Node.js 20.x < 20.20.0 / 22.x < 22.22.0 / 24.x < 24.13.0 / 25.x < 25.3.0 Multiple Vulnerabilities (Tuesday, January 13, 2026 Security Releases).

high Nessus Plugin ID 282656

Synopsis

Node.js, a JavaScript run-time environment, is affected by multiple vulnerabilities.

Description

The version of Node.js installed on the remote host is prior to 20.20.0, 22.22.0, 24.13.0, or 25.3.0. It is, therefore, affected by multiple vulnerabilities as referenced in the Tuesday, January 13, 2026 Security Releases advisory.

- A malformed HTTP/2 HEADERS frame with oversized, invalid HPACK data can cause Node.js to crash by triggering an unhandled TLSSocket error ECONNRESET. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets, for example:

    server.on('secureConnection', socket => {
      socket.on('error', err => {
        console.log(err);
      });
    });

  Impact: Thank you, to dantt for reporting this vulnerability and thank you RafaelGSS for fixing it. (CVE-2025-59465)

- A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the vm module with the timeout option. Under specific timing conditions, buffers allocated with Buffer.alloc and other TypedArray instances like Uint8Array may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption. While exploitation typically requires precise timing or in-process code execution, it can become remotely exploitable when untrusted input influences workload and timeouts, leading to potential confidentiality and integrity impact. Impact: Thank you, to Nikita Skovoroda for reporting and fixing this vulnerability. (CVE-2025-55131)

- A flaw in Node.js's Permissions model allows attackers to bypass --allow-fs-read and --allow-fs-write restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write, leading to potential system compromise. Impact: Thank you, to natann for reporting this vulnerability and thank you RafaelGSS for fixing it. (CVE-2025-55130)

- We have identified a bug in Node.js error handling where Maximum call stack size exceeded errors become uncatchable when async_hooks.createHook() is enabled. Instead of reaching process.on('uncaughtException'), the process terminates, making the crash unrecoverable. Applications that rely on AsyncLocalStorage (v22, v20) or async_hooks.createHook() (v24, v22, v20) become vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions. Impact: Thank you, to Andrew MacPherson (AndrewMohawk) for identifying & aaron_vercel for reporting this vulnerability and thank you mcollina for fixing it. (CVE-2025-59466)

- A memory leak in Node.js's OpenSSL integration occurs when converting X.509 certificate fields to UTF-8 without freeing the allocated buffer. When applications call socket.getPeerCertificate(true), each certificate field leaks memory, allowing remote clients to trigger steady memory growth through repeated TLS connections. Over time this can lead to resource exhaustion and denial of service. Impact: Thank you, to giant_anteater for reporting this vulnerability and thank you RafaelGSS for fixing it. (CVE-2025-59464)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
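
The per-socket error handler pattern from the CVE-2025-59465 item above, as an added example that is not code from the advisory or the Node.js project. Plain EventEmitter objects stand in for the TLS server and socket so it runs without certificates, and the names attachSecureSocketErrorHandlers, simulateReset and demo are hypothetical. It shows that an 'error' event with no listener throws, while a per-socket listener contains it; upgrading as described under Solution remains the fix.

```javascript
'use strict';
// Added example: EventEmitter stand-ins replace a real tls/http2 secure server
// so the behaviour can be observed offline (constructed input, no network).
const { EventEmitter } = require('node:events');

// Hypothetical helper (not a Node.js API): give every TLS socket accepted by
// `server` an 'error' listener, so a socket-level error cannot become an
// unhandled 'error' event that terminates the process.
function attachSecureSocketErrorHandlers(server, onError = console.error) {
  server.on('secureConnection', (socket) => {
    socket.on('error', (err) => {
      onError(err);
      // Drop the broken connection; the rest of the server keeps running.
      if (typeof socket.destroy === 'function') socket.destroy();
    });
  });
  return server;
}

// Emit a constructed ECONNRESET on a fresh stand-in socket and report whether
// the emit threw (what an unhandled 'error' event does) or was contained.
function simulateReset(server) {
  const socket = new EventEmitter();
  socket.destroyed = false;
  socket.destroy = () => { socket.destroyed = true; };
  server.emit('secureConnection', socket);

  const err = Object.assign(new Error('read ECONNRESET'), { code: 'ECONNRESET' });
  try {
    socket.emit('error', err);
    return { crashed: false, destroyed: socket.destroyed };
  } catch (thrown) {
    return { crashed: true, destroyed: socket.destroyed, code: thrown.code };
  }
}

// Run the same reset against a server without and with the per-socket handler.
function demo() {
  const logged = [];
  const unprotected = new EventEmitter(); // no per-socket 'error' listener
  const hardened = attachSecureSocketErrorHandlers(
    new EventEmitter(), (err) => logged.push(err.code));
  return {
    unprotected: simulateReset(unprotected),
    hardened: simulateReset(hardened),
    logged,
  };
}

console.log(demo());
```

On a real server, pass the object returned by tls.createServer() or http2.createSecureServer() to the helper; in a live process the throw seen in the unprotected case surfaces as an uncaught exception.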

Solution

Upgrade to Node.js version 20.20.0 / 22.22.0 / 24.13.0 / 25.3.0 or later.

See Also

http://www.nessus.org/u?a8cc39ad

Plugin Details

Severity: High

ID: 282656

File Name: nodejs_2026_jan_13.nasl

Version: 1.1

Type: local

Agent: windows, macosx, unix

Family: Misc.

Published: 1/13/2026

Updated: 1/13/2026

Configuration: Enable thorough checks (optional)

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS Score Source: CVE-2025-59465

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:nodejs:node.js

Required KB Items: installed_sw/Node.js

Exploit Ease: No known exploits are available

Patch Publication Date: 1/13/2026

Vulnerability Publication Date: 1/13/2026

Reference Information

CVE: CVE-2025-55130, CVE-2025-55131, CVE-2025-55132, CVE-2025-59464, CVE-2025-59465, CVE-2025-59466, CVE-2026-21636, CVE-2026-21637