ALSA-2026:7123

[ALSA-2026:7123] Important: nodejs:22 security update

Type:

security

Severity:

important

Release date:

2026-04-15

Description:

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.   

Security Fix(es):  

  * brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion (CVE-2026-25547)
  * minimatch: minimatch: Denial of Service via specially crafted glob patterns (CVE-2026-26996)
  * minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions (CVE-2026-27904)
  * undici: undici: Denial of Service via unbounded memory consumption during WebSocket permessage-deflate decompression (CVE-2026-1526)
  * undici: Undici: Denial of Service via invalid WebSocket permessage-deflate extension parameter (CVE-2026-2229)
  * undici: Undici: HTTP Request Smuggling and Denial of Service due to duplicate Content-Length headers (CVE-2026-1525)
  * undici: undici: Denial of Service via crafted WebSocket frame with large length (CVE-2026-1528)
  * nghttp2: nghttp2: Denial of Service via malformed HTTP/2 frames after session termination (CVE-2026-27135)
  * Node.js: Node.js: Denial of Service due to crafted HTTP `__proto__` header (CVE-2026-21710)


For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References:

Updated packages listed below:

Architecture	Package	Checksum
aarch64	nodejs-full-i18n-22.22.2-1.module_el8.10.0+4158+e796f37f.aarch64.rpm	97df10804a91309dd814489ddf3d329b50510e683a255bb56182e09cff702bee
aarch64	nodejs-22.22.2-1.module_el8.10.0+4158+e796f37f.aarch64.rpm	9d82df2d7714afbb18cc5db8b5b0da658ac59908116f4dd7e22850d12f8110c4
aarch64	nodejs-devel-22.22.2-1.module_el8.10.0+4158+e796f37f.aarch64.rpm	bd69f1b776f114f6a7093e9432c092cc7814dfb7b6adec025484f1815133d24b
aarch64	v8-12.4-devel-12.4.254.21-1.22.22.2.1.module_el8.10.0+4158+e796f37f.aarch64.rpm	e6c9a02349f3558d5c39bce8def894afd89b75b2406f17d1e00667ce6c8575ea
aarch64	npm-10.9.7-1.22.22.2.1.module_el8.10.0+4158+e796f37f.aarch64.rpm	f0674659f26b45c040952112bea8d6b895ab4037b3caf90ff3513f9f9c2615d4
aarch64	nodejs-libs-22.22.2-1.module_el8.10.0+4158+e796f37f.aarch64.rpm	f260c76928b3c1518a1d7d4914c953090ea69e51bfa6bfd7f8583e9a8b375e11
noarch	nodejs-nodemon-3.0.1-1.module_el8.10.0+4006+3c416519.noarch.rpm	1b6e11aaa8d9bdb9162feb0d449e70ce58986cd57aeed33595bc13516352a9e6
noarch	nodejs-packaging-bundler-2021.06-6.module_el8.10.0+4158+e796f37f.noarch.rpm	95549e780e9ad76b8e49f9c9db940d99cb8260f37e3d9cf05df2baaf6182e412
noarch	nodejs-packaging-2021.06-6.module_el8.10.0+4158+e796f37f.noarch.rpm	aaede6e40164690ca8a8b2229ad4ad4e0faea8ce4f2d6cfb3358572d8576dace
noarch	nodejs-docs-22.22.2-1.module_el8.10.0+4158+e796f37f.noarch.rpm	f65898b969de2a006de95b87fb381d21ea2334cc79e0dd61848288b98280cc0f
ppc64le	nodejs-devel-22.22.2-1.module_el8.10.0+4158+e796f37f.ppc64le.rpm	037fb20dd27b63d532ad50d2bc0ee686e0f4dee8cb3680e8b4383e1b2df6cdd7
ppc64le	nodejs-22.22.2-1.module_el8.10.0+4158+e796f37f.ppc64le.rpm	0e4cb0cc301f7ba4ff814554a38668cafd680c548837db584e1e18382706d3a4
ppc64le	nodejs-full-i18n-22.22.2-1.module_el8.10.0+4158+e796f37f.ppc64le.rpm	5246d91a1f480652fafbc8192125bcbc26731006cbdb845a7a8e93dd5c087d34
ppc64le	npm-10.9.7-1.22.22.2.1.module_el8.10.0+4158+e796f37f.ppc64le.rpm	817351446a4ec3613cc809dbc670b51a8ca32971dd4f0370bc2aef7a9f9a48fe
ppc64le	v8-12.4-devel-12.4.254.21-1.22.22.2.1.module_el8.10.0+4158+e796f37f.ppc64le.rpm	e75ac7192b39e4893af5513fc3ba0b5496e21fa25e4b42d88edd4f4feb141b3e
ppc64le	nodejs-libs-22.22.2-1.module_el8.10.0+4158+e796f37f.ppc64le.rpm	fb33d27c070bab5eab179a863b1bf37ff355810b00f2a3eb7b693e1b1a79c606
s390x	nodejs-libs-22.22.2-1.module_el8.10.0+4158+e796f37f.s390x.rpm	0c918724859f0571b948283815ede8bfcfaa7056142d6de7a04e270c0107ec3b
s390x	nodejs-full-i18n-22.22.2-1.module_el8.10.0+4158+e796f37f.s390x.rpm	18b5c5195b909720288eba5d9f8669b97a7c8a714cea18c1276234d053fda196
s390x	nodejs-devel-22.22.2-1.module_el8.10.0+4158+e796f37f.s390x.rpm	1fa3140d373c1a10bef891530d21587e913d73e5a2d78d0bffc32918e72ea302
s390x	v8-12.4-devel-12.4.254.21-1.22.22.2.1.module_el8.10.0+4158+e796f37f.s390x.rpm	88c6cccd3de1c27a1efc1549ff738a953cce18eeca5091b4221d9e641c73b0f7
s390x	nodejs-22.22.2-1.module_el8.10.0+4158+e796f37f.s390x.rpm	c1a9adef4d0500b8dec3e376816b9b0ee35598463da51352966264c12329403d
s390x	npm-10.9.7-1.22.22.2.1.module_el8.10.0+4158+e796f37f.s390x.rpm	c85998e8618ccf479757d13ab2f4d2df0bbad6e4f8d6c0007dfe0a46d7d278fd
x86_64	npm-10.9.7-1.22.22.2.1.module_el8.10.0+4158+e796f37f.x86_64.rpm	028d5476bae9a31e376e8df41eb1d013d94b3620ac45a5cff35e820a8213f281
x86_64	nodejs-full-i18n-22.22.2-1.module_el8.10.0+4158+e796f37f.x86_64.rpm	31f56d5a272226098e3920cb134c16e10b4829f1ad5a0c3cefaacabb97dda174
x86_64	nodejs-devel-22.22.2-1.module_el8.10.0+4158+e796f37f.x86_64.rpm	3228334b42e90c4cd4967561c38c35a678eddeed54ee9e0c3beb49ae07e8ef82
x86_64	nodejs-libs-22.22.2-1.module_el8.10.0+4158+e796f37f.x86_64.rpm	418dd7ed6950fd34b3d554c094bd70a6ab3649744ce56354f83fe21b8622227d
x86_64	v8-12.4-devel-12.4.254.21-1.22.22.2.1.module_el8.10.0+4158+e796f37f.x86_64.rpm	4edaab115f1ae66d806ce9aceb6c35a0f46a55c4eac7d19896f5cb70f61479d1
x86_64	nodejs-22.22.2-1.module_el8.10.0+4158+e796f37f.x86_64.rpm	6ebf9ab3b623ebd7e3a0237e5e388f34ed24cb226577f1092a674514ce5f3ee7

Notes:

This page is generated automatically from Red Hat security data and has not been checked for errors. For clarification or corrections please contact the AlmaLinux Packaging Team.