Security update for nodejs22

Announcement ID:	SUSE-SU-2026:0301-1
Release Date:	2026-01-27T08:20:47Z
Rating:	important
References:	bsc#1256569 bsc#1256570 bsc#1256571 bsc#1256573 bsc#1256574 bsc#1256576 bsc#1256848
Cross-References:	CVE-2025-55130 CVE-2025-55131 CVE-2025-55132 CVE-2025-59465 CVE-2025-59466 CVE-2026-21637 CVE-2026-22036
CVSS scores:	CVE-2025-55130 ( SUSE ): 9.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVE-2025-55130 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2025-55130 ( NVD ): 7.1 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N CVE-2025-55131 ( SUSE ): 9.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVE-2025-55131 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2025-55131 ( NVD ): 7.1 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L CVE-2025-55132 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N CVE-2025-55132 ( SUSE ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N CVE-2025-55132 ( NVD ): 2.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N CVE-2025-59465 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2025-59465 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2025-59465 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2025-59466 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2025-59466 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2025-59466 ( NVD ): 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2026-21637 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVE-2026-21637 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2026-21637 ( NVD ): 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2026-22036 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVE-2026-22036 ( SUSE ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2026-22036 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2026-22036 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:	SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7 Web and Scripting Module 15-SP7

An update that solves seven vulnerabilities can now be installed.

Description:

This update for nodejs22 fixes the following issues:

Security fixes:

• CVE-2026-22036: Fixed unbounded decompression chain in HTTP response leading to resource exhaustion (bsc#1256848)
• CVE-2026-21637: Fixed synchronous exceptions thrown during callbacks that bypass TLS error handling and causing denial of service (bsc#1256576)
• CVE-2025-55132: Fixed futimes() ability to acces file even if process has read permissions only (bsc#1256571)
• CVE-2025-55131: Fixed race condition that allowed allocations with leftover data leading to in-process secrets exposure (bsc#1256570)
• CVE-2025-55130: Fixed filesystem permissions bypass via crafted symlinks (bsc#1256569)
• CVE-2025-59465: Fixed malformed HTTP/2 HEADERS frame with invalid HPACK leading to crash (bsc#1256573)
• CVE-2025-59466: Fixed uncatchable "Maximum call stack size exceeded" error leading to crash (bsc#1256574)

Other fixes:

• Update to 22.22.0:
• deps: updated undici to 6.23.0
• deps: updated bundled c-ares to 1.34.6 (if used)
• add TLSSocket default error handler
• disable futimes when permission model is enabled
• require full read and write to symlink APIs
• rethrow stack overflow exceptions in async_hooks
• refactor unsafe buffer creation to remove zero-fill toggle

• route callback exceptions through error handlers

• Update to 22.21.1:

• src: avoid unnecessary string -> char* -> string round trips
• src: remove unnecessary shadowed functions on Utf8Value & BufferValue
• process: fix hrtime fast call signatures

• http: improve writeEarlyHints by avoiding for-of loop

• Update to 22.21.0:

• cli: add --use-env-proxy
• http: support http proxy for fetch under NODE_USE_ENV_PROXY
• http: add shouldUpgradeCallback to let servers control HTTP upgrades
• http,https: add built-in proxy support in http/https.request and Agent

• src: add percentage support to --max-old-space-size

• Update to 22.20.0

• doc: stabilize --disable-sigusr1
• doc: mark path.matchesGlob as stable
• http: add Agent.agentKeepAliveTimeoutBuffer option
• http2: add support for raw header arrays in h2Stream.respond()
• inspector: add http2 tracking support
• sea: implement execArgvExtension
• sea: support execArgv in sea config
• stream: add brotli support to CompressionStream and DecompressionStream
• test_runner: support object property mocking

• worker: add cpu profile APIs for worker

• Update to 22.19.0

• cli: add NODE_USE_SYSTEM_CA=1
• cli: support ${pid} placeholder in --cpu-prof-name
• crypto: add tls.setDefaultCACertificates()
• dns: support max timeout
• doc: update the instruction on how to verify releases
• esm: unflag --experimental-wasm-modules
• http: add server.keepAliveTimeoutBuffer option
• lib: docs deprecate http*
• net: update net.blocklist to allow file save and file management
• process: add threadCpuUsage

• zlib: add dictionary support to zstdCompress and zstdDecompress

• Update to 22.18.0:

• deps: update amaro to 1.1.0
• doc: add all watch-mode related flags to node.1
• doc: add islandryu to collaborators
• esm: implement import.meta.main
• fs: allow correct handling of burst in fs-events with AsyncIterator
• permission: propagate permission model flags on spawn
• sqlite: add support for readBigInts option in db connection level
• src,permission: add support to permission.has(addon)
• url: add fileURLToPathBuffer API
• watch: add --watch-kill-signal flag
• worker: make Worker async disposable

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• Web and Scripting Module 15-SP7
  zypper in -t patch SUSE-SLE-Module-Web-Scripting-15-SP7-2026-301=1

Package List:

• Web and Scripting Module 15-SP7 (aarch64 ppc64le s390x x86_64)
  • npm22-22.22.0-150700.3.6.1
  • nodejs22-22.22.0-150700.3.6.1
  • nodejs22-devel-22.22.0-150700.3.6.1
  • nodejs22-debugsource-22.22.0-150700.3.6.1
  • nodejs22-debuginfo-22.22.0-150700.3.6.1
• Web and Scripting Module 15-SP7 (noarch)
  • nodejs22-docs-22.22.0-150700.3.6.1

References:

• https://www.suse.com/security/cve/CVE-2025-55130.html
• https://www.suse.com/security/cve/CVE-2025-55131.html
• https://www.suse.com/security/cve/CVE-2025-55132.html
• https://www.suse.com/security/cve/CVE-2025-59465.html
• https://www.suse.com/security/cve/CVE-2025-59466.html
• https://www.suse.com/security/cve/CVE-2026-21637.html
• https://www.suse.com/security/cve/CVE-2026-22036.html
• https://bugzilla.suse.com/show_bug.cgi?id=1256569
• https://bugzilla.suse.com/show_bug.cgi?id=1256570
• https://bugzilla.suse.com/show_bug.cgi?id=1256571
• https://bugzilla.suse.com/show_bug.cgi?id=1256573
• https://bugzilla.suse.com/show_bug.cgi?id=1256574
• https://bugzilla.suse.com/show_bug.cgi?id=1256576
• https://bugzilla.suse.com/show_bug.cgi?id=1256848