{"schema_version":"1.7.2","id":"OESA-2026-2820","modified":"2026-07-06T06:26:40Z","published":"2026-07-06T06:26:40Z","upstream":["CVE-2025-59465","CVE-2026-21637","CVE-2026-21714"],"summary":"nodejs security update","details":"Node.js is a platform built on Chrome&amp;apos;s JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices.\r\n\r\nSecurity Fix(es):\n\nA malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets, for example:\n```\nserver.on(&apos;secureConnection&apos;, socket =&gt; {\n  socket.on(&apos;error&apos;, err =&gt; {\n    console.log(err)\n  })\n})\n```(CVE-2025-59465)\n\nA flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across Node.js versions where these callbacks throw without being safely wrapped.(CVE-2026-21637)\n\nA memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2³¹-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up.\n\nThis vulnerability affects HTTP2 users on Node.js 20, 22, 24 and 25.(CVE-2026-21714)","affected":[{"package":{"ecosystem":"openEuler:20.03-LTS-SP4","name":"nodejs","purl":"pkg:rpm/openEuler/nodejs&distro=openEuler-20.03-LTS-SP4"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"12.22.11-11.oe2003sp4"}]}],"ecosystem_specific":{"aarch64":["nodejs-12.22.11-11.oe2003sp4.aarch64.rpm","nodejs-debuginfo-12.22.11-11.oe2003sp4.aarch64.rpm","nodejs-debugsource-12.22.11-11.oe2003sp4.aarch64.rpm","nodejs-devel-12.22.11-11.oe2003sp4.aarch64.rpm","nodejs-full-i18n-12.22.11-11.oe2003sp4.aarch64.rpm","nodejs-libs-12.22.11-11.oe2003sp4.aarch64.rpm","npm-6.14.16-1.12.22.11.11.oe2003sp4.aarch64.rpm","v8-devel-7.8.279.23-1.12.22.11.11.oe2003sp4.aarch64.rpm"],"noarch":["nodejs-docs-12.22.11-11.oe2003sp4.noarch.rpm"],"src":["nodejs-12.22.11-11.oe2003sp4.src.rpm"],"x86_64":["nodejs-12.22.11-11.oe2003sp4.x86_64.rpm","nodejs-debuginfo-12.22.11-11.oe2003sp4.x86_64.rpm","nodejs-debugsource-12.22.11-11.oe2003sp4.x86_64.rpm","nodejs-devel-12.22.11-11.oe2003sp4.x86_64.rpm","nodejs-full-i18n-12.22.11-11.oe2003sp4.x86_64.rpm","nodejs-libs-12.22.11-11.oe2003sp4.x86_64.rpm","npm-6.14.16-1.12.22.11.11.oe2003sp4.x86_64.rpm","v8-devel-7.8.279.23-1.12.22.11.11.oe2003sp4.x86_64.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2820"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-59465"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-21637"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-21714"}],"database_specific":{"severity":"High"}}
