[ALSA-2026:39868] Important: nodejs:24 security, bug fix, and enhancement update
Type:
security
Severity:
important
Release date:
2026-07-16
Description:
Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fix(es): * ip-address: ip-address: Cross-site scripting via improper HTML escaping of untrusted input (CVE-2026-42338) * undici: undici: Denial of Service due to unbounded memory growth via WebSocket frames (CVE-2026-12151) * undici: Undici: Information disclosure due to improper cache-control header parsing (CVE-2026-9678) * undici: Undici: Response queue poisoning on reused keep-alive sockets can lead to incorrect response delivery. (CVE-2026-6733) * undici: undici: Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header (CVE-2026-11525) * undici: undici: Man-in-the-Middle attack via ignored TLS options with SOCKS5 proxy (CVE-2026-9697) * undici: undici: Information disclosure and data integrity issues due to incorrect Socks5ProxyAgent connection routing (CVE-2026-6734) * nodejs: Node.js: Denial of Service via unlimited HTTP/2 ORIGIN frames (CVE-2026-48619) * nodejs: Node.js: Silent authority rebinding due to embedded-nul hostnames in TLS handling (CVE-2026-48930) * nodejs: Node.js: Unauthorized file metadata modification (CVE-2026-48935) * nodejs: Node.js WebCrypto: Denial of Service via large input to subtle.encrypt() (CVE-2026-48933) * nodejs: Node.js: Certification validation bypass in TLS host verification (CVE-2026-48934) * Node.js: Node.js: Trust-policy bypass due to hostname matching inconsistency (CVE-2026-48928) * nodejs: Node.js: Information disclosure of proxy credentials via proxy tunnel error handling (CVE-2026-48615) * nodejs: Node.js: Authentication bypass due to TLS hostname handling and unicode dot separator mismatch (CVE-2026-48618) Bug Fix(es) and Enhancement(s): * nodejs:24/nodejs: Rebase to the latest Node.js 24 release [almalinux-8] (JIRA:AlmaLinux-168744) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Updated packages listed below:
Architecture Package Checksum
aarch64 nodejs-24.18.0-1.module_el8.10.0+4228+2938bc94.aarch64.rpm 2e1e6d37d1619a44e7c9f2805f90c7acd0a2480b015a3b9b84638d678af5c50e
aarch64 v8-13.6-devel-13.6.233.17-1.24.18.0.1.module_el8.10.0+4228+2938bc94.aarch64.rpm 3e1698b63c4d350226a9b5bcbfaea8c9bd033a2957b0dff67828bd3c4765fc78
aarch64 nodejs-libs-24.18.0-1.module_el8.10.0+4228+2938bc94.aarch64.rpm 5a6ed8620f427cef45aa2db92744f4cd840795d8e5c891b24be401f5b0b843d4
aarch64 nodejs-full-i18n-24.18.0-1.module_el8.10.0+4228+2938bc94.aarch64.rpm c0e14ce5b6ba025c8373a181a5d42cb5d6de972b65b9e977b29418f04c52ff88
aarch64 nodejs-devel-24.18.0-1.module_el8.10.0+4228+2938bc94.aarch64.rpm c2c9284a8fe9e05735b5f2874137a6e14d822f6c2243e1f8d80344f9a4415ac4
noarch nodejs-packaging-2021.06-6.module_el8.10.0+4086+70facd4a.noarch.rpm 318c493f93f2190506361306b5759e5e65eee18e3a8d85b195c800d8b7064bc0
noarch npm-11.16.0-1.24.18.0.1.module_el8.10.0+4228+2938bc94.noarch.rpm 8622fde48003921573a31d0b6e33f98c4d6584ca5bbdc8fd71c17f8426a535e7
noarch nodejs-nodemon-3.0.3-1.module_el8.10.0+4061+f8ceeab9.noarch.rpm 9a38ec0d35f9d0671cb0343c1270c1a85bf1b2250b40fe3facedbd919eee2b91
noarch nodejs-docs-24.18.0-1.module_el8.10.0+4228+2938bc94.noarch.rpm b6dd8086b81ee8aac9c2dbc943a9fce9b5f68f5802471fbc5bd5ecdc39cd7446
noarch nodejs-packaging-bundler-2021.06-6.module_el8.10.0+4086+70facd4a.noarch.rpm f4b4a25dc07327deb51619715aae6bd35d22e29ccfc97141c0b61de3a1995eee
ppc64le v8-13.6-devel-13.6.233.17-1.24.18.0.1.module_el8.10.0+4228+2938bc94.ppc64le.rpm 447827bdf34435797774a7a675a1cd36a26ec1a6aa0eeedac048350290828ae5
ppc64le nodejs-libs-24.18.0-1.module_el8.10.0+4228+2938bc94.ppc64le.rpm 48524720049d99411a141d2a4ce95bffd4cdcaf13799d22b74af8c73f4fa744f
ppc64le nodejs-24.18.0-1.module_el8.10.0+4228+2938bc94.ppc64le.rpm 5e215cf554f4293e1bd4b2ceaecb9026efb476cd2c5922269c9896575f1c5576
ppc64le nodejs-full-i18n-24.18.0-1.module_el8.10.0+4228+2938bc94.ppc64le.rpm 9ccf6d6c9bf28e1c4ede131fcd5811e2e5a2319760d20cfb2829ec7b73427081
ppc64le nodejs-devel-24.18.0-1.module_el8.10.0+4228+2938bc94.ppc64le.rpm af423a6af48b83c724cd6dcefeca39ee12585dbc31729fad981c6dc68285d026
s390x nodejs-devel-24.18.0-1.module_el8.10.0+4228+2938bc94.s390x.rpm 0f779737e7618766deda2d92aa2a2808f08d7c1818e0c0546d2b094426cd8973
s390x nodejs-full-i18n-24.18.0-1.module_el8.10.0+4228+2938bc94.s390x.rpm 3e68cb36e286d7d48dde8603d064f018cf6a14bc9bee3e334cd9aab3b7dd6ff8
s390x nodejs-libs-24.18.0-1.module_el8.10.0+4228+2938bc94.s390x.rpm 900dbd67e78d3251c2f2c13aa141fb199cdd9a5cbe837fb9fb842830a93e239e
s390x v8-13.6-devel-13.6.233.17-1.24.18.0.1.module_el8.10.0+4228+2938bc94.s390x.rpm def3a802aa5d6c0f95aaa5141af9db4c125dc8e2f67fb68bd5a9ee1ea6ac2209
s390x nodejs-24.18.0-1.module_el8.10.0+4228+2938bc94.s390x.rpm e6c1fa3d82f5a9347befbe0a0106a966126cfd0a828b752a3b91ca83bebd9910
x86_64 nodejs-24.18.0-1.module_el8.10.0+4228+2938bc94.x86_64.rpm 32411d30ee279908c0f300e403b469e5dc3f8b029ba27e611e16c7dbac4ca37c
x86_64 v8-13.6-devel-13.6.233.17-1.24.18.0.1.module_el8.10.0+4228+2938bc94.x86_64.rpm 373a1c194d51df7c4666be8af94d686d3c2f2106aa4a99f584398a822975a9d7
x86_64 nodejs-full-i18n-24.18.0-1.module_el8.10.0+4228+2938bc94.x86_64.rpm 4aa9659a527002ef1efa3667b2fc4d82e33d8fbb45755f8a2201c0c40d95109c
x86_64 nodejs-devel-24.18.0-1.module_el8.10.0+4228+2938bc94.x86_64.rpm 8279a94546499ab1a4deb7f2f2769d9eb80c679bd93faea09cdde4ebd94e4978
x86_64 nodejs-libs-24.18.0-1.module_el8.10.0+4228+2938bc94.x86_64.rpm a21887f1e422efd9456ec86b1183a95eca0c357a96b06765ef93c962c2b09a2a
Notes:
This page is generated automatically from Red Hat security data and has not been checked for errors. For clarification or corrections please contact the AlmaLinux Packaging Team.