Detections
Analytics

Node.js 20.x < 20.20.0 / 22.x < 22.22.0 / 24.x < 24.13.0 / 24.x < 24.13.0 / 25.x < 25.3.0 Multiple Vulnerabilities (Tuesday, January 13, 2026 Security Releases).

medium Nessus Plugin ID 282656

Language:

Synopsis

Node.js - JavaScript run-time environment is affected by multiple vulnerabilities.

Description

The version of Node.js installed on the remote host is prior to 20.20.0, 22.22.0, 24.13.0, 24.13.0, 25.3.0. It is, therefore, affected by multiple vulnerabilities as referenced in the Tuesday, January 13, 2026 Security Releases advisory.

 - A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via futimes() even when the process has only read permissions. Unlike utimes(), futimes() does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs (CVE-2025-55132)

 - A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the vm module with the timeout option. Under specific timing conditions, buffers allocated with Buffer.alloc and other TypedArray instances like Uint8Array may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption. While exploitation typically requires precise timing or in-process code execution, it can become remotely exploitable when untrusted input influences workload and timeouts, leading to potential confidentiality and integrity impact. Impact: Thank you, to Nikita Skovoroda for reporting and fixing this vulnerability. (CVE-2025-55131)

 - A flaw in Node.js's Permissions model allows attackers to bypass --allow-fs-read and --allow-fs-write restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write, leading to potential system compromise. Impact: Thank you, to natann for reporting this vulnerability and thank you RafaelGSS for fixing it. (CVE-2025-55130)

 - A malformed HTTP/2 HEADERS frame with oversized, invalid HPACK data can cause Node.js to crash by triggering an unhandled TLSSocket error ECONNRESET. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets, for example: server.on('secureConnection', socket => { socket.on('error', err => { console.log(err); }); }); JavaScriptCopy to clipboard Impact: Thank you, to dantt for reporting this vulnerability and thank you RafaelGSS for fixing it. (CVE-2025-59465)

 - We have identified a bug in Node.js error handling where Maximum call stack size exceeded errors become uncatchable when async_hooks.createHook() is enabled. Instead of reaching process.on('uncaughtException'), the process terminates, making the crash unrecoverable. Applications that rely on AsyncLocalStorage (v22, v20) or async_hooks.createHook() (v24, v22, v20) become vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions. This patch improves recoverability in one edge case, but it does not remove the broader risk. Recovery from space exhaustion is unspecified, besteffort behavior and is not a reliable basis for availability or security. In availabilitycritical paths where recursion depth may be influenced by untrusted input, prefer input validation and designs that bound or avoid recursion rather than depending on stack space exhaustion behavior or the lack of tailcall optimizations in the runtime/engine. See this blog post for details. Impact: Thank you, to Andrew MacPherson (AndrewMohawk) for identifying & aaron_vercel for reporting this vulnerability and thank you mcollina for fixing it.
 (CVE-2025-59466)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to Node.js version 20.20.0 / 22.22.0 / 24.13.0 / 24.13.0 / 25.3.0 or later.

See Also

http://www.nessus.org/u?a8cc39ad

Plugin Details

Severity: Medium

ID: 282656

File Name: nodejs_2026_jan_13.nasl

Version: 1.5

Type: local

Agent: windows, macosx, unix

Family: Misc.

Published: 1/13/2026

Updated: 2/17/2026

Configuration: Enable thorough checks (optional)

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.3

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2026-21636

CVSS v3

Risk Factor: Critical

Base Score: 10

Temporal Score: 9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 4.8

Threat Score: 1.9

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

CPE: cpe:/a:nodejs:node.js

Required KB Items: installed_sw/Node.js

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 1/13/2026

Vulnerability Publication Date: 1/13/2026

Reference Information

CVE: CVE-2025-55130, CVE-2025-55131, CVE-2025-55132, CVE-2025-59464, CVE-2025-59465, CVE-2025-59466, CVE-2026-21636, CVE-2026-21637

IAVB: 2026-B-0013