{"id":"MGASA-2026-0009","summary":"Updated nodejs packages fix security vulnerabilities","details":"Node.js HTTP/2 server crashes with unhandled error when receiving\nmalformed HEADERS frame. (CVE-2025-59465)\nUncatchable \"Maximum call stack size exceeded\" error on Node.js via\nasync_hooks leads to process crashes bypassing error handlers.\n(CVE-2025-59466)\nBypass File System Permissions using crafted symlinks. (CVE-2025-55130)\nTimeout-based race conditions make Uint8Array/Buffer.alloc\nnon-zerofilled. (CVE-2025-55131)\nfs.futimes() Bypasses Read-Only Permission Model. (CVE-2025-55132)\nTLS PSK/ALPN Callback Exceptions Bypass Error Handlers, Causing DoS and\nFD Leak. (CVE-2026-21637)\n","modified":"2026-04-16T00:09:50.550934082Z","published":"2026-01-17T02:48:20Z","upstream":["CVE-2025-55130","CVE-2025-55131","CVE-2025-55132","CVE-2025-59465","CVE-2025-59466","CVE-2026-21637"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2026-0009.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=34995"},{"type":"WEB","url":"https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"},{"type":"WEB","url":"https://nodejs.org/en/blog/release/v22.22.0"}],"affected":[{"package":{"name":"nodejs","ecosystem":"Mageia:9","purl":"pkg:rpm/mageia/nodejs?arch=source&distro=mageia-9"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"22.22.0-1.mga9"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2026-0009.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}