SUSE SLES15 Security Update : nodejs22 (SUSE-SU-2026:2647-1)

high Nessus Plugin ID 323244

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:2647-1 advisory.

This update for nodejs22 fixes the following issues

Update to 22.23.0:

- CVE-2026-6733: undici: Undici: Response queue poisoning on reused keep-alive sockets can lead to incorrect response delivery (bsc#1268479).
- CVE-2026-9496: pacote: excessive CPU consumption in `addGitSha` when processing a specially crafted `spec.rawSpec` value can lead to DoS (bsc#1266318).
- CVE-2026-9679: undici: undici vulnerable to HTTP header injection via Set-Cookie percent-decoding (bsc#1268477).
- CVE-2026-11525: undici: undici: Weakening of cookie SameSite policy due to incorrect parsing of Set- Cookie header (bsc#1268481).
- CVE-2026-12151: undici: undici: Denial of Service due to unbounded memory growth via WebSocket frames (bsc#1268482).
- CVE-2026-27135: nghttp2: assertion failure due to missing state validation can lead to DoS (bsc#1259853).
- CVE-2026-40170: ngtcp2: qlog parameters_set stack buffer overflow (bsc#1262274).
- CVE-2026-42338: ip-address: Cross-site scripting via improper HTML escaping of untrusted input (bsc#1268097).
- CVE-2026-48615: Proxy credentials leaked in ERR_PROXY_TUNNEL error message (bsc#1268598).
- CVE-2026-48617: permission model enforcement bypass via `process.report.writeReport()` path misvalidation (bsc#1268554).
- CVE-2026-48618: Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismatch (bsc#1268593).
- CVE-2026-48619: Unbounded memory growth in node:http2 clients via attacker-controlled ORIGIN frames (bsc#1268618).
- CVE-2026-48928: Uppercase sni context matching can lead to mtls authorization bypass due to case- sensitive hostname matching (bsc#1268605).
- CVE-2026-48930: Embedded-nul hostnames can lead to silent authority rebinding due to c-string truncation in resolver bindings (bsc#1268606).
- CVE-2026-48931: HTTP Response Queue Poisoning via TOCTOU Race Condition in http.Agent (bsc#1268611).
- CVE-2026-48933: Node.js WebCrypto AES Integer Overflow Leads to Remote Process Abort (bsc#1268592).
- CVE-2026-48934: TLS host identity verification bypass via session reuse with different servername leads to unauthorized connections (bsc#1268608).
- CVE-2026-48935: Permission Model bypass via FileHandle.utimes() in the promises API (bsc#1268609).
- CVE-2026-48937: servers keep accepting data even after sending a `GOAWAY` frame (bsc#1268555).

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected nodejs22, nodejs22-devel, nodejs22-docs and / or npm22 packages.

Plugin Details

Severity: High

ID: 323244

File Name: suse_SU-2026-2647-1.nasl

Version: 1.1

Type: Local

Agent: unix

Family: SuSE Local Security Checks

Published: 6/27/2026

Updated: 6/27/2026

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, tenable_cloud_security, tenable_self_hosted_container_security, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2026-48930

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 8.7

Threat Score: 7.7

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CVSS Score Source: CVE-2026-9496

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:nodejs22-docs, p-cpe:/a:novell:suse_linux:nodejs22, p-cpe:/a:novell:suse_linux:nodejs22-devel, p-cpe:/a:novell:suse_linux:npm22, cpe:/o:novell:suse_linux:15

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 6/26/2026

Vulnerability Publication Date: 3/18/2026

Reference Information

CVE: CVE-2026-11525, CVE-2026-12151, CVE-2026-27135, CVE-2026-40170, CVE-2026-42338, CVE-2026-48615, CVE-2026-48617, CVE-2026-48618, CVE-2026-48619, CVE-2026-48928, CVE-2026-48930, CVE-2026-48931, CVE-2026-48933, CVE-2026-48934, CVE-2026-48935, CVE-2026-48937, CVE-2026-6733, CVE-2026-9496, CVE-2026-9679

SuSE: SUSE-SU-2026:2647-1

Detections

Analytics