
Red Hat alert RHSA-2026:7350-01 (nodejs:24)

An update for the nodejs:24 module is now available for Red Hat Enterprise
Linux 9.

Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

Node.js is a software development platform for building fast and scalable
network applications in the JavaScript programming language.

Security Fix(es):

* nodejs: Nodejs denial of service (CVE-2026-21637)

* brace-expansion: brace-expansion: Denial of Service via unbounded brace
range expansion (CVE-2026-25547)

* minimatch: minimatch: Denial of Service via specially crafted glob patterns
(CVE-2026-26996)

* undici: Undici: Denial of Service due to uncontrolled resource consumption
(CVE-2026-2581)

* undici: Undici: HTTP header injection and request smuggling vulnerability
(CVE-2026-1527)

* undici: undici: Denial of Service via unbounded memory consumption during
WebSocket permessage-deflate decompression (CVE-2026-1526)

* undici: Undici: Denial of Service via invalid WebSocket permessage-deflate
extension parameter (CVE-2026-2229)

* undici: Undici: HTTP Request Smuggling and Denial of Service due to
duplicate Content-Length headers (CVE-2026-1525)

* undici: undici: Denial of Service via crafted WebSocket frame with large
length (CVE-2026-1528)

* nghttp2: nghttp2: Denial of Service via malformed HTTP/2 frames after
session termination (CVE-2026-27135)

* Node.js: Node.js: Denial of Service via malformed Internationalized Domain
Name processing (CVE-2026-21712)

* Node.js: Node.js: Denial of Service due to crafted HTTP `__proto__` header
(CVE-2026-21710)

* Node.js: Node.js: Information disclosure due to `fs.realpathSync.native()`
bypassing filesystem read restrictions (CVE-2026-21715)

* nodejs: Node.js: Permission bypass allows unauthorized modification of file
permissions and ownership via incomplete security fix (CVE-2026-21716)

* Node.js: Node.js: Unauthorized inter-process communication due to missing
Unix Domain Socket permission checks (CVE-2026-21711)

* Node.js: Node.js: Information disclosure via timing oracle in HMAC
verification (CVE-2026-21713)

* Node.js: Node.js: Memory leak and Denial of Service via crafted HTTP/2
WINDOW_UPDATE frames (CVE-2026-21714)

* nodejs: v8: Node.js: Denial of Service via V8 string hashing mechanism due
to predictable hash collisions (CVE-2026-21717)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

This content is licensed under the Creative Commons Attribution 4.0
International License (https://creativecommons.org/licenses/by/4.0/). If you
distribute this content, or a modified version of it, you must provide
attribution to Red Hat Inc. and provide a link to the original.

Original: https://access.redhat.com/security/data/csaf/v2/advisories/2026/rhsa-2026_7350.json


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds