ALSA-2026:8339

[ALSA-2026:8339] Important: nodejs:20 security update

Type:

security

Severity:

important

Release date:

2026-04-16

Description:

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.   

Security Fix(es):  

  * minimatch: minimatch: Denial of Service via specially crafted glob patterns (CVE-2026-26996)
  * minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions (CVE-2026-27904)
  * nghttp2: nghttp2: Denial of Service via malformed HTTP/2 frames after session termination (CVE-2026-27135)
  * Node.js: Node.js: Denial of Service due to crafted HTTP `__proto__` header (CVE-2026-21710)


For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References:

Updated packages listed below:

Architecture	Package	Checksum
aarch64	nodejs-devel-20.20.2-1.module_el8.10.0+4165+3f200bda.aarch64.rpm	2676eede7491523473d8619650b39c36eca9b58135a8d0f11ded00cfd792394c
aarch64	npm-10.8.2-1.20.20.2.1.module_el8.10.0+4165+3f200bda.aarch64.rpm	2e23e76bb477a6631104ddc31cb876b6f9715d0abcb329caefab10d3837993db
aarch64	nodejs-full-i18n-20.20.2-1.module_el8.10.0+4165+3f200bda.aarch64.rpm	ca17c2dd1758fdd4c0ebde9fad9d3460d91bc4f623bb3a53c9a7ca581e184eb0
aarch64	nodejs-20.20.2-1.module_el8.10.0+4165+3f200bda.aarch64.rpm	f7e43c12508c51cb80de7198fd94d0b79c09c3ed63d0dddec8a2be4ce112ed45
noarch	nodejs-nodemon-3.0.1-1.module_el8.10.0+3982+85c136aa.noarch.rpm	2a3ac075981f56758aac0aa08cc55d71f2ca6610e6bc965f306dd6b9a8db442a
noarch	nodejs-docs-20.20.2-1.module_el8.10.0+4165+3f200bda.noarch.rpm	3d527c12c659faec2445770dae6cb5206b15893414a79392e8eec91d050eb42b
noarch	nodejs-packaging-bundler-2021.06-6.module_el8.10.0+4165+3f200bda.noarch.rpm	6224e1814548e23ea087ce03ada89f7fb585bf019b36c21aa60fa1ef29b06cfa
noarch	nodejs-packaging-2021.06-6.module_el8.10.0+4165+3f200bda.noarch.rpm	86514cfa3b98d8f30755b096872edda109ebe9a1daf1a5658ee580b4f6330d60
ppc64le	npm-10.8.2-1.20.20.2.1.module_el8.10.0+4165+3f200bda.ppc64le.rpm	5ddc986a2754e388733cc5bda1ba204bcd4a64d65f12b988be662b7e6d6b6a85
ppc64le	nodejs-20.20.2-1.module_el8.10.0+4165+3f200bda.ppc64le.rpm	6c8b42a82caa4bb1551751090f389d335a0a32711ec7dbac8f60d1b329343aaa
ppc64le	nodejs-devel-20.20.2-1.module_el8.10.0+4165+3f200bda.ppc64le.rpm	7dc2bb23802d7745e33db2f40c0b94f7f40cba4e5cdcdc22a42e5cd6c53b8642
ppc64le	nodejs-full-i18n-20.20.2-1.module_el8.10.0+4165+3f200bda.ppc64le.rpm	c265351772ff1fbd0fe04bd9e50d89a2cc9f6dd2a9f054583b23a81404317b11
s390x	nodejs-20.20.2-1.module_el8.10.0+4165+3f200bda.s390x.rpm	23969c081786c2b87f421f198c7fba40882942d91afc45c4c2ff039f1283e84e
s390x	npm-10.8.2-1.20.20.2.1.module_el8.10.0+4165+3f200bda.s390x.rpm	5812a65dc645d2018b77a2dd735c9c9d061dfbd31e7df2b68fad6fc67026cd67
s390x	nodejs-devel-20.20.2-1.module_el8.10.0+4165+3f200bda.s390x.rpm	a0942a2804cb13a8cf2cd4d6e203ee0f6c449d61863e7aad665eadb7e8f38364
s390x	nodejs-full-i18n-20.20.2-1.module_el8.10.0+4165+3f200bda.s390x.rpm	b8505eed162033a762fb586869e9e638772edf86eb117db4d7a455c74168f971
x86_64	npm-10.8.2-1.20.20.2.1.module_el8.10.0+4165+3f200bda.x86_64.rpm	57d393d5ed45c14901fa7aee97eb0d90f716b525054c59197d5ec8c410040aed
x86_64	nodejs-devel-20.20.2-1.module_el8.10.0+4165+3f200bda.x86_64.rpm	74a57e7b60da156cf2b7ddf377fef466751fdde961489c5d64a702b719de64a6
x86_64	nodejs-20.20.2-1.module_el8.10.0+4165+3f200bda.x86_64.rpm	b6696a3e9d1961cb9d7e1c3db46d2dbbbaf7d95988912b85f8c81d79a84c8458
x86_64	nodejs-full-i18n-20.20.2-1.module_el8.10.0+4165+3f200bda.x86_64.rpm	f863f54c3adedcd24156cd2994663d5570c3e83d18bdb8f8496a41d5f49d0e83

Notes:

This page is generated automatically from Red Hat security data and has not been checked for errors. For clarification or corrections please contact the AlmaLinux Packaging Team.