[ALSA-2026:7350] Important: nodejs:24 security update
Type:
security
Severity:
important
Release date:
2026-04-15
Description:
Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

Security Fix(es):

* nodejs: Nodejs denial of service (CVE-2026-21637)
* brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion (CVE-2026-25547)
* minimatch: minimatch: Denial of Service via specially crafted glob patterns (CVE-2026-26996)
* undici: Undici: Denial of Service due to uncontrolled resource consumption (CVE-2026-2581)
* undici: Undici: HTTP header injection and request smuggling vulnerability (CVE-2026-1527)
* undici: undici: Denial of Service via unbounded memory consumption during WebSocket permessage-deflate decompression (CVE-2026-1526)
* undici: Undici: Denial of Service via invalid WebSocket permessage-deflate extension parameter (CVE-2026-2229)
* undici: Undici: HTTP Request Smuggling and Denial of Service due to duplicate Content-Length headers (CVE-2026-1525)
* undici: undici: Denial of Service via crafted WebSocket frame with large length (CVE-2026-1528)
* nghttp2: nghttp2: Denial of Service via malformed HTTP/2 frames after session termination (CVE-2026-27135)
* Node.js: Node.js: Denial of Service via malformed Internationalized Domain Name processing (CVE-2026-21712)
* Node.js: Node.js: Denial of Service due to crafted HTTP `__proto__` header (CVE-2026-21710)
* Node.js: Node.js: Information disclosure due to `fs.realpathSync.native()` bypassing filesystem read restrictions (CVE-2026-21715)
* nodejs: Node.js: Permission bypass allows unauthorized modification of file permissions and ownership via incomplete security fix (CVE-2026-21716)
* Node.js: Node.js: Unauthorized inter-process communication due to missing Unix Domain Socket permission checks (CVE-2026-21711)
* Node.js: Node.js: Information disclosure via timing oracle in HMAC verification (CVE-2026-21713)
* Node.js: Node.js: Memory leak and Denial of Service via crafted HTTP/2 WINDOW_UPDATE frames (CVE-2026-21714)
* nodejs: v8: Node.js: Denial of Service via V8 string hashing mechanism due to predictable hash collisions (CVE-2026-21717)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Updated packages listed below:
Architecture Package Checksum
aarch64 nodejs-devel-24.14.1-2.module_el9.7.0+222+ef1c61e1.aarch64.rpm 7d0a963e161a1243979cda4638799b6e734047d7321d9874d055395aa59dc696
aarch64 nodejs-24.14.1-2.module_el9.7.0+222+ef1c61e1.aarch64.rpm 8c4d4af3e8d19afa84a7205a894a361fe63f3bfd1e3c8d19f20f827a9581cdaf
aarch64 nodejs-full-i18n-24.14.1-2.module_el9.7.0+222+ef1c61e1.aarch64.rpm ad630ef67deacfd65bec4046a2a30d50f99ad17c27e0cb37dfff0c73a3d168c2
aarch64 v8-13.6-devel-13.6.233.17-1.24.14.1.2.module_el9.7.0+222+ef1c61e1.aarch64.rpm b08d45d8d6a22d6dcdeba32a1c2e65f5e56b1ab738f1cbc3d78c1b4b7d0b73a8
aarch64 nodejs-libs-24.14.1-2.module_el9.7.0+222+ef1c61e1.aarch64.rpm b1e4bd9e67726178e9b65833c524f26be3ff6f92fa7a0eea4db184e320d403b5
noarch nodejs-docs-24.14.1-2.module_el9.7.0+222+ef1c61e1.noarch.rpm 290f01c220560280e8b6663ba1032bb090c4263df500da7c79062005df793c75
noarch nodejs-nodemon-3.0.3-3.module_el9.7.0+209+ecf6523e.noarch.rpm 6688ca82e36c7f78fe80655131c4a7fad6d4c7b9c851130cb6202a27b946c979
noarch nodejs-packaging-bundler-2021.06-6.module_el9.7.0+198+8bf605ba.noarch.rpm 97b592d61e7cdad2e8509964064ddbff27be4f5aa478b78c4438ac2fd0d42bb1
noarch npm-11.11.0-1.24.14.1.2.module_el9.7.0+222+ef1c61e1.noarch.rpm d17496ca3682a8e6122b905a795b96f1a7ffd63f051fb6b5be46e8191f0e03ae
noarch nodejs-packaging-2021.06-6.module_el9.7.0+209+ecf6523e.noarch.rpm e12d6593295b63bbaffb1d59469018386e8cf5428b60b3671861a3b9e68d1fc4
ppc64le nodejs-24.14.1-2.module_el9.7.0+222+ef1c61e1.ppc64le.rpm 0b4f620963a27485f24d6b90d3be0fab4ef2398ea67bf8e9548a5ca5aa528095
ppc64le v8-13.6-devel-13.6.233.17-1.24.14.1.2.module_el9.7.0+222+ef1c61e1.ppc64le.rpm 55460cf6fdfd4815f8112d3faf23f41b7e8dd9da09c430ec959fe2e03f41f73a
ppc64le nodejs-devel-24.14.1-2.module_el9.7.0+222+ef1c61e1.ppc64le.rpm 760a98544f460fad6e9926d21a7ecc08acd9de6dd039b6a31be336418172e904
ppc64le nodejs-full-i18n-24.14.1-2.module_el9.7.0+222+ef1c61e1.ppc64le.rpm 7eeb47c3effb9f89f3a6accbd82859248d433c8d0153f0805e027a1fa11b4aaa
ppc64le nodejs-libs-24.14.1-2.module_el9.7.0+222+ef1c61e1.ppc64le.rpm eb1ac0dd02324be0629c3b96113f88ce28a17a1f35a2e88c5ba8f6a61b0d58c1
s390x nodejs-devel-24.14.1-2.module_el9.7.0+222+ef1c61e1.s390x.rpm 477fe73250d25cc3dc378dd8482094cf7b38a4bcfd94c5d898dfe3e21c6fc4e6
s390x nodejs-libs-24.14.1-2.module_el9.7.0+222+ef1c61e1.s390x.rpm 4a1e966d058662d150f8962e53f56967f32fe00c118b9bcca9735f12f8a80627
s390x v8-13.6-devel-13.6.233.17-1.24.14.1.2.module_el9.7.0+222+ef1c61e1.s390x.rpm 6145d44aaf4217c78ee5dac342e2666424f116c6cb69701e171c91af1d1b406f
s390x nodejs-full-i18n-24.14.1-2.module_el9.7.0+222+ef1c61e1.s390x.rpm 8f4970a84fd1190abfd95c2faf7c8e61b6ed0e2e159abb9dd847cc48de878c81
s390x nodejs-24.14.1-2.module_el9.7.0+222+ef1c61e1.s390x.rpm a81216ec5d47e8c144765cbc41845ebe93bdfbbb85ee54ca65344e0497403be9
x86_64 nodejs-24.14.1-2.module_el9.7.0+222+ef1c61e1.x86_64.rpm 2e285b6e8ea088af7664c0af1f1a59f28fcc542b91b6772c9d00af6ea545707d
x86_64 nodejs-full-i18n-24.14.1-2.module_el9.7.0+222+ef1c61e1.x86_64.rpm 82386383dff29acaba45adb99b823b8265299ec67b4ed0aff93dd37afcdf1256
x86_64 nodejs-libs-24.14.1-2.module_el9.7.0+222+ef1c61e1.x86_64.rpm ab86e7128049213f7f7670cccb12ade65b05a357d1b2ac1c76c7e65e094bca29
x86_64 nodejs-devel-24.14.1-2.module_el9.7.0+222+ef1c61e1.x86_64.rpm b9801417ac798475ef783d05cc6f974b7e1b0c66dbb715799e9de3d1c5feae3b
x86_64 v8-13.6-devel-13.6.233.17-1.24.14.1.2.module_el9.7.0+222+ef1c61e1.x86_64.rpm ba69d6cb4633e04f73df830273165219dcdf954a4608ae093a0610140a0e293a
Notes:
This page is generated automatically from Red Hat security data and has not been checked for errors. For clarification or corrections please contact the AlmaLinux Packaging Team.