{"affected":[{"ecosystem_specific":{"binaries":[{"corepack22":"22.22.0-160000.1.1","nodejs22":"22.22.0-160000.1.1","nodejs22-devel":"22.22.0-160000.1.1","nodejs22-docs":"22.22.0-160000.1.1","npm22":"22.22.0-160000.1.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Server 16.0","name":"nodejs22","purl":"pkg:rpm/suse/nodejs22&distro=SUSE%20Linux%20Enterprise%20Server%2016.0"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"22.22.0-160000.1.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"corepack22":"22.22.0-160000.1.1","nodejs22":"22.22.0-160000.1.1","nodejs22-devel":"22.22.0-160000.1.1","nodejs22-docs":"22.22.0-160000.1.1","npm22":"22.22.0-160000.1.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Server for SAP applications 16.0","name":"nodejs22","purl":"pkg:rpm/suse/nodejs22&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"22.22.0-160000.1.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for nodejs22 fixes the following issues:\n\nUpdate to 22.22.0:\n\n- CVE-2025-55130: file system permissions bypass via crafted symlinks (bsc#1256569).\n- CVE-2025-55131: timeout-based race conditions allow for allocations that contain leftover data from previous operations and lead to exposure of in-process secrets (bsc#1256570).\n- CVE-2025-55132: a file's access and modification timestamps can be changed via `futimes()` even when the process has only read permissions (bsc#1256571).\n- CVE-2025-59465: malformed HTTP/2 HEADERS frame with invalid HPACK data can cause a crash due to an unhandled error (bsc#1256573).\n- CVE-2025-59466: uncatchable \"Maximum call stack size exceeded\" error when `async_hooks.createHook()` is enabled can lead to crash (bsc#1256574).\n- CVE-2026-21637: synchronous exceptions thrown during certain callbacks bypass the standard TLS error handling paths and can cause a denial of service (bsc#1256576).\n- CVE-2026-22036: undici: unbounded decompression chain in HTTP responses via Content-Encoding may lead to resource exhaustion (bsc#1256848).\n\nFor full changelog, please see https://nodejs.org/en/blog\n","id":"SUSE-SU-2026:20436-1","modified":"2026-02-15T08:45:21Z","published":"2026-02-15T08:45:21Z","references":[{"type":"ADVISORY","url":"https://www.suse.com/support/update/announcement/2026/suse-su-202620436-1/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1256569"},{"type":"REPORT","url":"https://bugzilla.suse.com/1256570"},{"type":"REPORT","url":"https://bugzilla.suse.com/1256571"},{"type":"REPORT","url":"https://bugzilla.suse.com/1256573"},{"type":"REPORT","url":"https://bugzilla.suse.com/1256574"},{"type":"REPORT","url":"https://bugzilla.suse.com/1256576"},{"type":"REPORT","url":"https://bugzilla.suse.com/1256848"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-55130"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-55131"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-55132"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-59465"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-59466"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2026-21637"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2026-22036"}],"related":["CVE-2025-55130","CVE-2025-55131","CVE-2025-55132","CVE-2025-59465","CVE-2025-59466","CVE-2026-21637","CVE-2026-22036"],"summary":"Security update for nodejs22","upstream":["CVE-2025-55130","CVE-2025-55131","CVE-2025-55132","CVE-2025-59465","CVE-2025-59466","CVE-2026-21637","CVE-2026-22036"]}