Alpine: multiple nodejs packages: security update to 24.13.0-r0

Medium severity, Tenable Cloud Security, Plugin ID 436785

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write`
restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted
access only to the current directory can escape the allowed path and read sensitive files. This breaks the
expected isolation guarantees and enables arbitrary file read/write, leading to potential system
compromise. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.
(CVE-2025-55130)

- A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are
interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers
allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data
from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data
corruption. While exploitation typically requires precise timing or in-process code execution, it can
become remotely exploitable when untrusted input influences workload and timeouts, leading to potential
confidentiality and integrity impact. (CVE-2025-55131)

- A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via
`futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply
the expected write-permission checks, which means file metadata can be modified in read-only directories.
This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of
logs. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.
(CVE-2025-55132)

- We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become
uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching
`process.on('uncaughtException')`, the process terminates, making the crash unrecoverable. Applications
that rely on `AsyncLocalStorage` (v22, v20) or `async_hooks.createHook()` (v24, v22, v20) become
vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions.
(CVE-2025-59466)

Solution

Update the nodejs library and its related packages to version 24.13.0-r0 or later.

See Also

https://security.alpinelinux.org/vuln/CVE-2025-55130

https://security.alpinelinux.org/vuln/CVE-2025-55131

https://security.alpinelinux.org/vuln/CVE-2025-55132

https://security.alpinelinux.org/vuln/CVE-2025-59466

Plugin Details

Severity: Medium

ID: 436785

Version: Revision 1.13

Type: Local

Published: 1/16/2026

Updated: 6/30/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 6.5

Percentile: 96.92

CVSS v2

Risk Factor: High

Base Score: 9.4

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:N

CVSS Score Source: CVE-2025-55130

CVSS v3

Risk Factor: Critical

Base Score: 9.1

Temporal Score: 8.2

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 4.8

Threat Score: 1.9

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 1/13/2026

Reference Information

CVE: CVE-2025-55130, CVE-2025-55131, CVE-2025-55132, CVE-2025-59466