ALSA-2026:7675

[ALSA-2026:7675] Important: nodejs24 security update

Type:

security

Severity:

important

Release date:

2026-04-14

Description:

Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices.  

Security Fix(es):  

  * nodejs: Nodejs denial of service (CVE-2026-21637)
  * brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion (CVE-2026-25547)
  * minimatch: minimatch: Denial of Service via specially crafted glob patterns (CVE-2026-26996)
  * undici: Undici: Denial of Service due to uncontrolled resource consumption (CVE-2026-2581)
  * undici: Undici: HTTP header injection and request smuggling vulnerability (CVE-2026-1527)
  * undici: undici: Denial of Service via unbounded memory consumption during WebSocket permessage-deflate decompression (CVE-2026-1526)
  * undici: Undici: Denial of Service via invalid WebSocket permessage-deflate extension parameter (CVE-2026-2229)
  * undici: Undici: HTTP Request Smuggling and Denial of Service due to duplicate Content-Length headers (CVE-2026-1525)
  * undici: undici: Denial of Service via crafted WebSocket frame with large length (CVE-2026-1528)
  * nghttp2: nghttp2: Denial of Service via malformed HTTP/2 frames after session termination (CVE-2026-27135)
  * Node.js: Node.js: Denial of Service via malformed Internationalized Domain Name processing (CVE-2026-21712)
  * Node.js: Node.js: Denial of Service due to crafted HTTP `__proto__` header (CVE-2026-21710)
  * Node.js: Node.js: Information disclosure due to `fs.realpathSync.native()` bypassing filesystem read restrictions (CVE-2026-21715)
  * nodejs: Node.js: Permission bypass allows unauthorized modification of file permissions and ownership via incomplete security fix. (CVE-2026-21716)
  * Node.js: Node.js: Unauthorized inter-process communication due to missing Unix Domain Socket permission checks (CVE-2026-21711)
  * Node.js: Node.js: Information disclosure via timing oracle in HMAC verification (CVE-2026-21713)
  * Node.js: Node.js: Memory leak and Denial of Service via crafted HTTP/2 WINDOW_UPDATE frames (CVE-2026-21714)
  * nodejs: v8: Node.js: Denial of Service via V8 string hashing mechanism due to predictable hash collisions (CVE-2026-21717)


For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References:

Updated packages listed below:

Architecture	Package	Checksum
aarch64	nodejs24-libs-24.14.1-2.el10_1.aarch64.rpm	314b103e041840a984c873ce37bb313cd9bcf931cc4fb646b4cf9e2a50bf8310
aarch64	nodejs24-24.14.1-2.el10_1.aarch64.rpm	682de41649a8821c2895ebd55f87db5b9158f3adb2cac96acb0774b41516483f
aarch64	nodejs24-devel-24.14.1-2.el10_1.aarch64.rpm	94683bfd7b1012f6d76bbbb939ea9c7725a9c8d0547ac54b4af23e7f12c5c77a
aarch64	nodejs24-full-i18n-24.14.1-2.el10_1.aarch64.rpm	e8cff12220d02a45149fdeed34bc095eaa55d6267a10865853a14cb1551e0bf4
noarch	nodejs24-docs-24.14.1-2.el10_1.noarch.rpm	81e6f775bc8a4c7d7c2ce500cc3f2479d761d469b23d108512ed35641fb29409
noarch	nodejs24-npm-11.11.0-1.24.14.1.2.el10_1.noarch.rpm	e7f19716e6d8dcb0b9daf9491ad6784c0b082ebb17ffcf87d2608e16ee810ebf
ppc64le	nodejs24-24.14.1-2.el10_1.ppc64le.rpm	20eaa9df83640700fd1b93234500c51821ef71ffe88041e06a10c2aa00b6af86
ppc64le	nodejs24-devel-24.14.1-2.el10_1.ppc64le.rpm	cabb527283facfaaa6f295f46d93a8d041f07c1e399ba31cb09a307c9db939ca
ppc64le	nodejs24-full-i18n-24.14.1-2.el10_1.ppc64le.rpm	e6cd638b6cf4787e845b6ce111a2dd50c41e130e0a0fcba798219a35428f7946
ppc64le	nodejs24-libs-24.14.1-2.el10_1.ppc64le.rpm	f79830c7ea42ac376f8fc3b695c423a38f2599071b6d874158b2fc7a071384dc
s390x	nodejs24-libs-24.14.1-2.el10_1.s390x.rpm	051a0eb903a4b157780c28f23e365904383771bde228a8fa84c3c54e6aa9c5b9
s390x	nodejs24-24.14.1-2.el10_1.s390x.rpm	316ac484954c3b726e165e5aae8b599521ea3096c7be852940425d7cbc9169a4
s390x	nodejs24-full-i18n-24.14.1-2.el10_1.s390x.rpm	cac23d8a8f3fe139515f55a2a95ee881c63bd57a51286bf7a9323b009cb490ba
s390x	nodejs24-devel-24.14.1-2.el10_1.s390x.rpm	df517781a9438872b1448c75e5ded057cead74ebd07ca0fff8718c3eec1d62c0
x86_64	nodejs24-libs-24.14.1-2.el10_1.x86_64.rpm	6b6363968cf8bee21ea93794815cf36153bacb34c2e9ac270c351b27cb468009
x86_64	nodejs24-full-i18n-24.14.1-2.el10_1.x86_64.rpm	ae35ad8bbfcfd2c5cff77c3938539a8124699177a4f2ecbe37513af70d1c6a9f
x86_64	nodejs24-devel-24.14.1-2.el10_1.x86_64.rpm	e9b4254770249dd779af13556cfe940891d30dd70a00e3c386259974f34905c0
x86_64	nodejs24-24.14.1-2.el10_1.x86_64.rpm	fcc9ba6a4c7a84f7299467e436881b4033a963dc98ab4f2ff00f7806f0bbbf9c
x86_64_v2	nodejs24-24.14.1-2.el10_1.x86_64_v2.rpm	67e333c5b71685f0d8db68c0a9ae541c5838b01467d42351b695d0d651ca9563
x86_64_v2	nodejs24-devel-24.14.1-2.el10_1.x86_64_v2.rpm	9fec9d56334bd835b0edd8536d83c875cbdf38213acb2d1d4bc2675510e714cf
x86_64_v2	nodejs24-full-i18n-24.14.1-2.el10_1.x86_64_v2.rpm	a6afe300570c35eb5171beb8b6a1fcf690e12ebe0cf38434ccd83466708ecb19
x86_64_v2	nodejs24-libs-24.14.1-2.el10_1.x86_64_v2.rpm	dd887b23f5cfc5022e12fc9347bfda371a830430a3ba6accea0d9e9eb4cdc388

Notes:

This page is generated automatically from Red Hat security data and has not been checked for errors. For clarification or corrections please contact the AlmaLinux Packaging Team.