
=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN111
_____________________________________________________________________

DATE                : 03/02/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Node.js with OpenSSL versions 3.0
                     and 3.5.

=====================================================================
https://nodejs.org/en/blog/vulnerability/openssl-fixes-in-regular-releases-jan2026
_____________________________________________________________________

OpenSSL Security Advisory Assessment, January 2026

The Node.js Project


Summary

The OpenSSL project released a security advisory that includes 12 
CVEs. After assessment, we have concluded that three CVEs affect 
Node.js (severity Low to Moderate). Given the limited attack surface, 
the OpenSSL updates will be included in upcoming regular Node.js 
releases rather than dedicated security releases.


Analysis

All three vulnerabilities relate to how Node.js processes PFX 
(PKCS#12) certificate files, which are used when configuring TLS 
connections via the pfx option. An attacker would need to provide a 
specially crafted PFX file to trigger any of these issues. Since PFX 
files typically come from trusted local sources (e.g., your own 
private keys and certificates), the attack surface is limited in 
practice.


CVE-2025-11187: Stack buffer overflow in PBMAC1 MAC verification - 
Moderate
Branch   OpenSSL Version   Affected
v20.x    3.0.15            No
v22.x    3.5.4             Yes
v24.x    3.5.4             Yes
v25.x    3.5.4             Yes
main     3.5.4             Yes

OpenSSL 3.0 (used by v20.x) does not support PBMAC1 and is therefore 
not affected.


CVE-2025-69421: NULL pointer dereference in 
PKCS12_item_decrypt_d2i_ex() - Low
Branch   OpenSSL Version   Affected
v20.x    3.0.15            Yes
v22.x    3.5.4             Yes
v24.x    3.5.4             Yes
v25.x    3.5.4             Yes
main     3.5.4             Yes

This function is called internally by PKCS12_parse(). All branches are 
affected.


CVE-2026-22795: Type confusion during PKCS#12 parsing - Low
Branch   OpenSSL Version   Affected
v20.x    3.0.15            Yes
v22.x    3.5.4             Yes
v24.x    3.5.4             Yes
v25.x    3.5.4             Yes
main     3.5.4             Yes

Both OpenSSL 3.0 and 3.5 are vulnerable. All branches are affected.


CVEs that do not affect Node.js

The following 9 CVEs do not affect Node.js on any branch:

    CVE-2025-15467 (High, CMS AuthEnvelopedData): Node.js does not use
    CMS APIs.

    CVE-2025-15468 (Low, SSL_CIPHER_find + QUIC): Node.js never calls
    SSL_CIPHER_find().

    CVE-2025-15469 (Low, openssl dgst truncation): Command-line tool
    only.

    CVE-2025-66199 (Low, TLS 1.3 CompressedCertificate): Node.js
    builds with OPENSSL_NO_COMP on all branches, so certificate
    compression is disabled.

    CVE-2025-68160 (Low, BIO_f_linebuffer): Node.js does not use this
    BIO filter.

    CVE-2025-69418 (Low, low-level OCB): Node.js uses the EVP API,
    which the advisory confirms avoids the vulnerable path.

    CVE-2025-69419 (Low, PKCS12_get_friendlyname): Node.js does not
    call this function; the advisory notes PKCS12_parse() uses a
    separate safe path.

    CVE-2025-69420 (Low, TS_RESP_verify_response): Node.js does not
    use timestamp protocol APIs.

    CVE-2026-22796 (Low, PKCS7_digest_from_attributes): Node.js does
    not call PKCS#7 signature verification APIs.


Contact and future updates

The current Node.js security policy can be found at 
https://github.com/nodejs/node/security/policy#security, including 
information on how to report a vulnerability in Node.js.

Subscribe to the low-volume announcement-only nodejs-sec mailing list 
at https://groups.google.com/forum/#!forum/nodejs-sec to stay up to 
date on security vulnerabilities and security-related releases of 
Node.js and the projects maintained in the nodejs GitHub organization.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================