SUSE update for nodejs20



Risk Medium
Patch available YES
Number of vulnerabilities 3
CVE-ID CVE-2025-22150
CVE-2025-23083
CVE-2025-23085
CWE-ID CWE-330
CWE-264
CWE-401
Exploitation vector Network
Public exploit N/A
Vulnerable software
Web and Scripting Module
Operating systems & Components / Operating system

openSUSE Leap
Operating systems & Components / Operating system

SUSE Linux Enterprise Server for SAP Applications 15
Operating systems & Components / Operating system

SUSE Linux Enterprise Server 15
Operating systems & Components / Operating system

nodejs20-docs
Operating systems & Components / Operating system package or component

nodejs20-debuginfo
Operating systems & Components / Operating system package or component

nodejs20
Operating systems & Components / Operating system package or component

nodejs20-devel
Operating systems & Components / Operating system package or component

corepack20
Operating systems & Components / Operating system package or component

nodejs20-debugsource
Operating systems & Components / Operating system package or component

npm20
Operating systems & Components / Operating system package or component

Vendor SUSE

Security Bulletin

This security bulletin contains information about 3 vulnerabilities.

1) Use of insufficiently random values

EUVDB-ID: #VU103227

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-22150

CWE-ID: CWE-330 - Use of Insufficiently Random Values

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to the application uses "Math.random()" from the fetch() function to choose the boundary for a "multipart/form-data" request. A remote attacker with ability to intercept traffic can tamper with the requests going to the backend APIs.

Mitigation

Update the affected package nodejs20 to the latest version.

Vulnerable software versions

Web and Scripting Module: 15-SP6

openSUSE Leap: 15.6

SUSE Linux Enterprise Server for SAP Applications 15: SP6

SUSE Linux Enterprise Server 15: SP6

nodejs20-docs: before 20.18.2-150600.3.9.1

nodejs20-debuginfo: before 20.18.2-150600.3.9.1

nodejs20: before 20.18.2-150600.3.9.1

nodejs20-devel: before 20.18.2-150600.3.9.1

corepack20: before 20.18.2-150600.3.9.1

nodejs20-debugsource: before 20.18.2-150600.3.9.1

npm20: before 20.18.2-150600.3.9.1

CPE2.3 External links

https://www.suse.com/support/update/announcement/2025/suse-su-20250237-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU103222

Risk: Low

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2025-23083

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote user to bypass implemented security restrictions.

The vulnerability exists due to improperly imposed security restrictions when handling diagnostics data with diagnostics_channel utility. A remote user can hook the utility to internal workers and gain access to sensitive information.

Mitigation

Update the affected package nodejs20 to the latest version.

Vulnerable software versions

Web and Scripting Module: 15-SP6

openSUSE Leap: 15.6

SUSE Linux Enterprise Server for SAP Applications 15: SP6

SUSE Linux Enterprise Server 15: SP6

nodejs20-docs: before 20.18.2-150600.3.9.1

nodejs20-debuginfo: before 20.18.2-150600.3.9.1

nodejs20: before 20.18.2-150600.3.9.1

nodejs20-devel: before 20.18.2-150600.3.9.1

corepack20: before 20.18.2-150600.3.9.1

nodejs20-debugsource: before 20.18.2-150600.3.9.1

npm20: before 20.18.2-150600.3.9.1

CPE2.3 External links

https://www.suse.com/support/update/announcement/2025/suse-su-20250237-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Memory leak

EUVDB-ID: #VU103225

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-23085

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform DoS attack on the target system.

The vulnerability exists due memory leak when a remote peer abruptly closes the socket without sending a GOAWAY notification. A remote attacker can force the application to leak memory and perform denial of service attack.

Mitigation

Update the affected package nodejs20 to the latest version.

Vulnerable software versions

Web and Scripting Module: 15-SP6

openSUSE Leap: 15.6

SUSE Linux Enterprise Server for SAP Applications 15: SP6

SUSE Linux Enterprise Server 15: SP6

nodejs20-docs: before 20.18.2-150600.3.9.1

nodejs20-debuginfo: before 20.18.2-150600.3.9.1

nodejs20: before 20.18.2-150600.3.9.1

nodejs20-devel: before 20.18.2-150600.3.9.1

corepack20: before 20.18.2-150600.3.9.1

nodejs20-debugsource: before 20.18.2-150600.3.9.1

npm20: before 20.18.2-150600.3.9.1

CPE2.3 External links

https://www.suse.com/support/update/announcement/2025/suse-su-20250237-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###