ALSA-2026:7896

[ALSA-2026:7896] Important: nodejs:20 security update

Type:

security

Severity:

important

Release date:

2026-04-15

Description:

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.   

Security Fix(es):  

  * minimatch: minimatch: Denial of Service via specially crafted glob patterns (CVE-2026-26996)
  * minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions (CVE-2026-27904)
  * nghttp2: nghttp2: Denial of Service via malformed HTTP/2 frames after session termination (CVE-2026-27135)
  * Node.js: Node.js: Denial of Service due to crafted HTTP `__proto__` header (CVE-2026-21710)


For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References:

Updated packages listed below:

Architecture	Package	Checksum
aarch64	nodejs-20.20.2-1.module_el9.7.0+226+88d36870.aarch64.rpm	02725c3d050d1a1dd2e67684933708e59bf96029baa56045e1640aed51e6e079
aarch64	nodejs-devel-20.20.2-1.module_el9.7.0+224+0af7cc6b.aarch64.rpm	64938c99ad0f9cca47ae6b1fafdd2361d52ff3d3b51239a6b7ebb20b72353762
aarch64	nodejs-full-i18n-20.20.2-1.module_el9.7.0+224+0af7cc6b.aarch64.rpm	d685cf022d2a4fded62f97984d6b6c8ad6fc9c55482bf66463d0db97fee21d76
aarch64	npm-10.8.2-1.20.20.2.1.module_el9.7.0+224+0af7cc6b.aarch64.rpm	fd00e07e0d546de78796faf109bb2ddeaf45fb4d1bcd5a7e2d745d459823966c
noarch	nodejs-docs-20.20.2-1.module_el9.7.0+224+0af7cc6b.noarch.rpm	314f155c9da69d62425f24a2d2fac67bcaa649b9c23fc6cb01870e3ba1d9f489
noarch	nodejs-nodemon-3.0.1-1.module_el9.5.0+125+8dc38870.noarch.rpm	572b82ee164b85ffef41f974897332716b428e341e262a4ccdd71a9c87312648
noarch	nodejs-packaging-2021.06-6.module_el9.7.0+226+88d36870.noarch.rpm	9ffbd61248997549fd001f5063043eb12602b6f2d1536abbf1f7e32520b402e7
noarch	nodejs-packaging-bundler-2021.06-6.module_el9.7.0+226+88d36870.noarch.rpm	c18bda74e3d85c8b2f96722b89e8b886d82685c1b71bf3d3c7a308d400dbd165
ppc64le	npm-10.8.2-1.20.20.2.1.module_el9.7.0+224+0af7cc6b.ppc64le.rpm	16de78ebcaacd4aaf5a9196b5c0f481c5aaebeb42178df8582b4441ce23f4560
ppc64le	nodejs-full-i18n-20.20.2-1.module_el9.7.0+224+0af7cc6b.ppc64le.rpm	4b041a8e263c19ff0477abee57f2344942ce39f05a663e4ad6bb31a56ef3c5f6
ppc64le	nodejs-devel-20.20.2-1.module_el9.7.0+226+88d36870.ppc64le.rpm	6b11f557768391f1b6ac3a74e89eb1abdc72c26171fb81a0e95efb419e4ce1fc
ppc64le	nodejs-20.20.2-1.module_el9.7.0+226+88d36870.ppc64le.rpm	c198a5dd7cd395a4fd21ddef5b4a6feafa5931573b97b72191ab658c00bf2e4b
s390x	npm-10.8.2-1.20.20.2.1.module_el9.7.0+226+88d36870.s390x.rpm	668080c617f8a3c1dd46624252e80d01bbca90689d82f0bac0abe8377ed6c366
s390x	nodejs-devel-20.20.2-1.module_el9.7.0+224+0af7cc6b.s390x.rpm	b8fb668f900167be84487f1316848f99bf9d19176a9768e4e32acbcd33e7e1d1
s390x	nodejs-20.20.2-1.module_el9.7.0+226+88d36870.s390x.rpm	e7cc723a8bea7cf5881f03243c396e28d1e2aeb0a51c15682a06949bc959365b
s390x	nodejs-full-i18n-20.20.2-1.module_el9.7.0+224+0af7cc6b.s390x.rpm	ebb0d78fd50cdb77b0416ea36c32931a6b616fc89312417cd2817e231394732c
x86_64	nodejs-20.20.2-1.module_el9.7.0+226+88d36870.x86_64.rpm	7a2981df1ec20b281c2dbfbfe47dc7c5c00413f8c09e3c4ef27eb23c792244a1
x86_64	nodejs-devel-20.20.2-1.module_el9.7.0+224+0af7cc6b.x86_64.rpm	912cff9d77723f2d0bd2b694d23d437aa967b63b00ab153897f226637f2a1683
x86_64	nodejs-full-i18n-20.20.2-1.module_el9.7.0+226+88d36870.x86_64.rpm	d86dea013496928b974f0247602a78bf001f13732f2804f180ec6c602a62bc0a
x86_64	npm-10.8.2-1.20.20.2.1.module_el9.7.0+224+0af7cc6b.x86_64.rpm	e50d810663cff5b3a1d767525214888d1e474eb848c4aee88d2988015d59a2ea

Notes:

This page is generated automatically from Red Hat security data and has not been checked for errors. For clarification or corrections please contact the AlmaLinux Packaging Team.