SUSE SLES15 Security Update : nodejs24 (SUSE-SU-2026:2633-1)

Severity: High. Nessus Plugin ID 323047

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:2633-1 advisory.

This update for nodejs24 fixes the following issues:

Update to 24.17.0:

- CVE-2026-2581: undici: Undici: Denial of Service due to uncontrolled resource consumption (bsc#1268480).
- CVE-2026-6733: undici: Undici: Response queue poisoning on reused keep-alive sockets can lead to incorrect response delivery (bsc#1268479).
- CVE-2026-9496: pacote: excessive CPU consumption in `addGitSha` when processing a specially crafted `spec.rawSpec` value can lead to DoS (bsc#1266318).
- CVE-2026-9678: undici: Undici: Information disclosure due to improper cache-control header parsing (bsc#1268478).
- CVE-2026-9679: undici: undici vulnerable to HTTP header injection via Set-Cookie percent-decoding (bsc#1268477).
- CVE-2026-11525: undici: undici: Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header (bsc#1268481).
- CVE-2026-12151: undici: undici: Denial of Service due to unbounded memory growth via WebSocket frames (bsc#1268482).
- CVE-2026-27135: nghttp2: assertion failure due to missing state validation can lead to DoS (bsc#1259853).
- CVE-2026-40170: ngtcp2: qlog parameters_set stack buffer overflow (bsc#1262274).
- CVE-2026-42338: ip-address: Cross-site scripting via improper HTML escaping of untrusted input (bsc#1268097).
- CVE-2026-48615: Proxy credentials leaked in ERR_PROXY_TUNNEL error message (bsc#1268598).
- CVE-2026-48617: permission model enforcement bypass via `process.report.writeReport()` path misvalidation (bsc#1268554).
- CVE-2026-48618: Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismatch (bsc#1268593).
- CVE-2026-48619: Unbounded memory growth in node:http2 clients via attacker-controlled ORIGIN frames (bsc#1268618).
- CVE-2026-48928: Uppercase sni context matching can lead to mtls authorization bypass due to case-sensitive hostname matching (bsc#1268605).
- CVE-2026-48930: Embedded-nul hostnames can lead to silent authority rebinding due to c-string truncation in resolver bindings (bsc#1268606).
- CVE-2026-48931: HTTP Response Queue Poisoning via TOCTOU Race Condition in http.Agent (bsc#1268611).
- CVE-2026-48933: Node.js WebCrypto AES Integer Overflow Leads to Remote Process Abort (bsc#1268592).
- CVE-2026-48934: TLS host identity verification bypass via session reuse with different servername leads to unauthorized connections (bsc#1268608).
- CVE-2026-48935: Permission Model bypass via FileHandle.utimes() in the promises API (bsc#1268609).
- CVE-2026-48937: servers keep accepting data even after sending a `GOAWAY` frame (bsc#1268555).

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected nodejs24, nodejs24-devel, nodejs24-docs and/or npm24 packages.

See Also

https://bugzilla.suse.com/1259853

https://bugzilla.suse.com/1262274

https://bugzilla.suse.com/1266318

https://bugzilla.suse.com/1268097

https://bugzilla.suse.com/1268477

https://bugzilla.suse.com/1268478

https://bugzilla.suse.com/1268479

https://bugzilla.suse.com/1268480

https://bugzilla.suse.com/1268481

https://bugzilla.suse.com/1268482

https://bugzilla.suse.com/1268554

https://bugzilla.suse.com/1268555

https://bugzilla.suse.com/1268592

https://bugzilla.suse.com/1268593

https://bugzilla.suse.com/1268598

https://bugzilla.suse.com/1268605

https://bugzilla.suse.com/1268606

https://bugzilla.suse.com/1268608

https://bugzilla.suse.com/1268609

https://bugzilla.suse.com/1268611

https://bugzilla.suse.com/1268618

https://lists.suse.com/pipermail/sle-updates/2026-June/047635.html

https://www.suse.com/security/cve/CVE-2026-11525

https://www.suse.com/security/cve/CVE-2026-12151

https://www.suse.com/security/cve/CVE-2026-2581

https://www.suse.com/security/cve/CVE-2026-27135

https://www.suse.com/security/cve/CVE-2026-40170

https://www.suse.com/security/cve/CVE-2026-42338

https://www.suse.com/security/cve/CVE-2026-48615

https://www.suse.com/security/cve/CVE-2026-48617

https://www.suse.com/security/cve/CVE-2026-48618

https://www.suse.com/security/cve/CVE-2026-48619

https://www.suse.com/security/cve/CVE-2026-48928

https://www.suse.com/security/cve/CVE-2026-48930

https://www.suse.com/security/cve/CVE-2026-48931

https://www.suse.com/security/cve/CVE-2026-48933

https://www.suse.com/security/cve/CVE-2026-48934

https://www.suse.com/security/cve/CVE-2026-48935

https://www.suse.com/security/cve/CVE-2026-48937

https://www.suse.com/security/cve/CVE-2026-6733

https://www.suse.com/security/cve/CVE-2026-9496

https://www.suse.com/security/cve/CVE-2026-9678

https://www.suse.com/security/cve/CVE-2026-9679

Plugin Details

Severity: High

ID: 323047

File Name: suse_SU-2026-2633-1.nasl

Version: 1.1

Type: Local

Agent: unix

Published: 6/26/2026

Updated: 6/26/2026

Supported Sensors: Nessus Agent, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2026-42338

CVSS v3

Risk Factor: Medium

Base Score: 6.1

Temporal Score: 5.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 8.7

Threat Score: 7.7

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CVSS Score Source: CVE-2026-9496

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:nodejs24-devel, p-cpe:/a:novell:suse_linux:npm24, p-cpe:/a:novell:suse_linux:nodejs24-docs, cpe:/o:novell:suse_linux:15, p-cpe:/a:novell:suse_linux:nodejs24

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 6/25/2026

Vulnerability Publication Date: 3/12/2026

Reference Information

CVE: CVE-2026-11525, CVE-2026-12151, CVE-2026-2581, CVE-2026-27135, CVE-2026-40170, CVE-2026-42338, CVE-2026-48615, CVE-2026-48617, CVE-2026-48618, CVE-2026-48619, CVE-2026-48928, CVE-2026-48930, CVE-2026-48931, CVE-2026-48933, CVE-2026-48934, CVE-2026-48935, CVE-2026-48937, CVE-2026-6733, CVE-2026-9496, CVE-2026-9678, CVE-2026-9679

SuSE: SUSE-SU-2026:2633-1