SB2026013104 - Fedora EPEL 10.2 update for node-exporter

Description

This security bulletin contains information about 7 secuirty vulnerabilities.

1) Protection Mechanism Failure (CVE-ID: CVE-2025-47910)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient implementation of security measures in http.CrossOriginProtection. The AddInsecureBypassPattern method can unexpectedly bypass more requests than intended. An attacker can bypass implemented security restrictions.

2) Input validation error (CVE-ID: CVE-2025-47906)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to insufficient validation of the PATH environment variable in LookPath. A local user can pass specially crafted strings to the application and execute arbitrary OS commands with elevated privileges. 

3) Improper Encoding or Escaping of Output (CVE-ID: CVE-2025-58189)

The vulnerability allows a remote attacker to perform spoofing attacks.

The vulnerability exists due to missing sanitization of input data when the Conn.Handshake fails during ALPN negotiation in crypto/tls. A remote attacker can pass specially crafted input via an error message and influence the application behavior, leading to a potential spoofing attack. 

4) Resource exhaustion (CVE-ID: CVE-2025-61723)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists in encoding/pem due to application does not properly control consumption of internal resources when parsing untrusted PEM input. A remote attacker can trigger CPU exhaustion and perform a denial of service (DoS) attack.

5) Resource exhaustion (CVE-ID: CVE-2025-58185)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists in encoding/asn1 due to application does not properly control consumption of internal resources when parsing DER payloads. A remote attacker can trigger memory exhaustion and perform a denial of service (DoS) attack.

6) Input validation error (CVE-ID: CVE-2025-58188)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists in crypto/x509 due to an error when validating certificate chains which contain DSA public keys. A remote attacker can pass a specially crafted certificate to the application and crash it.

7) UNIX symbolic link following (CVE-ID: CVE-2025-52881)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a symlink following issue related to procfs write redirects. A local user can create a specially crafted symbolic link to a critical file on the system and overwrite it with privileges of the application.

Successful exploitation of this vulnerability may result in privilege escalation.

Remediation

Install update from vendor's website.

References

• https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-16236dd947