oss-sec mailing list archives

Re: NodeJS Security Releases (CVE-2025-55131, CVE-2025-55130, CVE-2025-59465, and others)


From: Michel Lind <michel () michel-slm name>
Date: Fri, 16 Jan 2026 16:55:53 +0000

On Tue, 2026-01-13 at 20:44 -0500, Jan Schaumann wrote:
> Alan Coopersmith <alan.coopersmith () oracle com> wrote:
> 
> > The node.js team has also published a much more in-depth discussion
> > at:
> > https://nodejs.org/en/blog/vulnerability/january-2026-dos-mitigation-async-hooks
> 
> Thanks for that - this link would have been useful for
> the NodeJS team to share on their nodejs-sec mailing
> list.
> 
> > with a shorter intro in the thread starting at:
> > https://x.com/matteocollina/status/2011137343323865196
> 
> Here's a link that doesn't require an account on, uhm,
> _that_ platform:
> 
> https://nitter.net/matteocollina/status/2011137343323865196#m
> 
> -Jan

Do we know if older releases are available?

The analysis seems to be ... inconsistent on this:

* The NodeJS blog post does not mention old releases
* The Hacker News indicates versions from 8.x and up are all affected
https://thehackernews.com/2026/01/critical-nodejs-vulnerability-can-cause.html
* SUSE thinks versions 20 and below are not affected
https://www.suse.com/security/cve/CVE-2025-59466.html
* I can't find a RHEL security advisory yet, but el9/c9s ships NodeJS
16 as a normal 'ursine' RPM and maintained versions are only shipped as
modular RPMs in streams (thankfully EL10 does away with modularity)

RHEL/CentOS's nodejs 16 does seem to get CVE fixes backported in 2024,
after that branch had gone EOL -
https://gitlab.com/redhat/centos-stream/rpms/nodejs/-/commits/c9s?ref_type=heads

Best regards,


-- 
 _o) Michel Lind
_( ) https://keyoxide.org/5dce2e7e9c3b1cffd335c1d78b229d2f7ccc04f2
     README:    https://fedoraproject.org/wiki/User:Salimma#README
