{"id":"OESA-2022-1769","summary":"nodejs security update","details":"Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices.\r\n\r\nSecurity Fix(es):\r\n\r\nVersions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like "<protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>". The password value is not redacted and is printed to stdout and also to any generated log files.(CVE-2020-15095)\n\nThis affects the package y18n before 3.2.2, 4.0.1 and 5.0.5. PoC by po6ix: const y18n = require( y18n )(); y18n.setLocale( proto ); y18n.updateLocale({polluted: true}); console.log(polluted); // true(CVE-2020-7774)\n\nThis affects the package npm-user-validate before 1.0.1. The regex that validates user emails took exponentially longer to process long input strings beginning with @ characters.(CVE-2020-7754)\n\nThis affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.(CVE-2020-7788)\n\njson-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ( Prototype Pollution )(CVE-2021-3918)","modified":"2025-09-03T06:17:00.129134Z","published":"2022-07-22T11:04:01Z","upstream":["CVE-2020-15095","CVE-2020-7754","CVE-2020-7774","CVE-2020-7788","CVE-2021-3918"],"database_specific":{"severity":"Critical"},"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1769"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-15095"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-7774"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-7754"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-7788"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-3918"}],"affected":[{"package":{"name":"nodejs","ecosystem":"openEuler:20.03-LTS-SP1","purl":"pkg:rpm/openEuler/nodejs&distro=openEuler-20.03-LTS-SP1"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"12.22.11-1.oe1"}]}],"ecosystem_specific":{"noarch":["nodejs-docs-12.22.11-1.oe1.noarch.rpm"],"x86_64":["nodejs-12.22.11-1.oe1.x86_64.rpm","nodejs-full-i18n-12.22.11-1.oe1.x86_64.rpm","v8-devel-7.8.279.23-1.12.22.11.1.oe1.x86_64.rpm","nodejs-devel-12.22.11-1.oe1.x86_64.rpm","nodejs-debugsource-12.22.11-1.oe1.x86_64.rpm","npm-6.14.16-1.12.22.11.1.oe1.x86_64.rpm","nodejs-debuginfo-12.22.11-1.oe1.x86_64.rpm","nodejs-libs-12.22.11-1.oe1.x86_64.rpm"],"src":["nodejs-12.22.11-1.oe1.src.rpm"],"aarch64":["npm-6.14.16-1.12.22.11.1.oe1.aarch64.rpm","nodejs-full-i18n-12.22.11-1.oe1.aarch64.rpm","nodejs-12.22.11-1.oe1.aarch64.rpm","nodejs-debuginfo-12.22.11-1.oe1.aarch64.rpm","nodejs-libs-12.22.11-1.oe1.aarch64.rpm","v8-devel-7.8.279.23-1.12.22.11.1.oe1.aarch64.rpm","nodejs-debugsource-12.22.11-1.oe1.aarch64.rpm","nodejs-devel-12.22.11-1.oe1.aarch64.rpm"]},"database_specific":{"source":"https://repo.openeuler.org/security/data/osv/OESA-2022-1769.json"}},{"package":{"name":"nodejs","ecosystem":"openEuler:20.03-LTS-SP3","purl":"pkg:rpm/openEuler/nodejs&distro=openEuler-20.03-LTS-SP3"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"12.22.11-1.oe1"}]}],"ecosystem_specific":{"noarch":["nodejs-docs-12.22.11-1.oe1.noarch.rpm"],"x86_64":["nodejs-libs-12.22.11-1.oe1.x86_64.rpm","v8-devel-7.8.279.23-1.12.22.11.1.oe1.x86_64.rpm","nodejs-12.22.11-1.oe1.x86_64.rpm","nodejs-debugsource-12.22.11-1.oe1.x86_64.rpm","nodejs-devel-12.22.11-1.oe1.x86_64.rpm","npm-6.14.16-1.12.22.11.1.oe1.x86_64.rpm","nodejs-full-i18n-12.22.11-1.oe1.x86_64.rpm","nodejs-debuginfo-12.22.11-1.oe1.x86_64.rpm"],"src":["nodejs-12.22.11-1.oe1.src.rpm"],"aarch64":["nodejs-devel-12.22.11-1.oe1.aarch64.rpm","nodejs-debugsource-12.22.11-1.oe1.aarch64.rpm","v8-devel-7.8.279.23-1.12.22.11.1.oe1.aarch64.rpm","npm-6.14.16-1.12.22.11.1.oe1.aarch64.rpm","nodejs-12.22.11-1.oe1.aarch64.rpm","nodejs-debuginfo-12.22.11-1.oe1.aarch64.rpm","nodejs-full-i18n-12.22.11-1.oe1.aarch64.rpm","nodejs-libs-12.22.11-1.oe1.aarch64.rpm"]},"database_specific":{"source":"https://repo.openeuler.org/security/data/osv/OESA-2022-1769.json"}}],"schema_version":"1.7.3"}