NewStart CGSL MAIN 6.06 : nodejs Multiple Vulnerabilities (NS-SA-2025-0241)

critical Nessus Plugin ID 297073

Synopsis

The remote NewStart CGSL host is affected by multiple vulnerabilities.

Description

The remote NewStart CGSL host, running version MAIN 6.06, has nodejs packages installed that are affected by multiple vulnerabilities:

- The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js. (CVE-2023-32002)

- Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
(CVE-2021-44906)

- Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both. (CVE-2019-9511)

- Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
(CVE-2019-9512)

- Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service.
The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU. (CVE-2019-9513)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade the vulnerable CGSL nodejs packages. Note that updated packages may not be available yet. Please contact ZTE for more information.

Plugin Details

Severity: Critical

ID: 297073

File Name: newstart_cgsl_NS-SA-2025-0241_nodejs.nasl

Version: 1.2

Type: local

Family: NewStart CGSL Local Security Checks

Published: 1/28/2026

Updated: 1/29/2026

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2021-44906

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2023-32002

Vulnerability Information

CPE: p-cpe:/a:zte:cgsl_main:nodejs, cpe:/o:zte:cgsl_main:6, p-cpe:/a:zte:cgsl_main:nodejs-libs

Required KB Items: Host/local_checks_enabled, Host/ZTE-CGSL/release, Host/ZTE-CGSL/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 1/29/2026

Vulnerability Publication Date: 8/9/2019

Reference Information

CVE: CVE-2019-9511, CVE-2019-9512, CVE-2019-9513, CVE-2019-9514, CVE-2019-9515, CVE-2019-9516, CVE-2019-9517, CVE-2019-9518, CVE-2020-15095, CVE-2021-22918, CVE-2021-22931, CVE-2021-22939, CVE-2021-22940, CVE-2021-22959, CVE-2021-22960, CVE-2021-27290, CVE-2021-3807, CVE-2021-3918, CVE-2021-43616, CVE-2021-44531, CVE-2021-44532, CVE-2021-44533, CVE-2021-44906, CVE-2022-21824, CVE-2022-25881, CVE-2022-29244, CVE-2022-32212, CVE-2022-32213, CVE-2022-32214, CVE-2022-32215, CVE-2022-35255, CVE-2022-35256, CVE-2023-23918, CVE-2023-23919, CVE-2023-23920, CVE-2023-23936, CVE-2023-24807, CVE-2023-30581, CVE-2023-30588, CVE-2023-30589, CVE-2023-30590, CVE-2023-31124, CVE-2023-32002, CVE-2023-32006, CVE-2023-32559, CVE-2024-22019, CVE-2024-22025, CVE-2024-25629, CVE-2024-27982, CVE-2024-27983, CVE-2024-28182, CVE-2024-28863

Detections

Analytics