Description
There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:
- A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write`
restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted
access only to the current directory can escape the allowed path and read sensitive files. This breaks the
expected isolation guarantees and enables arbitrary file read/write, leading to potential system
compromise. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.
(CVE-2025-55130)
- A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are
interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers
allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data
from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data
corruption. While exploitation typically requires precise timing or in-process code execution, it can
become remotely exploitable when untrusted input influences workload and timeouts, leading to potential
confidentiality and integrity impact. (CVE-2025-55131)
- A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via
`futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply
the expected write-permission checks, which means file metadata can be modified in read-only directories.
This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of
logs. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.
(CVE-2025-55132)
- A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by
triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the
process crashes, enabling a remote denial of service. This primarily affects applications that do not
attach explicit error handlers to secure sockets, for example: ``` server.on('secureConnection', socket =>
{ socket.on('error', err => { console.log(err) }) }) ``` (CVE-2025-59465)
Solution
Update the nodejs library and its related packages to version 22.22.2-r0 or later.
Plugin Details
Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security
Risk Information
Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:N
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C
Threat Vector: CVSS:4.0/E:P
Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Vulnerability Information
Exploit Ease: Exploits are available
Vulnerability Publication Date: 1/13/2026
Reference Information
CVE: CVE-2025-55130, CVE-2025-55131, CVE-2025-55132, CVE-2025-59465, CVE-2025-59466, CVE-2026-21637, CVE-2026-21710, CVE-2026-21713, CVE-2026-21714, CVE-2026-21715, CVE-2026-21716, CVE-2026-21717