Alpine: nodejs: security update to 22.22.2-r0

medium Tenable Self-Hosted Container Security Plugin ID 439191

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write`
restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted
access only to the current directory can escape the allowed path and read sensitive files. This breaks the
expected isolation guarantees and enables arbitrary file read/write, leading to potential system
compromise. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.
(CVE-2025-55130)

- A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are
interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers
allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data
from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data
corruption. While exploitation typically requires precise timing or in-process code execution, it can
become remotely exploitable when untrusted input influences workload and timeouts, leading to potential
confidentiality and integrity impact. (CVE-2025-55131)

- A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via
`futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply
the expected write-permission checks, which means file metadata can be modified in read-only directories.
This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of
logs. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.
(CVE-2025-55132)

- A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by
triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the
process crashes, enabling a remote denial of service. This primarily affects applications that do not
attach explicit error handlers to secure sockets, for example: ``` server.on('secureConnection', socket =>
{ socket.on('error', err => { console.log(err) }) }) ``` (CVE-2025-59465)

Solution

Update the nodejs library and its related packages to version 22.22.2-r0 or later.

See Also

https://security.alpinelinux.org/vuln/CVE-2025-55130

https://security.alpinelinux.org/vuln/CVE-2025-55131

https://security.alpinelinux.org/vuln/CVE-2025-55132

https://security.alpinelinux.org/vuln/CVE-2025-59465

https://security.alpinelinux.org/vuln/CVE-2025-59466

https://security.alpinelinux.org/vuln/CVE-2026-21637

https://security.alpinelinux.org/vuln/CVE-2026-21710

https://security.alpinelinux.org/vuln/CVE-2026-21713

https://security.alpinelinux.org/vuln/CVE-2026-21714

https://security.alpinelinux.org/vuln/CVE-2026-21715

https://security.alpinelinux.org/vuln/CVE-2026-21716

https://security.alpinelinux.org/vuln/CVE-2026-21717

Plugin Details

Severity: Medium

ID: 439191

Version: Revision 1.7

Type: Local

Published: 3/25/2026

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 6.5

Percentile: 96.89

CVSS v2

Risk Factor: High

Base Score: 9.4

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:N

CVSS Score Source: CVE-2025-55130

CVSS v3

Risk Factor: Critical

Base Score: 9.1

Temporal Score: 8.2

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 4.8

Threat Score: 1.9

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 1/13/2026

Reference Information

CVE: CVE-2025-55130, CVE-2025-55131, CVE-2025-55132, CVE-2025-59465, CVE-2025-59466, CVE-2026-21637, CVE-2026-21710, CVE-2026-21713, CVE-2026-21714, CVE-2026-21715, CVE-2026-21716, CVE-2026-21717