Update Info

SUSE-PackageHub-16.0-541


Security update for nodejs24


Type: security
Severity: important
Issued: 2026-04-13
Description:
This update for nodejs24 fixes the following issues:

Update to version 24.14.1.

Security issues fixed:

- CVE-2026-21717: trivially predictable hash collisions due to flaw in V8's string hashing mechanism allow for
  performance degradation via a crafted request (bsc#1260494).
- CVE-2026-21716: incomplete fix for CVE-2024-36137 allows promise-based FileHandle methods to be used to modify file
  permissions and ownership on already-open file descriptors (bsc#1260462).
- CVE-2026-21715: flaw in the Permission Model filesystem enforcement allows for file existence disclosure and
  filesystem path enumeration via `fs.realpathSync.native()` (bsc#1260482).
- CVE-2026-21714: memory leak in Node.js HTTP/2 server allows for resource exhaustion via `WINDOW_UPDATE` frames sent
  on stream 0 (bsc#1260480).
- CVE-2026-21713: timing side-channel due to flaw in Node.js HMAC verification allows for discovery of HMAC values and
  potential MAC forgery (bsc#1260463).
- CVE-2026-21712: assertion error caused by flaw in URL processing allows for a process crash via a URL with a
  malformed IDN (bsc#1260460).
- CVE-2026-21710: uncaught `TypeError` when handling HTTP requests allows for a process crash via requests with a
  header named `__proto__` when the application accesses `req.headersDistinct` (bsc#1260455).
- CVE-2026-21637: flaw in TLS error handling allows for resource exhaustion and crash when `pskCallback` or
  `ALPNCallback` are in use (bsc#1256576).
- CVE-2025-59464: memory leak allows for remote denial of service against applications processing TLS client
  certificates (bsc#1256572).

Other updates and bugfixes:

- Version 24.14.0:
  * async_hooks: add trackPromises option to createHook()
  * build,deps: replace cjs-module-lexer with merve
  * deps: add LIEF as a dependency
  * events: repurpose events.listenerCount() to accept EventTargets
  * fs: add ignore option to fs.watch
  * http: add http.setGlobalProxyFromEnv()
  * module: allow subpath imports that start with #/
  * process: preserve AsyncLocalStorage in queueMicrotask only when needed
  * sea: split sea binary manipulation code
  * sqlite: enable defensive mode by default
  * sqlite: add sqlite prepare options args
  * src: add initial support for ESM in embedder API
  * stream: add bytes() method to node:stream/consumers
  * stream: do not pass readable.compose() output via Readable.from()
  * test: use fixture directories for sea tests
  * test_runner: add env option to run function
  * test_runner: support expecting a test-case to fail
  * util: add convertProcessSignalToExitCode utility
  * For details, see https://nodejs.org/en/blog/release/v24.14.0



              


Packages


  • nodejs24-24.14.1-160000.1.1