SB2026041721 - Red Hat Enterprise Linux 9 update for the nodejs:20 module
Published: April 17, 2026
Description
This security bulletin contains information about 3 security vulnerabilities.
1) Uncaught Exception (CVE-ID: CVE-2025-59465)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper error handling in the HTTP/2 server when receiving a malformed HEADERS frame with oversized invalid HPACK data. A remote attacker can send a specially crafted HTTP/2 HEADERS frame to cause a denial of service.
This primarily affects applications that do not attach explicit error handlers to secure sockets.
2) Race condition (CVE-ID: CVE-2025-55131)
The vulnerability allows a remote user to disclose sensitive information or corrupt data.
The vulnerability exists due to a race condition in buffer allocation logic when using the vm module with the timeout option. A remote user can influence workload and timeout behavior to disclose sensitive information or corrupt data.
Exploitation typically requires precise timing or in-process code execution.
3) Link following (CVE-ID: CVE-2025-55130)
The vulnerability allows a local user to read or modify arbitrary files outside the intended allowed path.
The vulnerability exists due to improper access control in the permission model path restriction handling when processing crafted relative symlink paths. A local user can chain directories and symlinks to read or modify arbitrary files outside the intended allowed path.
The issue affects use of the permission model with --allow-fs-read or --allow-fs-write restrictions.
Remediation
Install the update from the vendor's website.