Description
Reports of vulnerabilities in the node.js product occur when issues are discovered. As part of this article, Veritas is tracking node.js vulnerabilities and their impact to the following products:
- Enterprise Vault (EV)
- Compliance Accelerator / Veritas Advanced Supervision (CA/VAS)
- Discovery Accelerator (DA)
- Veritas Information Classifier (VIC)
For CVE-2021-22959 and CFT-2021-22960
OpenJS Foundation has published multiple vulnerabilities and their mitigation steps as part of their announcement (October 12th 2021 Security Releases). As part of this article, we are tracking the following vulnerabilities and their impact on EV.
These issues have been resolved in node.js 16.14.2. Investigation into this release has shown full functionality is present. Note that node.js is only used in DA to display MS Teams content in near native format.
CVE-2021-22959 - node.js features do not protect against HTTP Request Smuggling (HRS) caused by a space in headers.
Severity: Medium
Affected node.js Versions: All versions of the 12.x up to 12.22.7, 14.x up to 14.18.1, and 16.x up to 16.14.2
CVE-2021-22960: node.js features do not protect against HTTP Request Smuggling (HRS) caused by parsing in the body.
Security: Medium
Affected node.js Versions: All versions of the 12.x up to 12.22.7, 14.x up to 14.18.1, and 16.x up to 16.14.2
Impact
Prior to Enterprise Vault 14.2:
Enterprise Vault versions prior to 14.2 do not use node.js and hence are not affected by the above-mentioned vulnerabilities.
Enterprise Vault 14.2:
node.js 14.17.2 was introduced in Discovery Accelerator 14.2 with the intention of displaying Microsoft Teams content in a near native format.
Affected Versions
EV versions: None
CA / VAS versions: None
DA versions: 14.2.0 and greater
VIC versions: None
Mitigation
The Discovery Accelerator prerequisites check states to install Node.js 14.17.3 or Higher. As such, upgrade node.js to version 16.14.2 or higher as needed.
For CVE-2024-28863
GitHub has published a vulnerability in node.js as reported in a security announcement updated on NIST on 2024-05-29. As part of this article, we are providing the following information about this vulnerability to the products noted above.
CVE-2024-28863 - This issue is with the node-tar component for node.js. The vulnerability is with the programmatic capability to create sub-folders in the folder creation process where memory consumption can increase to the point where node.js crashes.
- Severity: Medium
- Affected node.js Versions: All versions prior to 6.2.1.
Impact
EV, CA/VAS and DA have the node.js implementation internal to the EV workflow with no option exposed to programmatically invoke the folder creation process noted in the CVE problem statement.
Affected Versions
EV versions: None
CA/VAS versions: None
DA versions: None
Mitigation
None required.
For CVE-2025-27210
HackerOne has published a vulnerability in node.js as reported in a security announcement.
CVE-2025-27210: An incomplete fix has been identified in Node.js, specifically affecting Windows device names like CON, PRN, and AUX.
This vulnerability affects Windows users of path.join or path API.
Severity - High
Affected node.js version: 20.x, 22.x,24.x
Impact
There is no impact on Enterprise Vault, CA, DA and VIC. However, we recommend to upgrade the Node.js installation to overcome this security prompt.
The Node.js project has released updated fix versions as follow:
Node.js v20.19.4
Node.js v22.17.1
Node.js v24.4.1
Refer: https://nodejs.org/en/blog/vulnerability/july-2025-security-releases
Affected Versions
EV versions: None
CA/VAS versions: None
DA versions: None
Mitigation
None required.
Questions
For questions or problems regarding these vulnerabilities, please contact Veritas Technical Support (https://www.veritas.com/support)
Disclaimer
THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. VERITAS TECHNOLOGIES LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
References
Was this content helpful?
Translated Content
Please note that this document is a translation from English, and may have been machine-translated. It is possible that updates have been made to the original version after this document was translated and published. Veritas does not guarantee the accuracy regarding the completeness of the translation. You may also refer to the English Version of this knowledge base article for up-to-date information.