() even when
the process has only read permissions.

Unlike utimes(), futimes() does not apply the expected
write-permission checks, which means file metadata can be
modified in read-only directories. This behavior could be
used to alter timestamps in ways that obscure activity,
reducing the reliability of logs.

Impact:

    This vulnerability affects users of the permission model on
Node.js v20, v22, v24, and v25.

Thank you, to oriotie for reporting this vulnerability and
thank you RafaelGSS for fixing it.


Downloads and release details

    Node.js 20.20.0
    Node.js 22.22.0
    Node.js 24.13.0
    Node.js 25.3.0


Summary

The Node.js project will release new versions of the 25.x, 24.x,
22.x, 20.x release lines on or shortly after
Monday, December 15, 2025 in order to address:

    3 high severity issues.
    1 low severity issue.
    1 medium severity issue.


Impact

The 25.x release line of Node.js is vulnerable to 3 high severity
issues, 1 low severity issue. The 24.x release line of Node.js is
vulnerable to 3 high severity issues, 1 low severity issue, 1
medium severity issue. The 22.x release line of Node.js is
vulnerable to 3 high severity issues, 1 low severity issue,
1 medium severity issue. The 20.x release line of Node.js is
vulnerable to 3 high severity issues, 1 low severity issue,
1 medium severity issue.

It's important to note that End-of-Life versions are always
affected when a security release occurs. To ensure your
system's security, please use an up-to-date version as
outlined in our Release Schedule.


Release timing

Releases will be available on, or shortly after, Monday, December 15, 2025.


Contact and future updates

The current Node.js security policy can be found at
https://nodejs.org/en/security/. Please follow the process outlined in
https://github.com/nodejs/node/blob/master/SECURITY.md if you wish to
report a vulnerability in Node.js.

Subscribe to the low-volume announcement-only nodejs-sec mailing list
at https://groups.google.com/forum/#!forum/nodejs-sec to stay up to
date on security vulnerabilities and security-related releases of
Node.js and the projects maintained in the nodejs GitHub
organization.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
