[ALSA-2026:35841] Important: nodejs24 security, bug fix, and enhancement update
Type:
security
Severity:
important
Release date:
2026-07-06
Description:
Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices. Security Fix(es): * ip-address: ip-address: Cross-site scripting via improper HTML escaping of untrusted input (CVE-2026-42338) * undici: undici: Denial of Service due to unbounded memory growth via WebSocket frames (CVE-2026-12151) * undici: Undici: Information disclosure due to improper cache-control header parsing (CVE-2026-9678) * undici: Undici: Response queue poisoning on reused keep-alive sockets can lead to incorrect response delivery. (CVE-2026-6733) * undici: undici: Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header (CVE-2026-11525) * undici: undici: Man-in-the-Middle attack via ignored TLS options with SOCKS5 proxy (CVE-2026-9697) * undici: undici: Information disclosure and data integrity issues due to incorrect Socks5ProxyAgent connection routing (CVE-2026-6734) * nodejs: Node.js: Denial of Service via unlimited HTTP/2 ORIGIN frames (CVE-2026-48619) * nodejs: Node.js: Silent authority rebinding due to embedded-nul hostnames in TLS handling (CVE-2026-48930) * nodejs: Node.js: Unauthorized file metadata modification (CVE-2026-48935) * nodejs: Node.js WebCrypto: Denial of Service via large input to subtle.encrypt() (CVE-2026-48933) * nodejs: Node.js: Certification validation bypass in TLS host verification (CVE-2026-48934) * Node.js: Node.js: Trust-policy bypass due to hostname matching inconsistency (CVE-2026-48928) * nodejs: Node.js: Information disclosure of proxy credentials via proxy tunnel error handling (CVE-2026-48615) * nodejs: Node.js: Authentication bypass due to TLS hostname handling and unicode dot separator mismatch (CVE-2026-48618) Bug Fix(es) and Enhancement(s): * nodejs24: Rebase to the latest Node.js 24 release [almalinux-10.2.z] (JIRA:AlmaLinux-186582) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Updated packages listed below:
Architecture Package Checksum
aarch64 nodejs24-full-i18n-24.18.0-1.el10_2.aarch64.rpm 17893ae76be6864e04edff7ab4db13d75055bc1cbc4bc00c3b11c10263a98c02
aarch64 nodejs24-libs-24.18.0-1.el10_2.aarch64.rpm 3a22d86941f8b3726797aac86b6ee4a60094e1408cc25743a350237a38866b41
aarch64 nodejs24-24.18.0-1.el10_2.aarch64.rpm 98937aac705ff5b14dd3522c370aaedf22651eed7f8df3545b11ef6332d163e4
aarch64 nodejs24-devel-24.18.0-1.el10_2.aarch64.rpm e4ded7bdbcd76be7f868c90aa5ae440d3e25af195432deef2d63cfc843c1d822
noarch nodejs24-npm-11.16.0-1.24.18.0.1.el10_2.noarch.rpm b26d8267ca66276f7e691e6ae46d36fc0beaccc3064246c73bf7e97f5437ff7d
noarch nodejs24-docs-24.18.0-1.el10_2.noarch.rpm cfbfb133600350bcd79f384de1fe77fa2508bf7bbac0e804b4b4b5991450e772
ppc64le nodejs24-devel-24.18.0-1.el10_2.ppc64le.rpm 0ac21b7fad611caffa616ca9ff62df28e786fba844f1119524f4c29a34c12ba0
ppc64le nodejs24-libs-24.18.0-1.el10_2.ppc64le.rpm 18befeabf183e5a34c983de950ea1d55dfe0bbe320b875d7f8a422bd2a68cff6
ppc64le nodejs24-24.18.0-1.el10_2.ppc64le.rpm 8e336a110440dd0ee77be340abdc360376c866b95ac54ef808bdc9ea58647d3b
ppc64le nodejs24-full-i18n-24.18.0-1.el10_2.ppc64le.rpm d94427b6768a30fdaa8016890f373881393226c861ed65bc485fa50768983b3a
s390x nodejs24-libs-24.18.0-1.el10_2.s390x.rpm 109ef77a85154fcdacea34123a30652b9f1cf4ab44e6337fddcfc76936f60f98
s390x nodejs24-24.18.0-1.el10_2.s390x.rpm 2b0c8e403925d25398af1da95e70e0f77b2df78e7cc73408affada43c706e470
s390x nodejs24-devel-24.18.0-1.el10_2.s390x.rpm b0a6a435bf710a324c8d5dee53d9899519292232dce2953ae9fa12198c1c8368
s390x nodejs24-full-i18n-24.18.0-1.el10_2.s390x.rpm d3534cf2ae4d78d14a8ff828aeb519b24e27939870a71b6336ba94f01d5fc586
x86_64 nodejs24-devel-24.18.0-1.el10_2.x86_64.rpm 20b60b9c9bc65122a251254e79d07f7b834c293538ea00ec0e53a648cddead4b
x86_64 nodejs24-full-i18n-24.18.0-1.el10_2.x86_64.rpm 4d8fde974b7b0107371082f4a599e75e6c9b13a81bb248477c496644690dba68
x86_64 nodejs24-libs-24.18.0-1.el10_2.x86_64.rpm ab3cefa94eac2b0bd7fb31c94c645b6e35445bb3809bf3f830816b0046e3f3ca
x86_64 nodejs24-24.18.0-1.el10_2.x86_64.rpm f13137f62792250e07a08e6234ace4ac759be94cfeb542f322d2140ca71ca392
x86_64_v2 nodejs24-full-i18n-24.18.0-1.el10_2.x86_64_v2.rpm 08d248d0366424283a36c4d41caefb0a267fcbfc2c15e2e0cb53c1dbe3b195de
x86_64_v2 nodejs24-devel-24.18.0-1.el10_2.x86_64_v2.rpm 4629aa154c61579c81590af2e2091e4dcf8f5d7b2fe171df3beb7bca754115f9
x86_64_v2 nodejs24-libs-24.18.0-1.el10_2.x86_64_v2.rpm 5c6dd1f3184bb3e275340ac4d3cd0c84f017b53e8419498b184591fe9e3a6775
x86_64_v2 nodejs24-24.18.0-1.el10_2.x86_64_v2.rpm 7e96823ac209b3a25a6476f7c93577215ad982f94e1e086b7cdfffcbd92029a6
Notes:
This page is generated automatically from Red Hat security data and has not been checked for errors. For clarification or corrections please contact the AlmaLinux Packaging Team.