Mageia 9: Critical Security Patch for Node.js Addressing MGASA-2026-0009
mageia
January 17, 2026
MGASA-2026-0009 - Updated nodejs packages fix security vulnerabilities
Summary
Description:
Node.js HTTP/2 server crashes with unhandled error when receiving
malformed HEADERS frame. (CVE-2025-59465)
Uncatchable "Maximum call stack size exceeded" error on Node.js via
async_hooks leads to process crashes bypassing error handlers.
(CVE-2025-59466)
Bypass File System Permissions using crafted symlinks. (CVE-2025-55130)
Timeout-based race conditions make Uint8Array/Buffer.alloc
non-zerofilled. (CVE-2025-55131)
fs.futimes() Bypasses Read-Only Permission Model. (CVE-2025-55132)
TLS PSK/ALPN Callback Exceptions Bypass Error Handlers, Causing DoS and
FD Leak. (CVE-2026-21637)
References
- https://bugs.mageia.org/show_bug.cgi?id=34995
- https://nodejs.org/en/blog/vulnerability/december-2025-security-releases
- https://nodejs.org/en/blog/release/v22.22.0
- https://www.cve.org/CVERecord?id=CVE-2025-59465
- https://www.cve.org/CVERecord?id=CVE-2025-59466
- https://www.cve.org/CVERecord?id=CVE-2025-55130
- https://www.cve.org/CVERecord?id=CVE-2025-55131
- https://www.cve.org/CVERecord?id=CVE-2025-55132
- https://www.cve.org/CVERecord?id=CVE-2026-21637
Topics Covered
Resolution
SRPMS
- 9/core/nodejs-22.22.0-1.mga9
PREVIOUS
NEXT
Severity
important
Lowest
Low
Medium
High
Critical
Publication date: 17 Jan 2026
URL: https://advisories.mageia.org/MGASA-2026-0009.html
Type: security
CVE: CVE-2025-59465,
CVE-2025-59466,
CVE-2025-55130,
CVE-2025-55131,
CVE-2025-55132,
CVE-2026-21637
Topics Covered
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!