Vulnerability Scan Report for registry.suse.com/bci/nodejs:20-31.11
Node.js 20 development container based on the SLE Base Container Image.
registry.suse.com/bci/nodejs:20-31.11
Last scanned on: June 25, 2025 18:00
Node.js 20 development container based on the SLE Base Container Image.
Last scanned on: June 25, 2025 18:00
| Package Name | Severity | Status | Description | Reference links | |
|---|---|---|---|---|---|
| nodejs20 | HIGH | fixed |
Security update for nodejs20 Vulnerability ID: SUSE-SU-2025:0237-1 Installed Version: 20.15.1-150600.3.3.2 Fixed Version: 20.18.2-150600.3.9.1 This update for nodejs20 fixes the following issues: Update to 20.18.2: - CVE-2025-23083: Fixed worker permission bypass via InternalWorker leak in diagnostics (bsc#1236251) - CVE-2025-23085: Fixed HTTP2 memory leak on premature close and ERR_PROTO (bsc#1236250) - CVE-2025-22150: Fixed insufficiently random values used when defining the boundary for a multipart/form-data request in undici (bsc#1236258) |
||
| nodejs20 | MEDIUM | fixed |
Security update for nodejs20 Vulnerability ID: SUSE-SU-2024:4286-1 Installed Version: 20.15.1-150600.3.3.2 Fixed Version: 20.18.1-150600.3.6.1 This update for nodejs20 fixes the following issues: - CVE-2024-21538: Fixed regular expression denial of service in cross-spawn dependency (bsc#1233856) Other fixes: - Updated to 20.18.1: * Experimental Network Inspection Support in Node.js * Exposes X509_V_FLAG_PARTIAL_CHAIN to tls.createSecureContext * New option for vm.createContext() to create a context with a freezable globalThis * buffer: optimize createFromString - Changes in 20.17.0: * module: support require()ing synchronous ESM graphs * path: add matchesGlob method * stream: expose DuplexPair API - Changes in 20.16.0: * process: add process.getBuiltinModule(id) * inspector: fix disable async hooks on Debugger.setAsyncCallStackDepth * buffer: add .bytes() method to Blob |
||
| npm20 | HIGH | fixed |
Security update for nodejs20 Vulnerability ID: SUSE-SU-2025:02045-1 Installed Version: 20.15.1-150600.3.3.2 Fixed Version: 20.19.2-150600.3.12.1 This update for nodejs20 fixes the following issues: Update to 20.19.2: - CVE-2025-23166: improper error handling in async cryptographic operations crashes process (bsc#1243218). - CVE-2025-23167: improper HTTP header block termination in llhttp (bsc#1243220). - CVE-2025-23165: add missing call to uv_fs_req_cleanup (bsc#1243217). Other bugfixes: - Build with PIE (bsc#1239949) |
||
| npm20 | HIGH | fixed |
Security update for nodejs20 Vulnerability ID: SUSE-SU-2025:0237-1 Installed Version: 20.15.1-150600.3.3.2 Fixed Version: 20.18.2-150600.3.9.1 This update for nodejs20 fixes the following issues: Update to 20.18.2: - CVE-2025-23083: Fixed worker permission bypass via InternalWorker leak in diagnostics (bsc#1236251) - CVE-2025-23085: Fixed HTTP2 memory leak on premature close and ERR_PROTO (bsc#1236250) - CVE-2025-22150: Fixed insufficiently random values used when defining the boundary for a multipart/form-data request in undici (bsc#1236258) |
||
| npm20 | MEDIUM | fixed |
Security update for nodejs20 Vulnerability ID: SUSE-SU-2024:4286-1 Installed Version: 20.15.1-150600.3.3.2 Fixed Version: 20.18.1-150600.3.6.1 This update for nodejs20 fixes the following issues: - CVE-2024-21538: Fixed regular expression denial of service in cross-spawn dependency (bsc#1233856) Other fixes: - Updated to 20.18.1: * Experimental Network Inspection Support in Node.js * Exposes X509_V_FLAG_PARTIAL_CHAIN to tls.createSecureContext * New option for vm.createContext() to create a context with a freezable globalThis * buffer: optimize createFromString - Changes in 20.17.0: * module: support require()ing synchronous ESM graphs * path: add matchesGlob method * stream: expose DuplexPair API - Changes in 20.16.0: * process: add process.getBuiltinModule(id) * inspector: fix disable async hooks on Debugger.setAsyncCallStackDepth * buffer: add .bytes() method to Blob |
||