VYPR

rpm package

almalinux/nodejs-npm

pkg:rpm/almalinux/nodejs-npm

Vulnerabilities (16)

  • CVE-2026-21710 (High, Mar 30, 2026)
    affected: < 1:10.9.7-1.22.22.2.1.el10_1; fixed: 1:10.9.7-1.22.22.2.1.el10_1

    A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`. When this occurs, `dest["__proto__"]` resolves to `Object.prototype` rather than `undefined`, c

  • CVE-2026-27135 (High, Mar 18, 2026)
    affected: < 1:10.9.7-1.22.22.2.1.el10_1; fixed: 1:10.9.7-1.22.22.2.1.el10_1

    nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the incoming data when user facing public API `nghttp2_session_terminate_session` or `nghttp2_session_terminate_session2` is called by the ap

  • CVE-2026-2229 (Mar 12, 2026)
    affected: < 1:10.9.7-1.22.22.2.1.el10_1; fixed: 1:10.9.7-1.22.22.2.1.el10_1

    Impact: The undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-d

  • CVE-2026-1528 (Mar 12, 2026)
    affected: < 1:10.9.7-1.22.22.2.1.el10_1; fixed: 1:10.9.7-1.22.22.2.1.el10_1

    Impact: A server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process. Patches: Patched in the undici version

  • CVE-2026-1526 (Mar 12, 2026)
    affected: < 1:10.9.7-1.22.22.2.1.el10_1; fixed: 1:10.9.7-1.22.22.2.1.el10_1

    The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without en

  • CVE-2026-1525 (Mar 12, 2026)
    affected: < 1:10.9.7-1.22.22.2.1.el10_1; fixed: 1:10.9.7-1.22.22.2.1.el10_1

    Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire. Who is impacted: *

  • CVE-2026-27904 (Feb 26, 2026)
    affected: < 1:10.9.7-1.22.22.2.1.el10_1; fixed: 1:10.9.7-1.22.22.2.1.el10_1

    minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested `*()` extglobs produce regexps with nested unbounded quantifiers (e.g. `(?:(?:a|b)*)*`), wh

  • CVE-2026-26996 (Feb 20, 2026)
    affected: < 1:10.9.7-1.22.22.2.1.el10_1; fixed: 1:10.9.7-1.22.22.2.1.el10_1

    minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal charact

  • CVE-2026-25547 (Critical, Feb 4, 2026)
    affected: < 1:10.9.7-1.22.22.2.1.el10_1; fixed: 1:10.9.7-1.22.22.2.1.el10_1

    @isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated nume

  • CVE-2025-55131 (High, Jan 20, 2026)
    affected: < 1:10.9.4-1.22.22.0.3.el10_1; fixed: 1:10.9.4-1.22.22.0.3.el10_1

    A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Ar

  • CVE-2025-59466 (Jan 20, 2026)
    affected: < 1:10.9.4-1.22.22.0.3.el10_1; fixed: 1:10.9.4-1.22.22.0.3.el10_1

    We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on('uncaughtException')`, the process terminates, making the crash unrecoverable. Applica

  • CVE-2025-55132 (Jan 20, 2026)
    affected: < 1:10.9.4-1.22.22.0.3.el10_1; fixed: 1:10.9.4-1.22.22.0.3.el10_1

    A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can

  • CVE-2025-55130 (Jan 20, 2026)
    affected: < 1:10.9.4-1.22.22.0.3.el10_1; fixed: 1:10.9.4-1.22.22.0.3.el10_1

    A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and

  • CVE-2026-21637 (Jan 20, 2026)
    affected: < 1:10.9.4-1.22.22.0.3.el10_1; fixed: 1:10.9.4-1.22.22.0.3.el10_1

    A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), ca

  • CVE-2025-59465 (Jan 20, 2026)
    affected: < 1:10.9.4-1.22.22.0.3.el10_1; fixed: 1:10.9.4-1.22.22.0.3.el10_1

    A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects

  • CVE-2025-31498 (High, Apr 8, 2025)
    affected: < 1:10.9.2-1.22.15.0.1.el10_0; fixed: 1:10.9.2-1.22.15.0.1.el10_0

    c-ares is an asynchronous resolver library. From 1.32.3 through 1.34.4, there is a use-after-free in read_answers() when process_answer() may re-enqueue a query either due to a DNS Cookie Failure or when the upstream server does not properly support EDNS, or possibly on TCP queri