Multiple vulnerabilities in Node.js, including CVE-2025-55130 (CVSS 9.1 CRITICAL), could lead to denial of service, information disclosure, or bypass of file restrictions. Affected versions include Node.js 20.0.0 through 20.19.x, 22.0.0 through 22.21.x, 24.0.0 through 24.12.x, and 25.0.0 through 25.2.x. The Debian advisory recommends upgrading the nodejs package to version 20.19.2+dfsg-1+deb13u1 for the stable distribution.
[SECURITY] [DSA 6166-1] nodejs security update To : debian-security-announce@lists.debian.org Subject : [SECURITY] [DSA 6166-1] nodejs security update From : Moritz Muehlenhoff < jmm@debian.org > Date : Tue, 17 Mar 2026 19:56:02 +0000 Message-id : < [🔎] abmx0ppgCRXnUnkB@seger.debian.org > Reply-to : debian-security-announce-request@lists.debian.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-6166-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff March 17, 2026 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : nodejs CVE ID : CVE-2025-23085 CVE-2025-55130 CVE-2025-55131 CVE-2025-55132 CVE-2025-59465 CVE-2025-59466 CVE-2026-21637 Multiple vulnerabilities were discovered in Node.js, which could result in denial of service or information disclosure or bypass of file restrictions. For the stable distribution (trixie), these problems have been fixed in version 20.19.2+dfsg-1+deb13u1. We recommend that you upgrade your nodejs packages. For the detailed security status of nodejs please refer to its security tracker page at: https://security-tracker.debian.org/tracker/nodejs Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmm5sHkACgkQEMKTtsN8 TjbEFxAAs1KUgw/cnvq5V1+eFn0KLb448wlbJRjfS6ljAtMStcBCSIxEz7ANrAyg cIJE2D2K/QEOSa+9NTflm22mXaXtbOFc4dvSmwpZYOx3PQG1CJGCytR3+HeV8Xgu 40SRSfW5r02ZEqn39lbmKgrZ+3why7P/9eEZK//Qh4TUPQGriB1miGOeJBtyge/n jVY/6gh5CPYdrIXPHolo3hVWF8FKy6WNYjeZjlpWhYZXJ5pb6x+6qwChCJ9bB4EF Wrh91GIoK3uF0GHqghv9IBvOQyzi2fbArTA51J5nK//KlF5SGagaSnjkVcrj3Uau WFoQBlyQBNAfg/0ZCdcwiQdRhDwYCK6eYHSXgg6pnz0tm2PEISvP5m9cPR+fSGic EeyKd6KbqEDFN4OQ2CEPt9pqgMwOMTyisaYyZPVCxlhtF7PEnZmbY8DFKIUZi5qS wV4hOSohhbyY6T05QnATjYnHhqU9Plyf7KDQfLnj6SmWGE1FNoPjwMAE10rj1hgX PctEnoQTVUKPGi90uwVxglmsvlHIAMADqfOW/kjzOVnFLS0AN/ceTlsGh+vjvs2/ TkaPVK5pFt/mtRXVZJW65tMnyYzRUhWYUOUjbH2WjCBNyZ2/4M+r/YLETfS0KzYf cMCkVet+fNjDwPkHGAHoiEx7/vYzRw9jagA2DjIXtMfMUleBSKs= =uWdC -----END PGP SIGNATURE----- Reply to: debian-security-announce@lists.debian.org Moritz Muehlenhoff (on-list) Moritz Muehlenhoff (off-list) Prev by Date: [SECURITY] [DSA 6165-1] chromium security update Next by Date: [SECURITY] [DSA 6167-1] gst-plugins-base1.0 security update Previous by thread: [SECURITY] [DSA 6165-1] chromium security update Next by thread: [SECURITY] [DSA 6167-1] gst-plugins-base1.0 security update Index(es): Date Thread