[ALSA-2026:35892] Important: nodejs:22 security, bug fix, and enhancement update
Type:
security
Severity:
important
Release date:
2026-07-07
Description:
Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fix(es): * ip-address: ip-address: Cross-site scripting via improper HTML escaping of untrusted input (CVE-2026-42338) * undici: undici: Denial of Service due to unbounded memory growth via WebSocket frames (CVE-2026-12151) * undici: Undici: Information disclosure due to improper cache-control header parsing (CVE-2026-9678) * undici: Undici: Response queue poisoning on reused keep-alive sockets can lead to incorrect response delivery. (CVE-2026-6733) * undici: undici: Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header (CVE-2026-11525) * nodejs: Node.js: Denial of Service via unlimited HTTP/2 ORIGIN frames (CVE-2026-48619) * nodejs: Node.js: Silent authority rebinding due to embedded-nul hostnames in TLS handling (CVE-2026-48930) * nodejs: Node.js: Unauthorized file metadata modification (CVE-2026-48935) * nodejs: Node.js WebCrypto: Denial of Service via large input to subtle.encrypt() (CVE-2026-48933) * nodejs: Node.js: Certification validation bypass in TLS host verification (CVE-2026-48934) * Node.js: Node.js: Trust-policy bypass due to hostname matching inconsistency (CVE-2026-48928) * nodejs: Node.js: Information disclosure of proxy credentials via proxy tunnel error handling (CVE-2026-48615) * nodejs: Node.js: Authentication bypass due to TLS hostname handling and unicode dot separator mismatch (CVE-2026-48618) Bug Fix(es) and Enhancement(s): * nodejs:22/nodejs: Rebase to the latest Node.js 22 release [almalinux-9.8.z] (JIRA:AlmaLinux-186622) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Updated packages listed below:
Architecture Package Checksum
noarch nodejs-packaging-2021.06-6.module_el9.7.0+227+12323393.noarch.rpm 69a2494a423d429b8f38a95646b0b58eac35f29de728da6f9b31d29d0a12c210
noarch nodejs-nodemon-3.0.1-1.module_el9.7.0+208+fb06c0ab.noarch.rpm b32744158c91e29f4466c2e744a254de07ebfd0471383b6a1a5b556d3529fc33
noarch nodejs-docs-22.23.1-1.module_el9.8.0+276+8b329b47.noarch.rpm c6286fb14b457a558bdc65b14bf9f8056ffd2913dcde7a930fd306cf581bdf8a
noarch nodejs-packaging-bundler-2021.06-6.module_el9.7.0+227+12323393.noarch.rpm ff48fa44ce4299dfc604486df6289fe1f7c720e5ffb57aa31f7e35342c057042
ppc64le nodejs-devel-22.23.1-1.module_el9.8.0+276+8b329b47.ppc64le.rpm 345c2d5e263b22d38a968de663ace3a39a99258eedfa7e2358169e3c1060f9d4
ppc64le nodejs-libs-22.23.1-1.module_el9.8.0+276+8b329b47.ppc64le.rpm 6b7c5330dad8284de69e97ca6c0fa1be649ede1382f36d15e07d85e038f3d86e
ppc64le nodejs-full-i18n-22.23.1-1.module_el9.8.0+276+8b329b47.ppc64le.rpm 9c9725a274508778f91641ef28f898d7b31d496cdce0d8be4b084c9aff28d032
ppc64le nodejs-22.23.1-1.module_el9.8.0+276+8b329b47.ppc64le.rpm a8628bb394ba4de96a314559f5c4a057ba55ca9d92d187c3792452a6254ee4a2
s390x nodejs-devel-22.23.1-1.module_el9.8.0+276+8b329b47.s390x.rpm 15935f8899eca97d431cc2f715b9be8b6366cfe3f2a872944c59b3f5773394fa
s390x nodejs-22.23.1-1.module_el9.8.0+276+8b329b47.s390x.rpm 197af16ef8edd7377c4813aeded1f53c8052296333bc33012f7d69677e4ca391
s390x nodejs-full-i18n-22.23.1-1.module_el9.8.0+276+8b329b47.s390x.rpm 41f8e5ac84c9bba6f87886cb66d63e38045e8de6ce645adf43458441996abb0e
s390x v8-12.4-devel-12.4.254.21-1.22.23.1.1.module_el9.8.0+276+8b329b47.s390x.rpm 4a31b3c3df5ef502a9eccb7f4115d82d5526087902444d4ee39b11094a8027aa
s390x nodejs-libs-22.23.1-1.module_el9.8.0+276+8b329b47.s390x.rpm 8ba5fc8cbce2611e04dc48b78da8b31a63596703e7306e89269b37999872564c
s390x npm-10.9.8-1.22.23.1.1.module_el9.8.0+276+8b329b47.s390x.rpm e24e64b00b18e2c81c1535788a760b9ba6275904747d6a532be00f5416c1b4f4
x86_64 nodejs-full-i18n-22.23.1-1.module_el9.8.0+276+8b329b47.x86_64.rpm 0826d4d394471548f6fd50fc5241ee70a23bd870dee7c3289d3988cfc308aa6e
x86_64 nodejs-devel-22.23.1-1.module_el9.8.0+276+8b329b47.x86_64.rpm 651359f67f9b0e2ce1241e82d499ed927e9bd50830f47e820def150336006c57
x86_64 nodejs-libs-22.23.1-1.module_el9.8.0+276+8b329b47.x86_64.rpm 67d283c70851990e09324128deb0c64fea0cdb8bcc1c73fff5eab0f1ced628b9
x86_64 v8-12.4-devel-12.4.254.21-1.22.23.1.1.module_el9.8.0+276+8b329b47.x86_64.rpm 6de0c4b18aa633d4ed734fd0d28e79fee9fb4788910ecfd2728762f3451b64a6
x86_64 nodejs-22.23.1-1.module_el9.8.0+276+8b329b47.x86_64.rpm ad83ddc300ce082fddf6ed99213840c9455f8246449a709392d81b75920e4cdd
x86_64 npm-10.9.8-1.22.23.1.1.module_el9.8.0+276+8b329b47.x86_64.rpm bee0dca4c165ad6b660f128d5c96dc2e7f116f3665f662df4d15c8d2906c57be
Notes:
This page is generated automatically from Red Hat security data and has not been checked for errors. For clarification or corrections please contact the AlmaLinux Packaging Team.