Description
Package name
nodejs-24,nodejs-25
Current version in Wolfi
24.13.0r0,25.3.0r0
Requested version
24.13.0-r0,25.3.0-r0
Upstream project URL
https://nodejs.org/en/blog/release/v24.13.0
Problem
Our project uses chainguard/wolfi-base@sha256:17ab0709456ce1a2aedd85e95f72e58d73133bb70c33ae945a4d4b2424e984f1
Our trivy scan pipeline reported a vulnerability for nodejs, but we already patched to the fixed version as you can see in the following report:
```
myregistry.myhost.io/myproject/my_project_image:20260203-12345678 (wolfi 20230201)
==============================================================================================
Total: 7 (HIGH: 6, CRITICAL: 1)

┌───────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────┐
│  Library  │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                    Title                     │
├───────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────┤
│ nodejs-24 │ CVE-2026-21636 │ CRITICAL │ fixed  │ 24.13.0-r0        │ 24.13.0r0     │ nodejs: Nodejs network segmentation bypass   │
│           │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-21636   │
│           ├────────────────┼──────────┤        │                   │               ├──────────────────────────────────────────────┤
│           │ CVE-2025-55130 │ HIGH     │        │                   │               │ nodejs: Nodejs file permissions bypass       │
│           │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-55130   │
│           ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────┤
│           │ CVE-2025-55131 │          │        │                   │               │ nodejs: Nodejs uninitialized memory exposure │
│           │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-55131   │
│           ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────┤
│           │ CVE-2025-59464 │          │        │                   │               │ nodejs: Nodejs memory leak                   │
│           │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-59464   │
│           ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────┤
│           │ CVE-2025-59465 │          │        │                   │               │ nodejs: Nodejs denial of service             │
│           │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-59465   │
│           ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────┤
│           │ CVE-2025-59466 │          │        │                   │               │ nodejs: Nodejs denial of service             │
│           │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-59466   │
│           ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────┤
│           │ CVE-2026-21637 │          │        │                   │               │ nodejs: Nodejs denial of service             │
│           │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-21637   │
└───────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────┘
```
The only difference is the typo on the fixed version, which has a missing dash - character: 24.13.0r0 versus the actual version 24.13.0-r0
I downloaded the latest trivy DB:

```
trivy image --download-db-only --cache-dir .
```

and noticed that the fixed version of nodejs from Wolfi is 24.13.0r0, but from Alpine it is 24.13.0-r0.
Accessing the Wolfi security database at https://packages.wolfi.dev/os/security.json confirms this:
Actually, it also affects other versions according to this advisory:
https://images.chainguard.dev/security/CVE-2026-21636#/
Thank you
Steps to reproduce
No response
Root cause (if known)
No response
Proposed solution
Change the FixedVersion in the vulnerability list to add a dash - character.
Testing performed
No response
Acceptance criteria
- The requested version is the latest stable upstream release (no pre-releases or RCs)
- The upstream project uses an OSI-approved license
- The change aligns with Wolfi’s packaging and security model
- The package can be reasonably maintained over time
- There are no known unresolved security or supply-chain concerns
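As an added check for the malformed fixed-version key this issue reports (example code, not from the issue, Wolfi or Trivy): it walks a secdb in the Alpine-style `packages[].pkg.secfixes` layout that Wolfi's security.json is assumed to use and flags every secfixes key that is not a well-formed apk version, so a missing `-rN` release suffix is caught before a scanner turns it into a false positive. The JSON below is constructed, not a dump of the real database.

```python
import json
import re

# Constructed sample in the Alpine/Wolfi secdb layout (assumed shape, not a real
# dump of https://packages.wolfi.dev/os/security.json). The nodejs-24 entry
# reproduces the malformed "24.13.0r0" key reported in this issue.
SAMPLE_SECDB = json.dumps({
    "reponame": "os",
    "packages": [
        {"pkg": {"name": "nodejs-24",
                 "secfixes": {"24.13.0r0": ["CVE-2026-21636", "CVE-2026-21637"],
                              "24.11.1-r0": ["CVE-2025-59464"]}}},
        {"pkg": {"name": "nodejs-25",
                 "secfixes": {"25.3.0-r0": ["CVE-2026-21636"]}}},
    ],
})

# Simplified apk version grammar: dotted numeric version, optional single
# letter, optional _suffix<N> parts (alpha, beta, pre, rc, cvs, svn, git, hg, p),
# then a mandatory "-r<N>" package release.
APK_VERSION_RE = re.compile(
    r"^\d+(\.\d+)*[a-z]?(_(alpha|beta|pre|rc|cvs|svn|git|hg|p)\d*)*-r\d+$"
)


def is_valid_apk_version(version: str) -> bool:
    return APK_VERSION_RE.match(version) is not None


def find_malformed_fixed_versions(secdb_text: str) -> list:
    """Return (package, bad_version, sorted_cves) for every secfixes key that is
    not a well-formed apk version. A scanner compares the installed "-rN"
    version against these keys, so a key without the release suffix can never
    equal an installed package and keeps reporting the CVE as unfixed."""
    db = json.loads(secdb_text)
    bad = []
    for entry in db.get("packages", []):
        pkg = entry.get("pkg", {})
        for version, cves in pkg.get("secfixes", {}).items():
            if not is_valid_apk_version(version):
                bad.append((pkg.get("name", "?"), version, sorted(cves)))
    return bad


if __name__ == "__main__":
    for name, version, cves in find_malformed_fixed_versions(SAMPLE_SECDB):
        print(f"{name}: malformed fixed version {version!r} for {', '.join(cves)}")
```

Run it against the real security.json by replacing `SAMPLE_SECDB` with the downloaded file's contents; an empty result means every fixed version has the `-rN` suffix a scanner can match.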