SUSE update for nodejs18



Risk Medium
Patch available YES
Number of vulnerabilities 2
CVE-ID CVE-2025-22150
CVE-2025-23085
CWE-ID CWE-330
CWE-401
Exploitation vector Network
Public exploit N/A
Vulnerable software
SUSE Linux Enterprise Server 12 SP5 LTSS Extended
Operating systems & Components / Operating system

SUSE Linux Enterprise Server 12 SP5
Operating systems & Components / Operating system

SUSE Linux Enterprise Server for SAP Applications 12
Operating systems & Components / Operating system

SUSE Linux Enterprise Server 12
Operating systems & Components / Operating system

SUSE Linux Enterprise High Performance Computing 12
Operating systems & Components / Operating system

nodejs18-docs
Operating systems & Components / Operating system package or component

nodejs18-devel
Operating systems & Components / Operating system package or component

npm18
Operating systems & Components / Operating system package or component

nodejs18
Operating systems & Components / Operating system package or component

nodejs18-debuginfo
Operating systems & Components / Operating system package or component

nodejs18-debugsource
Operating systems & Components / Operating system package or component

Vendor SUSE

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Use of insufficiently random values

EUVDB-ID: #VU103227

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-22150

CWE-ID: CWE-330 - Use of Insufficiently Random Values

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to the application uses "Math.random()" from the fetch() function to choose the boundary for a "multipart/form-data" request. A remote attacker with ability to intercept traffic can tamper with the requests going to the backend APIs.

Mitigation

Update the affected package nodejs18 to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Server 12 SP5 LTSS Extended: Security

SUSE Linux Enterprise Server 12 SP5: LTSS

SUSE Linux Enterprise Server for SAP Applications 12: SP5

SUSE Linux Enterprise Server 12: SP5

SUSE Linux Enterprise High Performance Computing 12: SP5

nodejs18-docs: before 18.20.6-8.33.1

nodejs18-devel: before 18.20.6-8.33.1

npm18: before 18.20.6-8.33.1

nodejs18: before 18.20.6-8.33.1

nodejs18-debuginfo: before 18.20.6-8.33.1

nodejs18-debugsource: before 18.20.6-8.33.1

CPE2.3 External links

https://www.suse.com/support/update/announcement/2025/suse-su-20250234-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Memory leak

EUVDB-ID: #VU103225

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-23085

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform DoS attack on the target system.

The vulnerability exists due memory leak when a remote peer abruptly closes the socket without sending a GOAWAY notification. A remote attacker can force the application to leak memory and perform denial of service attack.

Mitigation

Update the affected package nodejs18 to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Server 12 SP5 LTSS Extended: Security

SUSE Linux Enterprise Server 12 SP5: LTSS

SUSE Linux Enterprise Server for SAP Applications 12: SP5

SUSE Linux Enterprise Server 12: SP5

SUSE Linux Enterprise High Performance Computing 12: SP5

nodejs18-docs: before 18.20.6-8.33.1

nodejs18-devel: before 18.20.6-8.33.1

npm18: before 18.20.6-8.33.1

nodejs18: before 18.20.6-8.33.1

nodejs18-debuginfo: before 18.20.6-8.33.1

nodejs18-debugsource: before 18.20.6-8.33.1

CPE2.3 External links

https://www.suse.com/support/update/announcement/2025/suse-su-20250234-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###