rpm package
almalinux/nodejs-npm
pkg:rpm/almalinux/nodejs-npm
Vulnerabilities (16)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-21710 | High | 7.5 | | < 1:10.9.7-1.22.22.2.1.el10_1 | 1:10.9.7-1.22.22.2.1.el10_1 | Mar 30, 2026 | A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`. When this occurs, `dest["__proto__"]` resolves to `Object.prototype` rather than `undefined`, c |
| CVE-2026-27135 | High | 7.5 | | < 1:10.9.7-1.22.22.2.1.el10_1 | 1:10.9.7-1.22.22.2.1.el10_1 | Mar 18, 2026 | nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the incoming data when user facing public API `nghttp2_session_terminate_session` or `nghttp2_session_terminate_session2` is called by the ap |
| CVE-2026-2229 | — | — | | < 1:10.9.7-1.22.22.2.1.el10_1 | 1:10.9.7-1.22.22.2.1.el10_1 | Mar 12, 2026 | Impact: The undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-d |
| CVE-2026-1528 | — | — | | < 1:10.9.7-1.22.22.2.1.el10_1 | 1:10.9.7-1.22.22.2.1.el10_1 | Mar 12, 2026 | Impact: A server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process. Patches: Patched in the undici version |
| CVE-2026-1526 | — | — | | < 1:10.9.7-1.22.22.2.1.el10_1 | 1:10.9.7-1.22.22.2.1.el10_1 | Mar 12, 2026 | The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without en |
| CVE-2026-1525 | — | — | | < 1:10.9.7-1.22.22.2.1.el10_1 | 1:10.9.7-1.22.22.2.1.el10_1 | Mar 12, 2026 | Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire. Who is impacted: * |
| CVE-2026-27904 | — | — | | < 1:10.9.7-1.22.22.2.1.el10_1 | 1:10.9.7-1.22.22.2.1.el10_1 | Feb 26, 2026 | minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested `*()` extglobs produce regexps with nested unbounded quantifiers (e.g. `(?:(?:a|b)*)*`), wh |
| CVE-2026-26996 | — | — | | < 1:10.9.7-1.22.22.2.1.el10_1 | 1:10.9.7-1.22.22.2.1.el10_1 | Feb 20, 2026 | minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal charact |
| CVE-2026-25547 | Critical | — | | < 1:10.9.7-1.22.22.2.1.el10_1 | 1:10.9.7-1.22.22.2.1.el10_1 | Feb 4, 2026 | @isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated nume |
| CVE-2025-55131 | High | 7.1 | | < 1:10.9.4-1.22.22.0.3.el10_1 | 1:10.9.4-1.22.22.0.3.el10_1 | Jan 20, 2026 | A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Ar |
| CVE-2025-59466 | — | — | | < 1:10.9.4-1.22.22.0.3.el10_1 | 1:10.9.4-1.22.22.0.3.el10_1 | Jan 20, 2026 | We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on('uncaughtException')`, the process terminates, making the crash unrecoverable. Applica |
| CVE-2025-55132 | — | — | | < 1:10.9.4-1.22.22.0.3.el10_1 | 1:10.9.4-1.22.22.0.3.el10_1 | Jan 20, 2026 | A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can |
| CVE-2025-55130 | — | — | | < 1:10.9.4-1.22.22.0.3.el10_1 | 1:10.9.4-1.22.22.0.3.el10_1 | Jan 20, 2026 | A flaw in Node.js's Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and |
| CVE-2026-21637 | — | — | | < 1:10.9.4-1.22.22.0.3.el10_1 | 1:10.9.4-1.22.22.0.3.el10_1 | Jan 20, 2026 | A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), ca |
| CVE-2025-59465 | — | — | | < 1:10.9.4-1.22.22.0.3.el10_1 | 1:10.9.4-1.22.22.0.3.el10_1 | Jan 20, 2026 | A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects |
| CVE-2025-31498 | High | — | | < 1:10.9.2-1.22.15.0.1.el10_0 | 1:10.9.2-1.22.15.0.1.el10_0 | Apr 8, 2025 | c-ares is an asynchronous resolver library. From 1.32.3 through 1.34.4, there is a use-after-free in read_answers() when process_answer() may re-enqueue a query either due to a DNS Cookie Failure or when the upstream server does not properly support EDNS, or possibly on TCP queri |