Security update for nodejs22

Announcement ID:	SUSE-SU-2026:20436-1
Release Date:	2026-02-15T09:26:17Z
Rating:	important
References:	bsc#1256569 bsc#1256570 bsc#1256571 bsc#1256573 bsc#1256574 bsc#1256576 bsc#1256848
Cross-References:	CVE-2025-55130 CVE-2025-55131 CVE-2025-55132 CVE-2025-59465 CVE-2025-59466 CVE-2026-21637 CVE-2026-22036
CVSS scores:	CVE-2025-55130 ( SUSE ): 9.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVE-2025-55130 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2025-55130 ( NVD ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVE-2025-55130 ( NVD ): 7.1 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N CVE-2025-55131 ( SUSE ): 9.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVE-2025-55131 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2025-55131 ( NVD ): 7.1 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L CVE-2025-55132 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N CVE-2025-55132 ( SUSE ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N CVE-2025-55132 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2025-55132 ( NVD ): 2.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N CVE-2025-59465 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2025-59465 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2025-59465 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2025-59466 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2025-59466 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2025-59466 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2025-59466 ( NVD ): 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2026-21637 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVE-2026-21637 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2026-21637 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2026-21637 ( NVD ): 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2026-22036 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVE-2026-22036 ( SUSE ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2026-22036 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2026-22036 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:	SUSE Linux Enterprise Server 16.0 SUSE Linux Enterprise Server for SAP Applications 16.0

An update that solves seven vulnerabilities can now be installed.

Description:

This update for nodejs22 fixes the following issues:

Update to 22.22.0:

• CVE-2025-55130: file system permissions bypass via crafted symlinks (bsc#1256569).
• CVE-2025-55131: timeout-based race conditions allow for allocations that contain leftover data from previous operations and lead to exposure of in-process secrets (bsc#1256570).
• CVE-2025-55132: a file's access and modification timestamps can be changed via futimes() even when the process has only read permissions (bsc#1256571).
• CVE-2025-59465: malformed HTTP/2 HEADERS frame with invalid HPACK data can cause a crash due to an unhandled error (bsc#1256573).
• CVE-2025-59466: uncatchable "Maximum call stack size exceeded" error when async_hooks.createHook() is enabled can lead to crash (bsc#1256574).
• CVE-2026-21637: synchronous exceptions thrown during certain callbacks bypass the standard TLS error handling paths and can cause a denial of service (bsc#1256576).
• CVE-2026-22036: undici: unbounded decompression chain in HTTP responses via Content-Encoding may lead to resource exhaustion (bsc#1256848).

For full changelog, please see https://nodejs.org/en/blog

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Server 16.0
  zypper in -t patch SUSE-SLES-16.0-287=1
• SUSE Linux Enterprise Server for SAP Applications 16.0
  zypper in -t patch SUSE-SLES-16.0-287=1

Package List:

• SUSE Linux Enterprise Server 16.0 (aarch64 ppc64le s390x x86_64)
  • nodejs22-devel-22.22.0-160000.1.1
  • nodejs22-debuginfo-22.22.0-160000.1.1
  • npm22-22.22.0-160000.1.1
  • nodejs22-22.22.0-160000.1.1
  • corepack22-22.22.0-160000.1.1
  • nodejs22-debugsource-22.22.0-160000.1.1
• SUSE Linux Enterprise Server 16.0 (noarch)
  • nodejs22-docs-22.22.0-160000.1.1
• SUSE Linux Enterprise Server for SAP Applications 16.0 (ppc64le x86_64)
  • nodejs22-devel-22.22.0-160000.1.1
  • nodejs22-debuginfo-22.22.0-160000.1.1
  • npm22-22.22.0-160000.1.1
  • nodejs22-22.22.0-160000.1.1
  • corepack22-22.22.0-160000.1.1
  • nodejs22-debugsource-22.22.0-160000.1.1
• SUSE Linux Enterprise Server for SAP Applications 16.0 (noarch)
  • nodejs22-docs-22.22.0-160000.1.1

References:

• https://www.suse.com/security/cve/CVE-2025-55130.html
• https://www.suse.com/security/cve/CVE-2025-55131.html
• https://www.suse.com/security/cve/CVE-2025-55132.html
• https://www.suse.com/security/cve/CVE-2025-59465.html
• https://www.suse.com/security/cve/CVE-2025-59466.html
• https://www.suse.com/security/cve/CVE-2026-21637.html
• https://www.suse.com/security/cve/CVE-2026-22036.html
• https://bugzilla.suse.com/show_bug.cgi?id=1256569
• https://bugzilla.suse.com/show_bug.cgi?id=1256570
• https://bugzilla.suse.com/show_bug.cgi?id=1256571
• https://bugzilla.suse.com/show_bug.cgi?id=1256573
• https://bugzilla.suse.com/show_bug.cgi?id=1256574
• https://bugzilla.suse.com/show_bug.cgi?id=1256576
• https://bugzilla.suse.com/show_bug.cgi?id=1256848