Node.js: Updated versions patch high-risk security vulnerabilities

New versions of Node.js fix several security vulnerabilities in the JavaScript runtime environment, some of them rated high-risk.


Several security vulnerabilities, some classified as high-risk, have been discovered in the popular JavaScript runtime environment Node.js. Updated versions, announced in mid-December, have now been released to fix these weaknesses. Developers should ensure that the patched versions are deployed promptly.

In the announcement made on Tuesday of this week, the Node.js developers write that the updates address three high-risk, four medium-risk, and one low-risk vulnerability. Attackers can exploit these to execute injected malicious code, escalate their privileges, bypass security measures, and manipulate data or intercept confidential information, as CERT-Bund summarizes. Additionally, the security releases include updated dependencies to address publicly known vulnerabilities, specifically “c-ares” in version 1.34.6 and “undici” in versions 6.23.0 and 7.18.0.

In the buffer-allocation logic, uninitialized memory can be exposed when the “vm” module is used with a timeout and that timeout interrupts a memory allocation (CVE-2025-55131, CVSS 8.1, Risk “high”). Furthermore, the restrictions imposed by the --allow-fs-read and --allow-fs-write options could be bypassed by concatenating relative symlink paths (CVE-2025-55130, CVSS 7.7, Risk “high”). A crafted “HTTP/2 HEADERS” frame with oversized and invalid “HPACK” data can cause Node.js to crash, leading to a denial of service (CVE-2025-59465, CVSS 7.5, Risk “high”).

Details on the medium-risk and low-risk vulnerabilities can be found in the Node.js developers' announcement. The vulnerabilities are no longer present in Node.js versions 25.3.0, 24.13.0, 22.22.0, and 20.20.0, as well as newer versions. Users should perform the updates promptly.
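A quick way to verify that a host actually runs one of the patched release lines is to compare the runtime's own version data against the minimum fixed versions. The following script is an added example written for this page; it is neither heise's nor the Node.js project's code. The version numbers in the tables are the ones named in the article (Node.js 25.3.0, 24.13.0, 22.22.0, 20.20.0; c-ares 1.34.6; undici 6.23.0 and 7.18.0). It assumes that `process.versions` exposes the bundled c-ares and undici versions under the keys `ares` and `undici`, and it decides which undici line (6.x or 7.x) applies from that reported version rather than from a hard-coded mapping.

```javascript
// Added example: report whether the running Node.js and its bundled c-ares/undici
// are at or above the fixed versions named in the article. Not project code.

// Minimum patched Node.js release per major line, as named in the article.
const FIXED_NODE = { 25: '25.3.0', 24: '24.13.0', 22: '22.22.0', 20: '20.20.0' };

// Updated bundled dependencies named in the article, keyed by their major version.
const FIXED_DEPS = {
  ares:   { 1: '1.34.6' },
  undici: { 6: '6.23.0', 7: '7.18.0' },
};

// Parse "v24.13.0" or "24.13.0-pre" into [major, minor, patch]; null if unparseable.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

// Lexicographic compare of two [major, minor, patch] triples: <0, 0 or >0.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Check one version string against a per-major table of minimum fixed versions.
//   'patched'    -> version >= fixed release for its major line
//   'vulnerable' -> version <  fixed release for its major line
//   'unknown'    -> major line not in the table (e.g. an EOL line) or unparseable input
function checkAgainst(version, table) {
  const parsed = parseVersion(version);
  if (!parsed) return { status: 'unknown', minimum: null };
  const minimum = table[parsed[0]];
  if (!minimum) return { status: 'unknown', minimum: null };
  const status = compareVersions(parsed, parseVersion(minimum)) >= 0 ? 'patched' : 'vulnerable';
  return { status, minimum };
}

// Assess an object shaped like process.versions (keys: node, ares, undici).
function assess(versions) {
  return {
    node:   checkAgainst(versions.node,   FIXED_NODE),
    ares:   checkAgainst(versions.ares,   FIXED_DEPS.ares),
    undici: checkAgainst(versions.undici, FIXED_DEPS.undici),
  };
}

// Print a one-line verdict per component for the live runtime. Returns true when
// nothing is flagged as vulnerable, so a wrapper script can decide its own exit code.
function reportLiveRuntime() {
  const versions = typeof process !== 'undefined' ? process.versions : {};
  const report = assess(versions);
  for (const [name, r] of Object.entries(report)) {
    const seen = versions[name] ?? 'n/a';
    const min = r.minimum ? ` (fixed from ${r.minimum})` : '';
    console.log(`${name}: ${seen} -> ${r.status}${min}`);
  }
  return !Object.values(report).some(r => r.status === 'vulnerable');
}

reportLiveRuntime();
```

Run it with `node check-node-versions.js` on each host or container image; a status of `unknown` for Node.js means the major line is not one the article lists as patched (for example an end-of-life line), which deserves a separate look rather than being read as safe.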


Last September, a cryptocurrency thief gained access to a developer's npm account through a spear-phishing attack (npm is the package manager for Node.js packages). This allowed the malicious actor to inject malicious code into around 20 of the developer's packages, which collectively have over two billion weekly downloads.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.