<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">
	<DocumentTitle xml:lang="en">An update for nodejs is now available for openEuler-20.03-LTS-SP4</DocumentTitle>
	<DocumentType>Security Advisory</DocumentType>
	<DocumentPublisher Type="Vendor">
		<ContactDetails>openeuler-security@openeuler.org</ContactDetails>
		<IssuingAuthority>openEuler security committee</IssuingAuthority>
	</DocumentPublisher>
	<DocumentTracking>
		<Identification>
			<ID>openEuler-SA-2026-2820</ID>
		</Identification>
		<Status>Final</Status>
		<Version>1.0</Version>
		<RevisionHistory>
			<Revision>
				<Number>1.0</Number>
				<Date>2026-07-06</Date>
				<Description>Initial</Description>
			</Revision>
		</RevisionHistory>
		<InitialReleaseDate>2026-07-06</InitialReleaseDate>
		<CurrentReleaseDate>2026-07-06</CurrentReleaseDate>
		<Generator>
			<Engine>openEuler SA Tool V1.0</Engine>
			<Date>2026-07-06</Date>
		</Generator>
	</DocumentTracking>
	<DocumentNotes>
		<Note Title="Synopsis" Type="General" Ordinal="1" xml:lang="en">nodejs security update</Note>
		<Note Title="Summary" Type="General" Ordinal="2" xml:lang="en">An update for nodejs is now available for openEuler-20.03-LTS-SP4</Note>
		<Note Title="Description" Type="General" Ordinal="3" xml:lang="en">Node.js is a platform built on Chrome&amp;apos;s JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices.

Security Fix(es):

A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets, for example:
```
server.on(&apos;secureConnection&apos;, socket =&gt; {
  socket.on(&apos;error&apos;, err =&gt; {
    console.log(err)
  })
})
```(CVE-2025-59465)

A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across Node.js versions where these callbacks throw without being safely wrapped.(CVE-2026-21637)

A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2³¹-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up.

This vulnerability affects HTTP2 users on Node.js 20, 22, 24 and 25.(CVE-2026-21714)</Note>
		<Note Title="Topic" Type="General" Ordinal="4" xml:lang="en">An update for nodejs is now available for master/openEuler-20.03-LTS-SP4/openEuler-22.03-LTS-SP3/openEuler-22.03-LTS-SP4/openEuler-24.03-LTS/openEuler-24.03-LTS-Next/openEuler-24.03-LTS-SP1/openEuler-24.03-LTS-SP2/openEuler-24.03-LTS-SP3.

openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.</Note>
		<Note Title="Severity" Type="General" Ordinal="5" xml:lang="en">High</Note>
		<Note Title="Affected Component" Type="General" Ordinal="6" xml:lang="en">nodejs</Note>
	</DocumentNotes>
	<DocumentReferences>
		<Reference Type="Self">
			<URL>https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2820</URL>
		</Reference>
		<Reference Type="openEuler CVE">
			<URL>https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-59465</URL>
			<URL>https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-21637</URL>
			<URL>https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-21714</URL>
		</Reference>
		<Reference Type="Other">
			<URL>https://nvd.nist.gov/vuln/detail/CVE-2025-59465</URL>
			<URL>https://nvd.nist.gov/vuln/detail/CVE-2026-21637</URL>
			<URL>https://nvd.nist.gov/vuln/detail/CVE-2026-21714</URL>
		</Reference>
	</DocumentReferences>
	<ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
		<Branch Type="Product Name" Name="openEuler">
			<FullProductName ProductID="openEuler-20.03-LTS-SP4" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP4">openEuler-20.03-LTS-SP4</FullProductName>
		</Branch>
		<Branch Type="Package Arch" Name="aarch64">
			<FullProductName ProductID="nodejs-12.22.11-11" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP4">nodejs-12.22.11-11.oe2003sp4.aarch64.rpm</FullProductName>
			<FullProductName ProductID="nodejs-debuginfo-12.22.11-11" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP4">nodejs-debuginfo-12.22.11-11.oe2003sp4.aarch64.rpm</FullProductName>
			<FullProductName ProductID="nodejs-debugsource-12.22.11-11" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP4">nodejs-debugsource-12.22.11-11.oe2003sp4.aarch64.rpm</FullProductName>
			<FullProductName ProductID="nodejs-devel-12.22.11-11" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP4">nodejs-devel-12.22.11-11.oe2003sp4.aarch64.rpm</FullProductName>
			<FullProductName ProductID="nodejs-full-i18n-12.22.11-11" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP4">nodejs-full-i18n-12.22.11-11.oe2003sp4.aarch64.rpm</FullProductName>
			<FullProductName ProductID="nodejs-libs-12.22.11-11" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP4">nodejs-libs-12.22.11-11.oe2003sp4.aarch64.rpm</FullProductName>
			<FullProductName ProductID="npm-6.14.16-1.12.22.11.11" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP4">npm-6.14.16-1.12.22.11.11.oe2003sp4.aarch64.rpm</FullProductName>
			<FullProductName ProductID="v8-devel-7.8.279.23-1.12.22.11.11" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP4">v8-devel-7.8.279.23-1.12.22.11.11.oe2003sp4.aarch64.rpm</FullProductName>
		</Branch>
		<Branch Type="Package Arch" Name="src">
			<FullProductName ProductID="nodejs-12.22.11-11" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP4">nodejs-12.22.11-11.oe2003sp4.src.rpm</FullProductName>
		</Branch>
		<Branch Type="Package Arch" Name="x86_64">
			<FullProductName ProductID="nodejs-12.22.11-11" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP4">nodejs-12.22.11-11.oe2003sp4.x86_64.rpm</FullProductName>
			<FullProductName ProductID="nodejs-debuginfo-12.22.11-11" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP4">nodejs-debuginfo-12.22.11-11.oe2003sp4.x86_64.rpm</FullProductName>
			<FullProductName ProductID="nodejs-debugsource-12.22.11-11" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP4">nodejs-debugsource-12.22.11-11.oe2003sp4.x86_64.rpm</FullProductName>
			<FullProductName ProductID="nodejs-devel-12.22.11-11" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP4">nodejs-devel-12.22.11-11.oe2003sp4.x86_64.rpm</FullProductName>
			<FullProductName ProductID="nodejs-full-i18n-12.22.11-11" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP4">nodejs-full-i18n-12.22.11-11.oe2003sp4.x86_64.rpm</FullProductName>
			<FullProductName ProductID="nodejs-libs-12.22.11-11" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP4">nodejs-libs-12.22.11-11.oe2003sp4.x86_64.rpm</FullProductName>
			<FullProductName ProductID="npm-6.14.16-1.12.22.11.11" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP4">npm-6.14.16-1.12.22.11.11.oe2003sp4.x86_64.rpm</FullProductName>
			<FullProductName ProductID="v8-devel-7.8.279.23-1.12.22.11.11" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP4">v8-devel-7.8.279.23-1.12.22.11.11.oe2003sp4.x86_64.rpm</FullProductName>
		</Branch>
		<Branch Type="Package Arch" Name="noarch">
			<FullProductName ProductID="nodejs-docs-12.22.11-11" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP4">nodejs-docs-12.22.11-11.oe2003sp4.noarch.rpm</FullProductName>
		</Branch>
	</ProductTree>
	<Vulnerability Ordinal="1" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
		<Notes>
			<Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets, for example:
```
server.on(&apos;secureConnection&apos;, socket =&gt; {
  socket.on(&apos;error&apos;, err =&gt; {
    console.log(err)
  })
})
```</Note>
		</Notes>
		<ReleaseDate>2026-07-06</ReleaseDate>
		<CVE>CVE-2025-59465</CVE>
		<ProductStatuses>
			<Status Type="Fixed">
				<ProductID>openEuler-20.03-LTS-SP4</ProductID>
			</Status>
		</ProductStatuses>
		<Threats>
			<Threat Type="Impact">
				<Description>High</Description>
			</Threat>
		</Threats>
		<CVSSScoreSets>
			<ScoreSet>
				<BaseScore>7.5</BaseScore>
				<Vector>AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</Vector>
			</ScoreSet>
		</CVSSScoreSets>
		<Remediations>
			<Remediation Type="Vendor Fix">
				<Description>nodejs security update</Description>
				<DATE>2026-07-06</DATE>
				<URL>https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2820</URL>
			</Remediation>
		</Remediations>
	</Vulnerability>
	<Vulnerability Ordinal="2" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
		<Notes>
			<Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across Node.js versions where these callbacks throw without being safely wrapped.</Note>
		</Notes>
		<ReleaseDate>2026-07-06</ReleaseDate>
		<CVE>CVE-2026-21637</CVE>
		<ProductStatuses>
			<Status Type="Fixed">
				<ProductID>openEuler-20.03-LTS-SP4</ProductID>
			</Status>
		</ProductStatuses>
		<Threats>
			<Threat Type="Impact">
				<Description>High</Description>
			</Threat>
		</Threats>
		<CVSSScoreSets>
			<ScoreSet>
				<BaseScore>7.5</BaseScore>
				<Vector>AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</Vector>
			</ScoreSet>
		</CVSSScoreSets>
		<Remediations>
			<Remediation Type="Vendor Fix">
				<Description>nodejs security update</Description>
				<DATE>2026-07-06</DATE>
				<URL>https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2820</URL>
			</Remediation>
		</Remediations>
	</Vulnerability>
	<Vulnerability Ordinal="3" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
		<Notes>
			<Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2³¹-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up.

This vulnerability affects HTTP2 users on Node.js 20, 22, 24 and 25.</Note>
		</Notes>
		<ReleaseDate>2026-07-06</ReleaseDate>
		<CVE>CVE-2026-21714</CVE>
		<ProductStatuses>
			<Status Type="Fixed">
				<ProductID>openEuler-20.03-LTS-SP4</ProductID>
			</Status>
		</ProductStatuses>
		<Threats>
			<Threat Type="Impact">
				<Description>Medium</Description>
			</Threat>
		</Threats>
		<CVSSScoreSets>
			<ScoreSet>
				<BaseScore>5.3</BaseScore>
				<Vector>AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L</Vector>
			</ScoreSet>
		</CVSSScoreSets>
		<Remediations>
			<Remediation Type="Vendor Fix">
				<Description>nodejs security update</Description>
				<DATE>2026-07-06</DATE>
				<URL>https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2820</URL>
			</Remediation>
		</Remediations>
	</Vulnerability>
</cvrfdoc>