[ALSA-2026:35842] Important: nodejs22 security, bug fix, and enhancement update
Type:
security
Severity:
important
Release date:
2026-07-06
Description:
Node.js is a platform built on Chrome's JavaScript runtime \ for easily building fast, scalable network applications. \ Node.js uses an event-driven, non-blocking I/O model that \ makes it lightweight and efficient, perfect for data-intensive \ real-time applications that run across distributed devices. Security Fix(es): * ip-address: ip-address: Cross-site scripting via improper HTML escaping of untrusted input (CVE-2026-42338) * undici: undici: Denial of Service due to unbounded memory growth via WebSocket frames (CVE-2026-12151) * undici: Undici: Information disclosure due to improper cache-control header parsing (CVE-2026-9678) * undici: Undici: Response queue poisoning on reused keep-alive sockets can lead to incorrect response delivery. (CVE-2026-6733) * undici: undici: Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header (CVE-2026-11525) * nodejs: Node.js: Denial of Service via unlimited HTTP/2 ORIGIN frames (CVE-2026-48619) * nodejs: Node.js: Silent authority rebinding due to embedded-nul hostnames in TLS handling (CVE-2026-48930) * nodejs: Node.js: Unauthorized file metadata modification (CVE-2026-48935) * nodejs: Node.js WebCrypto: Denial of Service via large input to subtle.encrypt() (CVE-2026-48933) * nodejs: Node.js: Certification validation bypass in TLS host verification (CVE-2026-48934) * Node.js: Node.js: Trust-policy bypass due to hostname matching inconsistency (CVE-2026-48928) * nodejs: Node.js: Information disclosure of proxy credentials via proxy tunnel error handling (CVE-2026-48615) * nodejs: Node.js: Authentication bypass due to TLS hostname handling and unicode dot separator mismatch (CVE-2026-48618) Bug Fix(es) and Enhancement(s): * nodejs22: Rebase to the latest Node.js 22 release [almalinux-10.2.z] (JIRA:AlmaLinux-186623) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Updated packages listed below:
Architecture Package Checksum
aarch64 nodejs-libs-22.23.1-2.el10_2.aarch64.rpm 1418cc3cc68c6067ae09576c28cb298e01b2233e7258948be27149fe28bdd177
aarch64 nodejs-npm-10.9.8-1.22.23.1.2.el10_2.aarch64.rpm 15782ae93a16390f7f109632bf1df72aef35dea574b63c8ab168a8f3bc01054b
aarch64 nodejs-22.23.1-2.el10_2.aarch64.rpm 3f1bc61157a0e6fcd8f68c15172db625a2d8bc297a517ab5a32db95bd428957d
aarch64 nodejs-devel-22.23.1-2.el10_2.aarch64.rpm 5f58c12bf37334084db2993e52f16929554ff4bca8d935cef475c2186a42628e
aarch64 nodejs-full-i18n-22.23.1-2.el10_2.aarch64.rpm ec8c46568d7b97abd421e98dbf44e8decd12c4d62fbca422117418340a5b0551
noarch nodejs-docs-22.23.1-2.el10_2.noarch.rpm 492a598f325fdb1de667b1cf3eb563ff290a931816399634238410c6852efc36
ppc64le nodejs-libs-22.23.1-2.el10_2.ppc64le.rpm 33830c529c3de948c610b0a8ab1f22bbb0171f133893569db00930d1dc6a7eeb
ppc64le nodejs-22.23.1-2.el10_2.ppc64le.rpm bd83fa5c020dab1f67525a46ccf6902a4f21661644555c8707c506eccb4d96d0
ppc64le nodejs-full-i18n-22.23.1-2.el10_2.ppc64le.rpm d0cf68d2cab7f19b011081c7a5de3f5bde84221302c4e5edd1f5547b46e9cb1f
ppc64le nodejs-devel-22.23.1-2.el10_2.ppc64le.rpm d77321971f773f31e115bf80626206f60eb6cb96a298efe61d560ad971692e72
ppc64le nodejs-npm-10.9.8-1.22.23.1.2.el10_2.ppc64le.rpm f5a0e02a4e40522333398d39f2eaefa51769682c1484b5b7971948eeacc0c761
s390x nodejs-devel-22.23.1-2.el10_2.s390x.rpm 2c4353d6eae917b51331f8b41f9198bf026e6629394934d484300a2a0f6076c7
s390x nodejs-full-i18n-22.23.1-2.el10_2.s390x.rpm 2f4bd8ace9de98e097f10332136736396cd9989c55f92d6af3511541daf88325
s390x nodejs-libs-22.23.1-2.el10_2.s390x.rpm 4c97d22c21f93e987cea0e99735be544a95fa79354a5ce24896e86b69a8cc122
s390x nodejs-npm-10.9.8-1.22.23.1.2.el10_2.s390x.rpm 9408d6bb53dd2bbcdc8dfe45b235a81b42d27b24ef70b35e1539c5a82b4e2bd9
s390x nodejs-22.23.1-2.el10_2.s390x.rpm e20840ebc353064d0e1bde6ac89403eebd431118e764760646b772f41ee48c61
x86_64 nodejs-libs-22.23.1-2.el10_2.x86_64.rpm 0a10beefb725c901aa74a9d6aec85fb68dc70955363031af0c5e315091f9f568
x86_64 nodejs-devel-22.23.1-2.el10_2.x86_64.rpm 3ca1e0c4404efc9c06130c4d240ec04a2c5d363702c3f4bc510d731b42207210
x86_64 nodejs-npm-10.9.8-1.22.23.1.2.el10_2.x86_64.rpm a8979b7c3c488fbc0879cb3fb2ffae985519edddd89ea6c47e8a4a9b9f2c5ee4
x86_64 nodejs-22.23.1-2.el10_2.x86_64.rpm ca9c67ba787a0c21554f14ce1caadba3ba320749a3244ece4e030ce44bcf04f2
x86_64 nodejs-full-i18n-22.23.1-2.el10_2.x86_64.rpm f0ff87688d04a00f27926acf38f20a7ea32ba6833cac25228764c7dc6f2f69af
x86_64_v2 nodejs-devel-22.23.1-2.el10_2.x86_64_v2.rpm 612cd6c9de0b97daf6e49e5372da7a52ed473bd9109ee63064897b9627add65d
x86_64_v2 nodejs-22.23.1-2.el10_2.x86_64_v2.rpm 8e165c811ea33e096da8c3e3681905445bb32774c0222dc236bb5cff1e9c376c
x86_64_v2 nodejs-full-i18n-22.23.1-2.el10_2.x86_64_v2.rpm 92e75bd8afb8e88921484104c1f1e97e5b75cf24eef8fa2b73b572d1e223a973
x86_64_v2 nodejs-libs-22.23.1-2.el10_2.x86_64_v2.rpm d9cb56c263742f90529ac451a9a4ed79d6194c2ba1a40d971250e797f4dab54b
x86_64_v2 nodejs-npm-10.9.8-1.22.23.1.2.el10_2.x86_64_v2.rpm f170bb98fccc6befd780dd7a8003d9457ed0fd7dc187f5ee35a38b6c0c9761e8
Notes:
This page is generated automatically from Red Hat security data and has not been checked for errors. For clarification or corrections please contact the AlmaLinux Packaging Team.