Alpine: multiple nodejs packages: security update to 22.13.1-r0

medium Tenable Cloud Security Plugin ID 424223

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to versions 5.28.5, 6.21.1, and 7.2.3,
undici uses `Math.random()` to choose the boundary for a multipart/form-data request. It is known that the
output of `Math.random()` can be predicted if several of its generated values are known. If there is a
mechanism in an app that sends multipart requests to an attacker-controlled website, they can use this to
leak the necessary values. Therefore, an attacker can tamper with the requests going to the backend APIs
if certain conditions are met. This is fixed in versions 5.28.5, 6.21.1, and 7.2.3. As a workaround, do
not issue multipart requests to attacker controlled servers. (CVE-2025-22150)

- With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is
created. This is not limited only to workers but also exposes internal workers, where an instance of them
can be fetched, and its constructor can be grabbed and reinstated for malicious usage. This vulnerability
affects Permission Model users (--permission) on Node.js v20, v22, and v23. (CVE-2025-23083)

- A vulnerability has been identified in Node.js, specifically affecting the handling of drive names in the
Windows environment. Certain Node.js functions do not treat drive names as special on Windows. As a
result, although Node.js assumes a relative path, it actually refers to the root directory. On Windows, a
path that does not start with the file separator is treated as relative to the current directory. This
vulnerability affects Windows users of `path.join` API. (CVE-2025-23084)

- A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY
notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be
terminated by the peer, the same leak was triggered. This flaw could lead to increased memory consumption
and potential denial of service under certain conditions. This vulnerability affects HTTP/2 Server users
on Node.js v18.x, v20.x, v22.x and v23.x. (CVE-2025-23085)

See Also

https://security.alpinelinux.org/vuln/CVE-2025-22150

https://security.alpinelinux.org/vuln/CVE-2025-23083

https://security.alpinelinux.org/vuln/CVE-2025-23084

https://security.alpinelinux.org/vuln/CVE-2025-23085

Plugin Details

Severity: Medium

ID: 424223

Version: Revision 1.11

Type: Local

Published: 4/4/2025

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.3

Percentile: 53.2

CVSS v2

Risk Factor: High

Base Score: 7.1

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:N

CVSS Score Source: CVE-2025-22150

CVSS v3

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 4.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS Score Source: CVE-2025-23084

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 1/21/2025

Reference Information

CVE: CVE-2025-22150, CVE-2025-23083, CVE-2025-23084, CVE-2025-23085