corepack22-22.15.1-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2025:16312 Final 1 1 2025-07-03T00:00:00Z current 2025-07-03T00:00:00Z 2025-07-03T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z corepack22-22.15.1-1.1 on GA media These are all security issues fixed in the corepack22-22.15.1-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2025-16312 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2025-23165/ SUSE CVE CVE-2025-23165 page https://www.suse.com/security/cve/CVE-2025-23166/ SUSE CVE CVE-2025-23166 page openSUSE Tumbleweed corepack22-22.15.1-1.1 nodejs22-22.15.1-1.1 nodejs22-devel-22.15.1-1.1 nodejs22-docs-22.15.1-1.1 npm22-22.15.1-1.1 corepack22-22.15.1-1.1 as a component of openSUSE Tumbleweed nodejs22-22.15.1-1.1 as a component of openSUSE Tumbleweed nodejs22-devel-22.15.1-1.1 as a component of openSUSE Tumbleweed nodejs22-docs-22.15.1-1.1 as a component of openSUSE Tumbleweed npm22-22.15.1-1.1 as a component of openSUSE Tumbleweed In Node.js, the `ReadFileUtf8` internal binding leaks memory due to a corrupted pointer in `uv_fs_s.file`: a UTF-16 path buffer is allocated but subsequently overwritten when the file descriptor is set. This results in an unrecoverable memory leak on every call. Repeated use can cause unbounded memory growth, leading to a denial of service. Impact: * This vulnerability affects APIs relying on `ReadFileUtf8` on Node.js release lines: v20 and v22. CVE-2025-23165 openSUSE Tumbleweed:corepack22-22.15.1-1.1 openSUSE Tumbleweed:nodejs22-22.15.1-1.1 openSUSE Tumbleweed:nodejs22-devel-22.15.1-1.1 openSUSE Tumbleweed:nodejs22-docs-22.15.1-1.1 openSUSE Tumbleweed:npm22-22.15.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-23165.html CVE-2025-23165 https://bugzilla.suse.com/1243217 SUSE Bug 1243217 The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentially allows an adversary to remotely crash a Node.js runtime. CVE-2025-23166 openSUSE Tumbleweed:corepack22-22.15.1-1.1 openSUSE Tumbleweed:nodejs22-22.15.1-1.1 openSUSE Tumbleweed:nodejs22-devel-22.15.1-1.1 openSUSE Tumbleweed:nodejs22-docs-22.15.1-1.1 openSUSE Tumbleweed:npm22-22.15.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-23166.html CVE-2025-23166 https://bugzilla.suse.com/1243218 SUSE Bug 1243218