corepack24-24.11.1-2.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2025:15802-1 Final 1 1 2025-12-08T00:00:00Z current 2025-12-08T00:00:00Z 2025-12-08T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z corepack24-24.11.1-2.1 on GA media These are all security issues fixed in the corepack24-24.11.1-2.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2025-15802 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2024-21538/ SUSE CVE CVE-2024-21538 page https://www.suse.com/security/cve/CVE-2024-22018/ SUSE CVE CVE-2024-22018 page https://www.suse.com/security/cve/CVE-2024-22020/ SUSE CVE CVE-2024-22020 page https://www.suse.com/security/cve/CVE-2024-36137/ SUSE CVE CVE-2024-36137 page https://www.suse.com/security/cve/CVE-2024-36138/ SUSE CVE CVE-2024-36138 page https://www.suse.com/security/cve/CVE-2024-37372/ SUSE CVE CVE-2024-37372 page https://www.suse.com/security/cve/CVE-2025-22150/ SUSE CVE CVE-2025-22150 page https://www.suse.com/security/cve/CVE-2025-23083/ SUSE CVE CVE-2025-23083 page https://www.suse.com/security/cve/CVE-2025-23085/ SUSE CVE CVE-2025-23085 page https://www.suse.com/security/cve/CVE-2025-23165/ SUSE CVE CVE-2025-23165 page https://www.suse.com/security/cve/CVE-2025-23166/ SUSE CVE CVE-2025-23166 page openSUSE Tumbleweed corepack24-24.11.1-2.1 nodejs24-24.11.1-2.1 nodejs24-devel-24.11.1-2.1 nodejs24-docs-24.11.1-2.1 npm24-24.11.1-2.1 corepack24-24.11.1-2.1 as a component of openSUSE Tumbleweed nodejs24-24.11.1-2.1 as a component of openSUSE Tumbleweed nodejs24-devel-24.11.1-2.1 as a component of openSUSE Tumbleweed nodejs24-docs-24.11.1-2.1 as a component of openSUSE Tumbleweed npm24-24.11.1-2.1 as a component of openSUSE Tumbleweed Versions of the package cross-spawn before 6.0.6, from 7.0.0 and before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string. CVE-2024-21538 openSUSE Tumbleweed:corepack24-24.11.1-2.1 openSUSE Tumbleweed:nodejs24-24.11.1-2.1 openSUSE Tumbleweed:nodejs24-devel-24.11.1-2.1 openSUSE Tumbleweed:nodejs24-docs-24.11.1-2.1 openSUSE Tumbleweed:npm24-24.11.1-2.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-21538.html CVE-2024-21538 https://bugzilla.suse.com/1233843 SUSE Bug 1233843 A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-read flag is used. This flaw arises from an inadequate permission model that fails to restrict file stats through the fs.lstat API. As a result, malicious actors can retrieve stats from files that they do not have explicit read access to. This vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js. CVE-2024-22018 openSUSE Tumbleweed:corepack24-24.11.1-2.1 openSUSE Tumbleweed:nodejs24-24.11.1-2.1 openSUSE Tumbleweed:nodejs24-devel-24.11.1-2.1 openSUSE Tumbleweed:nodejs24-docs-24.11.1-2.1 openSUSE Tumbleweed:npm24-24.11.1-2.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-22018.html CVE-2024-22018 https://bugzilla.suse.com/1227562 SUSE Bug 1227562 A security flaw in Node.js allows a bypass of network import restrictions. By embedding non-network imports in data URLs, an attacker can execute arbitrary code, compromising system security. Verified on various platforms, the vulnerability is mitigated by forbidding data URLs in network imports. Exploiting this flaw can violate network import security, posing a risk to developers and servers. CVE-2024-22020 openSUSE Tumbleweed:corepack24-24.11.1-2.1 openSUSE Tumbleweed:nodejs24-24.11.1-2.1 openSUSE Tumbleweed:nodejs24-devel-24.11.1-2.1 openSUSE Tumbleweed:nodejs24-docs-24.11.1-2.1 openSUSE Tumbleweed:npm24-24.11.1-2.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-22020.html CVE-2024-22020 https://bugzilla.suse.com/1227554 SUSE Bug 1227554 A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-write flag is used. Node.js Permission Model do not operate on file descriptors, however, operations such as fs.fchown or fs.fchmod can use a "read-only" file descriptor to change the owner and permissions of a file. CVE-2024-36137 openSUSE Tumbleweed:corepack24-24.11.1-2.1 openSUSE Tumbleweed:nodejs24-24.11.1-2.1 openSUSE Tumbleweed:nodejs24-devel-24.11.1-2.1 openSUSE Tumbleweed:nodejs24-docs-24.11.1-2.1 openSUSE Tumbleweed:npm24-24.11.1-2.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-36137.html CVE-2024-36137 https://bugzilla.suse.com/1227561 SUSE Bug 1227561 Bypass incomplete fix of CVE-2024-27980, that arises from improper handling of batch files with all possible extensions on Windows via child_process.spawn / child_process.spawnSync. A malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled. CVE-2024-36138 openSUSE Tumbleweed:corepack24-24.11.1-2.1 openSUSE Tumbleweed:nodejs24-24.11.1-2.1 openSUSE Tumbleweed:nodejs24-devel-24.11.1-2.1 openSUSE Tumbleweed:nodejs24-docs-24.11.1-2.1 openSUSE Tumbleweed:npm24-24.11.1-2.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-36138.html CVE-2024-36138 https://bugzilla.suse.com/1227560 SUSE Bug 1227560 The Permission Model assumes that any path starting with two backslashes \ has a four-character prefix that can be ignored, which is not always true. This subtle bug leads to vulnerable edge cases. CVE-2024-37372 openSUSE Tumbleweed:corepack24-24.11.1-2.1 openSUSE Tumbleweed:nodejs24-24.11.1-2.1 openSUSE Tumbleweed:nodejs24-devel-24.11.1-2.1 openSUSE Tumbleweed:nodejs24-docs-24.11.1-2.1 openSUSE Tumbleweed:npm24-24.11.1-2.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-37372.html CVE-2024-37372 https://bugzilla.suse.com/1227563 SUSE Bug 1227563 Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to versions 5.28.5, 6.21.1, and 7.2.3, undici uses `Math.random()` to choose the boundary for a multipart/form-data request. It is known that the output of `Math.random()` can be predicted if several of its generated values are known. If there is a mechanism in an app that sends multipart requests to an attacker-controlled website, they can use this to leak the necessary values. Therefore, an attacker can tamper with the requests going to the backend APIs if certain conditions are met. This is fixed in versions 5.28.5, 6.21.1, and 7.2.3. As a workaround, do not issue multipart requests to attacker controlled servers. CVE-2025-22150 openSUSE Tumbleweed:corepack24-24.11.1-2.1 openSUSE Tumbleweed:nodejs24-24.11.1-2.1 openSUSE Tumbleweed:nodejs24-devel-24.11.1-2.1 openSUSE Tumbleweed:nodejs24-docs-24.11.1-2.1 openSUSE Tumbleweed:npm24-24.11.1-2.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-22150.html CVE-2025-22150 https://bugzilla.suse.com/1236257 SUSE Bug 1236257 With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created. This is not limited only to workers but also exposes internal workers, where an instance of them can be fetched, and its constructor can be grabbed and reinstated for malicious usage. This vulnerability affects Permission Model users (--permission) on Node.js v20, v22, and v23. CVE-2025-23083 openSUSE Tumbleweed:corepack24-24.11.1-2.1 openSUSE Tumbleweed:nodejs24-24.11.1-2.1 openSUSE Tumbleweed:nodejs24-devel-24.11.1-2.1 openSUSE Tumbleweed:nodejs24-docs-24.11.1-2.1 openSUSE Tumbleweed:npm24-24.11.1-2.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-23083.html CVE-2025-23083 https://bugzilla.suse.com/1236251 SUSE Bug 1236251 A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could lead to increased memory consumption and potential denial of service under certain conditions. This vulnerability affects HTTP/2 Server users on Node.js v18.x, v20.x, v22.x and v23.x. CVE-2025-23085 openSUSE Tumbleweed:corepack24-24.11.1-2.1 openSUSE Tumbleweed:nodejs24-24.11.1-2.1 openSUSE Tumbleweed:nodejs24-devel-24.11.1-2.1 openSUSE Tumbleweed:nodejs24-docs-24.11.1-2.1 openSUSE Tumbleweed:npm24-24.11.1-2.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-23085.html CVE-2025-23085 https://bugzilla.suse.com/1236250 SUSE Bug 1236250 In Node.js, the `ReadFileUtf8` internal binding leaks memory due to a corrupted pointer in `uv_fs_s.file`: a UTF-16 path buffer is allocated but subsequently overwritten when the file descriptor is set. This results in an unrecoverable memory leak on every call. Repeated use can cause unbounded memory growth, leading to a denial of service. Impact: * This vulnerability affects APIs relying on `ReadFileUtf8` on Node.js release lines: v20 and v22. CVE-2025-23165 openSUSE Tumbleweed:corepack24-24.11.1-2.1 openSUSE Tumbleweed:nodejs24-24.11.1-2.1 openSUSE Tumbleweed:nodejs24-devel-24.11.1-2.1 openSUSE Tumbleweed:nodejs24-docs-24.11.1-2.1 openSUSE Tumbleweed:npm24-24.11.1-2.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-23165.html CVE-2025-23165 https://bugzilla.suse.com/1243217 SUSE Bug 1243217 The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentially allows an adversary to remotely crash a Node.js runtime. CVE-2025-23166 openSUSE Tumbleweed:corepack24-24.11.1-2.1 openSUSE Tumbleweed:nodejs24-24.11.1-2.1 openSUSE Tumbleweed:nodejs24-devel-24.11.1-2.1 openSUSE Tumbleweed:nodejs24-docs-24.11.1-2.1 openSUSE Tumbleweed:npm24-24.11.1-2.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-23166.html CVE-2025-23166 https://bugzilla.suse.com/1243218 SUSE Bug 1243218