[ALSA-2026:35891] Important: nodejs:24 security, bug fix, and enhancement update
Type:
security
Severity:
important
Release date:
2026-07-07
Description:
Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fix(es): * ip-address: ip-address: Cross-site scripting via improper HTML escaping of untrusted input (CVE-2026-42338) * undici: undici: Denial of Service due to unbounded memory growth via WebSocket frames (CVE-2026-12151) * undici: Undici: Information disclosure due to improper cache-control header parsing (CVE-2026-9678) * undici: Undici: Response queue poisoning on reused keep-alive sockets can lead to incorrect response delivery. (CVE-2026-6733) * undici: undici: Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header (CVE-2026-11525) * undici: undici: Man-in-the-Middle attack via ignored TLS options with SOCKS5 proxy (CVE-2026-9697) * undici: undici: Information disclosure and data integrity issues due to incorrect Socks5ProxyAgent connection routing (CVE-2026-6734) * nodejs: Node.js: Denial of Service via unlimited HTTP/2 ORIGIN frames (CVE-2026-48619) * nodejs: Node.js: Silent authority rebinding due to embedded-nul hostnames in TLS handling (CVE-2026-48930) * nodejs: Node.js: Unauthorized file metadata modification (CVE-2026-48935) * nodejs: Node.js WebCrypto: Denial of Service via large input to subtle.encrypt() (CVE-2026-48933) * nodejs: Node.js: Certification validation bypass in TLS host verification (CVE-2026-48934) * Node.js: Node.js: Trust-policy bypass due to hostname matching inconsistency (CVE-2026-48928) * nodejs: Node.js: Information disclosure of proxy credentials via proxy tunnel error handling (CVE-2026-48615) * nodejs: Node.js: Authentication bypass due to TLS hostname handling and unicode dot separator mismatch (CVE-2026-48618) Bug Fix(es) and Enhancement(s): * nodejs:24/nodejs: Rebase to the latest Node.js 24 release [almalinux-9.8.z] (JIRA:AlmaLinux-186580) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Updated packages listed below:
Architecture Package Checksum
aarch64 v8-13.6-devel-13.6.233.17-1.24.18.0.1.module_el9.8.0+277+61fc613e.aarch64.rpm 3037dd82cc6e6af4067cbd077520ca990545179c6ad2508c8be8748ef04dfaec
aarch64 nodejs-libs-24.18.0-1.module_el9.8.0+277+61fc613e.aarch64.rpm 45f0893540f16028cb63459dabbb335e8fcac106cea6b781c66ff6184156539a
aarch64 nodejs-24.18.0-1.module_el9.8.0+277+61fc613e.aarch64.rpm 8942ed1da69aeab742c13cf015c09d13a5d72596eae4dda8e2f222c06f9ea1e1
aarch64 nodejs-full-i18n-24.18.0-1.module_el9.8.0+277+61fc613e.aarch64.rpm ed4bdefa86fe0989ed7abf166b3401ba355246b3f9f59857d459e91b5956908a
aarch64 nodejs-devel-24.18.0-1.module_el9.8.0+277+61fc613e.aarch64.rpm f312e52e5d129e75e373a97f65fc5169a85d83a75f6ef6526db2fbdc8d0d812f
noarch nodejs-nodemon-3.0.3-3.module_el9.7.0+209+ecf6523e.noarch.rpm 6688ca82e36c7f78fe80655131c4a7fad6d4c7b9c851130cb6202a27b946c979
noarch nodejs-packaging-bundler-2021.06-6.module_el9.7.0+209+ecf6523e.noarch.rpm 704a51a642368ad73aefcbfa86b6b81f61c5541bc314bfdc63475e674964be6a
noarch npm-11.16.0-1.24.18.0.1.module_el9.8.0+277+61fc613e.noarch.rpm ace4b9e51c9ab9bcaf5f6ba5ecf44f9f7d86c93508085ffb7326fffc3b897cc1
noarch nodejs-docs-24.18.0-1.module_el9.8.0+277+61fc613e.noarch.rpm c5a5530de75944a2fbe70c1c64475e26c1bbac2be3d1ad947e0dcd8681aa70d5
noarch nodejs-packaging-2021.06-6.module_el9.7.0+209+ecf6523e.noarch.rpm e12d6593295b63bbaffb1d59469018386e8cf5428b60b3671861a3b9e68d1fc4
ppc64le nodejs-libs-24.18.0-1.module_el9.8.0+277+61fc613e.ppc64le.rpm 34e9b979970e35284e546d4520292ecb832ac84185d06ae297a5d25a40c2f227
ppc64le nodejs-24.18.0-1.module_el9.8.0+277+61fc613e.ppc64le.rpm 4dac59ed250b2d41a6351375e4d27d52a3292f569ca42d2fb2774859f1ce811d
ppc64le nodejs-full-i18n-24.18.0-1.module_el9.8.0+277+61fc613e.ppc64le.rpm 691c3c6e2be0a4141788335a9e0dbee151238b9d1adef44f2268e787a7892ec1
ppc64le v8-13.6-devel-13.6.233.17-1.24.18.0.1.module_el9.8.0+277+61fc613e.ppc64le.rpm 89f426983f3f5891e90829c4615f4f107cb6d05403d5d47344f1470b06bf4d89
ppc64le nodejs-devel-24.18.0-1.module_el9.8.0+277+61fc613e.ppc64le.rpm af7dd7d52575cffe4323d4f8ae6ce873b338c7602dbd6d29f47602983227f039
s390x nodejs-24.18.0-1.module_el9.8.0+277+61fc613e.s390x.rpm 294b2a7a0c2a63f2ee824c8889eaa7f1414ec1acb66fdf9352dd79fe9034fb01
s390x nodejs-full-i18n-24.18.0-1.module_el9.8.0+277+61fc613e.s390x.rpm 9b6d5c97ab3c71d3d81b15c030233797d560bb7995028c1779e7eebc62b7e1a9
s390x nodejs-libs-24.18.0-1.module_el9.8.0+277+61fc613e.s390x.rpm b7dbce8d4df2e9cb4971bf66c246dcb0f256679003b415a58d677867e679a20a
s390x nodejs-devel-24.18.0-1.module_el9.8.0+277+61fc613e.s390x.rpm c056ae7c85da0fd5b4af05199a445a8dc092d69c3052a7f1c96287a448ad5cb4
s390x v8-13.6-devel-13.6.233.17-1.24.18.0.1.module_el9.8.0+277+61fc613e.s390x.rpm db904747efaf5050529898818fd404ab7d641fc5c33693895325bcbce7047f64
x86_64 nodejs-devel-24.18.0-1.module_el9.8.0+277+61fc613e.x86_64.rpm 1d19a13bb45469fc60cceee42d3dce8ffe73d7bd7583c68395467a46dfd76a92
x86_64 nodejs-libs-24.18.0-1.module_el9.8.0+277+61fc613e.x86_64.rpm 2203bfbd6b1620b46b138f89a147ba10e559a305467a583fbf39ed533f486dd0
x86_64 nodejs-24.18.0-1.module_el9.8.0+277+61fc613e.x86_64.rpm 382ea6f2540746d1529e70c14d948bfd4d4d11bedbff4c6611a0582f5cb5da86
x86_64 nodejs-full-i18n-24.18.0-1.module_el9.8.0+277+61fc613e.x86_64.rpm ade1f52b937844add774a59a8b0cbb7a8fca4fcc2b43d84ed2abf93a633c1038
x86_64 v8-13.6-devel-13.6.233.17-1.24.18.0.1.module_el9.8.0+277+61fc613e.x86_64.rpm bb817030a485ab91213b39287c2122f672cb361947ed8e5b627d3ebc1c6ca5ff
Notes:
This page is generated automatically from Red Hat security data and has not been checked for errors. For clarification or corrections please contact the AlmaLinux Packaging Team.