rpm package
almalinux/npm
pkg:rpm/almalinux/npm
Vulnerabilities (111)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-21717 | Med | 5.9 | < 1:11.11.0-1.24.14.1.2.module_el9.7.0+222+ef1c61e1 | 1:11.11.0-1.24.14.1.2.module_el9.7.0+222+ef1c61e1 | Mar 30, 2026 | A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade perfo | |
| CVE-2026-21716 | Low | 3.3 | < 1:11.11.0-1.24.14.1.2.module_el9.7.0+222+ef1c61e1 | 1:11.11.0-1.24.14.1.2.module_el9.7.0+222+ef1c61e1 | Mar 30, 2026 | An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and `FileHandle.chown()` in the promises API without the required permission checks, while their callback-based equivalents (`fs.fchmod()`, `fs.fchown()`) were correctly patched. As a result, code running under ` | |
| CVE-2026-21715 | Low | 3.3 | < 1:11.11.0-1.24.14.1.2.module_el9.7.0+222+ef1c61e1 | 1:11.11.0-1.24.14.1.2.module_el9.7.0+222+ef1c61e1 | Mar 30, 2026 | A flaw in Node.js Permission Model filesystem enforcement leaves `fs.realpathSync.native()` without the required read permission checks, while all comparable filesystem functions correctly enforce them. As a result, code running under `--permission` with restricted `--allow-fs | |
| CVE-2026-21714 | Med | 5.3 | < 1:11.11.0-1.24.14.1.2.module_el9.7.0+222+ef1c61e1 | 1:11.11.0-1.24.14.1.2.module_el9.7.0+222+ef1c61e1 | Mar 30, 2026 | A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2³¹-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned | |
| CVE-2026-21713 | Med | 5.9 | < 1:11.11.0-1.24.14.1.2.module_el9.7.0+222+ef1c61e1 | 1:11.11.0-1.24.14.1.2.module_el9.7.0+222+ef1c61e1 | Mar 30, 2026 | A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possibl | |
| CVE-2026-21711 | Med | 5.3 | < 1:11.11.0-1.24.14.1.2.module_el9.7.0+222+ef1c61e1 | 1:11.11.0-1.24.14.1.2.module_el9.7.0+222+ef1c61e1 | Mar 30, 2026 | A flaw in Node.js Permission Model network enforcement leaves Unix Domain Socket (UDS) server operations without the required permission checks, while all comparable network paths correctly enforce them. As a result, code running under `--permission` without `--allow-net` can | |
| CVE-2026-21710 | Hig | 7.5 | < 1:10.9.7-1.22.22.2.1.module_el8.10.0+4158+e796f37f | 1:10.9.7-1.22.22.2.1.module_el8.10.0+4158+e796f37f | Mar 30, 2026 | A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`. When this occurs, `dest["__proto__"]` resolves to `Object.prototype` rather than `undefined`, c | |
| CVE-2026-21712 | Med | 5.7 | < 1:11.11.0-1.24.14.1.2.module_el9.7.0+222+ef1c61e1 | 1:11.11.0-1.24.14.1.2.module_el9.7.0+222+ef1c61e1 | Mar 30, 2026 | A flaw in Node.js URL processing causes an assertion failure in native code when `url.format()` is called with a malformed internationalized domain name (IDN) containing invalid characters, crashing the Node.js process. | |
| CVE-2026-27135 | Hig | 7.5 | < 1:10.9.7-1.22.22.2.1.module_el8.10.0+4158+e796f37f | 1:10.9.7-1.22.22.2.1.module_el8.10.0+4158+e796f37f | Mar 18, 2026 | nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the incoming data when user facing public API `nghttp2_session_terminate_session` or `nghttp2_session_terminate_session2` is called by the ap | |
| CVE-2026-2229 | — | < 1:10.9.7-1.22.22.2.1.module_el8.10.0+4158+e796f37f | 1:10.9.7-1.22.22.2.1.module_el8.10.0+4158+e796f37f | Mar 12, 2026 | ImpactThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-d | ||
| CVE-2026-1528 | — | < 1:10.9.7-1.22.22.2.1.module_el8.10.0+4158+e796f37f | 1:10.9.7-1.22.22.2.1.module_el8.10.0+4158+e796f37f | Mar 12, 2026 | ImpactA server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process. Patches Patched in the undici version | ||
| CVE-2026-1527 | — | < 1:11.11.0-1.24.14.1.2.module_el9.7.0+222+ef1c61e1 | 1:11.11.0-1.24.14.1.2.module_el9.7.0+222+ef1c61e1 | Mar 12, 2026 | ImpactWhen an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject CRLF sequences (\r\n) to: * Inject arbitrary HTTP headers * Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services (Redis, Mem | ||
| CVE-2026-2581 | — | < 1:11.11.0-1.24.14.1.2.module_el9.7.0+222+ef1c61e1 | 1:11.11.0-1.24.14.1.2.module_el9.7.0+222+ef1c61e1 | Mar 12, 2026 | This is an uncontrolled resource consumption vulnerability (CWE-400) that can lead to Denial of Service (DoS). In vulnerable Undici versions, when interceptors.deduplicate() is enabled, response data for deduplicated requests could be accumulated in memory for downstream handler | ||
| CVE-2026-1526 | — | < 1:10.9.7-1.22.22.2.1.module_el8.10.0+4158+e796f37f | 1:10.9.7-1.22.22.2.1.module_el8.10.0+4158+e796f37f | Mar 12, 2026 | The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without en | ||
| CVE-2026-1525 | — | < 1:10.9.7-1.22.22.2.1.module_el8.10.0+4158+e796f37f | 1:10.9.7-1.22.22.2.1.module_el8.10.0+4158+e796f37f | Mar 12, 2026 | Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire. Who is impacted: * | ||
| CVE-2026-27904 | — | < 1:10.9.7-1.22.22.2.1.module_el8.10.0+4158+e796f37f | 1:10.9.7-1.22.22.2.1.module_el8.10.0+4158+e796f37f | Feb 26, 2026 | minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested `*()` extglobs produce regexps with nested unbounded quantifiers (e.g. `(?:(?:a|b)*)*`), wh | ||
| CVE-2026-26996 | — | < 1:10.9.7-1.22.22.2.1.module_el8.10.0+4158+e796f37f | 1:10.9.7-1.22.22.2.1.module_el8.10.0+4158+e796f37f | Feb 20, 2026 | minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal charact | ||
| CVE-2026-25547 | Cri | — | < 1:10.9.7-1.22.22.2.1.module_el8.10.0+4158+e796f37f | 1:10.9.7-1.22.22.2.1.module_el8.10.0+4158+e796f37f | Feb 4, 2026 | @isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated nume | |
| CVE-2025-55131 | Hig | 7.1 | < 1:11.6.2-1.24.13.0.0.module_el8.10.0+4113+bc863bc2 | 1:11.6.2-1.24.13.0.0.module_el8.10.0+4113+bc863bc2 | Jan 20, 2026 | A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Ar | |
| CVE-2025-59466 | — | < 1:11.6.2-1.24.13.0.0.module_el8.10.0+4113+bc863bc2 | 1:11.6.2-1.24.13.0.0.module_el8.10.0+4113+bc863bc2 | Jan 20, 2026 | We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on('uncaughtException')`, the process terminates, making the crash unrecoverable. Applica |
- affected < 1:11.11.0-1.24.14.1.2.module_el9.7.0+222+ef1c61e1fixed 1:11.11.0-1.24.14.1.2.module_el9.7.0+222+ef1c61e1
A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade perfo
- affected < 1:11.11.0-1.24.14.1.2.module_el9.7.0+222+ef1c61e1fixed 1:11.11.0-1.24.14.1.2.module_el9.7.0+222+ef1c61e1
An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and `FileHandle.chown()` in the promises API without the required permission checks, while their callback-based equivalents (`fs.fchmod()`, `fs.fchown()`) were correctly patched. As a result, code running under `
- affected < 1:11.11.0-1.24.14.1.2.module_el9.7.0+222+ef1c61e1fixed 1:11.11.0-1.24.14.1.2.module_el9.7.0+222+ef1c61e1
A flaw in Node.js Permission Model filesystem enforcement leaves `fs.realpathSync.native()` without the required read permission checks, while all comparable filesystem functions correctly enforce them. As a result, code running under `--permission` with restricted `--allow-fs
- affected < 1:11.11.0-1.24.14.1.2.module_el9.7.0+222+ef1c61e1fixed 1:11.11.0-1.24.14.1.2.module_el9.7.0+222+ef1c61e1
A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2³¹-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned
- affected < 1:11.11.0-1.24.14.1.2.module_el9.7.0+222+ef1c61e1fixed 1:11.11.0-1.24.14.1.2.module_el9.7.0+222+ef1c61e1
A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possibl
- affected < 1:11.11.0-1.24.14.1.2.module_el9.7.0+222+ef1c61e1fixed 1:11.11.0-1.24.14.1.2.module_el9.7.0+222+ef1c61e1
A flaw in Node.js Permission Model network enforcement leaves Unix Domain Socket (UDS) server operations without the required permission checks, while all comparable network paths correctly enforce them. As a result, code running under `--permission` without `--allow-net` can
- affected < 1:10.9.7-1.22.22.2.1.module_el8.10.0+4158+e796f37ffixed 1:10.9.7-1.22.22.2.1.module_el8.10.0+4158+e796f37f
A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`. When this occurs, `dest["__proto__"]` resolves to `Object.prototype` rather than `undefined`, c
- affected < 1:11.11.0-1.24.14.1.2.module_el9.7.0+222+ef1c61e1fixed 1:11.11.0-1.24.14.1.2.module_el9.7.0+222+ef1c61e1
A flaw in Node.js URL processing causes an assertion failure in native code when `url.format()` is called with a malformed internationalized domain name (IDN) containing invalid characters, crashing the Node.js process.
- affected < 1:10.9.7-1.22.22.2.1.module_el8.10.0+4158+e796f37ffixed 1:10.9.7-1.22.22.2.1.module_el8.10.0+4158+e796f37f
nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the incoming data when user facing public API `nghttp2_session_terminate_session` or `nghttp2_session_terminate_session2` is called by the ap
- CVE-2026-2229Mar 12, 2026affected < 1:10.9.7-1.22.22.2.1.module_el8.10.0+4158+e796f37ffixed 1:10.9.7-1.22.22.2.1.module_el8.10.0+4158+e796f37f
ImpactThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-d
- CVE-2026-1528Mar 12, 2026affected < 1:10.9.7-1.22.22.2.1.module_el8.10.0+4158+e796f37ffixed 1:10.9.7-1.22.22.2.1.module_el8.10.0+4158+e796f37f
ImpactA server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process. Patches Patched in the undici version
- CVE-2026-1527Mar 12, 2026affected < 1:11.11.0-1.24.14.1.2.module_el9.7.0+222+ef1c61e1fixed 1:11.11.0-1.24.14.1.2.module_el9.7.0+222+ef1c61e1
ImpactWhen an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject CRLF sequences (\r\n) to: * Inject arbitrary HTTP headers * Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services (Redis, Mem
- CVE-2026-2581Mar 12, 2026affected < 1:11.11.0-1.24.14.1.2.module_el9.7.0+222+ef1c61e1fixed 1:11.11.0-1.24.14.1.2.module_el9.7.0+222+ef1c61e1
This is an uncontrolled resource consumption vulnerability (CWE-400) that can lead to Denial of Service (DoS). In vulnerable Undici versions, when interceptors.deduplicate() is enabled, response data for deduplicated requests could be accumulated in memory for downstream handler
- CVE-2026-1526Mar 12, 2026affected < 1:10.9.7-1.22.22.2.1.module_el8.10.0+4158+e796f37ffixed 1:10.9.7-1.22.22.2.1.module_el8.10.0+4158+e796f37f
The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without en
- CVE-2026-1525Mar 12, 2026affected < 1:10.9.7-1.22.22.2.1.module_el8.10.0+4158+e796f37ffixed 1:10.9.7-1.22.22.2.1.module_el8.10.0+4158+e796f37f
Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire. Who is impacted: *
- CVE-2026-27904Feb 26, 2026affected < 1:10.9.7-1.22.22.2.1.module_el8.10.0+4158+e796f37ffixed 1:10.9.7-1.22.22.2.1.module_el8.10.0+4158+e796f37f
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested `*()` extglobs produce regexps with nested unbounded quantifiers (e.g. `(?:(?:a|b)*)*`), wh
- CVE-2026-26996Feb 20, 2026affected < 1:10.9.7-1.22.22.2.1.module_el8.10.0+4158+e796f37ffixed 1:10.9.7-1.22.22.2.1.module_el8.10.0+4158+e796f37f
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal charact
- affected < 1:10.9.7-1.22.22.2.1.module_el8.10.0+4158+e796f37ffixed 1:10.9.7-1.22.22.2.1.module_el8.10.0+4158+e796f37f
@isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated nume
- affected < 1:11.6.2-1.24.13.0.0.module_el8.10.0+4113+bc863bc2fixed 1:11.6.2-1.24.13.0.0.module_el8.10.0+4113+bc863bc2
A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Ar
- CVE-2025-59466Jan 20, 2026affected < 1:11.6.2-1.24.13.0.0.module_el8.10.0+4113+bc863bc2fixed 1:11.6.2-1.24.13.0.0.module_el8.10.0+4113+bc863bc2
We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on('uncaughtException')`, the process terminates, making the crash unrecoverable. Applica
Page 1 of 6