rpm package
almalinux/v8-12.4-devel
pkg:rpm/almalinux/v8-12.4-devel
Vulnerabilities (22)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-21710 | Hig | 7.5 | < 3:12.4.254.21-1.22.22.2.1.module_el8.10.0+4158+e796f37f | 3:12.4.254.21-1.22.22.2.1.module_el8.10.0+4158+e796f37f | Mar 30, 2026 | A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`. When this occurs, `dest["__proto__"]` resolves to `Object.prototype` rather than `undefined`, c | |
| CVE-2026-27135 | Hig | 7.5 | < 3:12.4.254.21-1.22.22.2.1.module_el8.10.0+4158+e796f37f | 3:12.4.254.21-1.22.22.2.1.module_el8.10.0+4158+e796f37f | Mar 18, 2026 | nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the incoming data when user facing public API `nghttp2_session_terminate_session` or `nghttp2_session_terminate_session2` is called by the ap | |
| CVE-2026-2229 | — | < 3:12.4.254.21-1.22.22.2.1.module_el8.10.0+4158+e796f37f | 3:12.4.254.21-1.22.22.2.1.module_el8.10.0+4158+e796f37f | Mar 12, 2026 | ImpactThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-d | ||
| CVE-2026-1528 | — | < 3:12.4.254.21-1.22.22.2.1.module_el8.10.0+4158+e796f37f | 3:12.4.254.21-1.22.22.2.1.module_el8.10.0+4158+e796f37f | Mar 12, 2026 | ImpactA server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process. Patches Patched in the undici version | ||
| CVE-2026-1526 | — | < 3:12.4.254.21-1.22.22.2.1.module_el8.10.0+4158+e796f37f | 3:12.4.254.21-1.22.22.2.1.module_el8.10.0+4158+e796f37f | Mar 12, 2026 | The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without en | ||
| CVE-2026-1525 | — | < 3:12.4.254.21-1.22.22.2.1.module_el8.10.0+4158+e796f37f | 3:12.4.254.21-1.22.22.2.1.module_el8.10.0+4158+e796f37f | Mar 12, 2026 | Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire. Who is impacted: * | ||
| CVE-2026-27904 | — | < 3:12.4.254.21-1.22.22.2.1.module_el8.10.0+4158+e796f37f | 3:12.4.254.21-1.22.22.2.1.module_el8.10.0+4158+e796f37f | Feb 26, 2026 | minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested `*()` extglobs produce regexps with nested unbounded quantifiers (e.g. `(?:(?:a|b)*)*`), wh | ||
| CVE-2026-26996 | — | < 3:12.4.254.21-1.22.22.2.1.module_el8.10.0+4158+e796f37f | 3:12.4.254.21-1.22.22.2.1.module_el8.10.0+4158+e796f37f | Feb 20, 2026 | minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal charact | ||
| CVE-2026-25547 | Cri | — | < 3:12.4.254.21-1.22.22.2.1.module_el8.10.0+4158+e796f37f | 3:12.4.254.21-1.22.22.2.1.module_el8.10.0+4158+e796f37f | Feb 4, 2026 | @isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated nume | |
| CVE-2025-55131 | Hig | 7.1 | < 3:12.4.254.21-1.22.22.0.1.module_el8.10.0+4112+db1af44b | 3:12.4.254.21-1.22.22.0.1.module_el8.10.0+4112+db1af44b | Jan 20, 2026 | A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Ar | |
| CVE-2025-59466 | — | < 3:12.4.254.21-1.22.22.0.1.module_el8.10.0+4112+db1af44b | 3:12.4.254.21-1.22.22.0.1.module_el8.10.0+4112+db1af44b | Jan 20, 2026 | We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on('uncaughtException')`, the process terminates, making the crash unrecoverable. Applica | ||
| CVE-2025-55132 | — | < 3:12.4.254.21-1.22.22.0.1.module_el8.10.0+4112+db1af44b | 3:12.4.254.21-1.22.22.0.1.module_el8.10.0+4112+db1af44b | Jan 20, 2026 | A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can | ||
| CVE-2025-55130 | — | < 3:12.4.254.21-1.22.22.0.1.module_el8.10.0+4112+db1af44b | 3:12.4.254.21-1.22.22.0.1.module_el8.10.0+4112+db1af44b | Jan 20, 2026 | A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and | ||
| CVE-2026-21637 | — | < 3:12.4.254.21-1.22.22.0.1.module_el8.10.0+4112+db1af44b | 3:12.4.254.21-1.22.22.0.1.module_el8.10.0+4112+db1af44b | Jan 20, 2026 | A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), ca | ||
| CVE-2025-59465 | — | < 3:12.4.254.21-1.22.22.0.1.module_el8.10.0+4112+db1af44b | 3:12.4.254.21-1.22.22.0.1.module_el8.10.0+4112+db1af44b | Jan 20, 2026 | A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects | ||
| CVE-2025-6965 | Cri | 9.8 | < 3:12.4.254.21-1.22.16.0.2.module_el8.10.0+4028+97ddca84 | 3:12.4.254.21-1.22.16.0.2.module_el8.10.0+4028+97ddca84 | Jul 15, 2025 | There exists a vulnerability in SQLite versions before 3.50.2 where the number of aggregate terms could exceed the number of columns available. This could lead to a memory corruption issue. We recommend upgrading to version 3.50.2 or above. | |
| CVE-2025-23166 | Hig | 7.5 | < 3:12.4.254.21-1.22.16.0.1.module_el9.6.0+170+f035de78 | 3:12.4.254.21-1.22.16.0.1.module_el9.6.0+170+f035de78 | May 19, 2025 | The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentiall | |
| CVE-2025-3277 | — | < 3:12.4.254.21-1.22.15.0.1.module_el8.10.0+3986+a908e756 | 3:12.4.254.21-1.22.15.0.1.module_el8.10.0+3986+a908e756 | Apr 14, 2025 | An integer overflow can be triggered in SQLite’s `concat_ws()` function. The resulting, truncated integer is then used to allocate a buffer. When SQLite then writes the resulting string to the buffer, it uses the original, untruncated size and thus a wild Heap Buffer overflow of | ||
| CVE-2025-31498 | Hig | — | < 3:12.4.254.21-1.22.15.0.1.module_el8.10.0+3986+a908e756 | 3:12.4.254.21-1.22.15.0.1.module_el8.10.0+3986+a908e756 | Apr 8, 2025 | c-ares is an asynchronous resolver library. From 1.32.3 through 1.34.4, there is a use-after-free in read_answers() when process_answer() may re-enqueue a query either due to a DNS Cookie Failure or when the upstream server does not properly support EDNS, or possibly on TCP queri | |
| CVE-2025-23085 | Med | 5.3 | < 3:12.4.254.21-1.22.13.1.1.module_el8.10.0+3961+6a788e57 | 3:12.4.254.21-1.22.13.1.1.module_el8.10.0+3961+6a788e57 | Feb 7, 2025 | A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could lead to inc |
- affected < 3:12.4.254.21-1.22.22.2.1.module_el8.10.0+4158+e796f37ffixed 3:12.4.254.21-1.22.22.2.1.module_el8.10.0+4158+e796f37f
A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`. When this occurs, `dest["__proto__"]` resolves to `Object.prototype` rather than `undefined`, c
- affected < 3:12.4.254.21-1.22.22.2.1.module_el8.10.0+4158+e796f37ffixed 3:12.4.254.21-1.22.22.2.1.module_el8.10.0+4158+e796f37f
nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the incoming data when user facing public API `nghttp2_session_terminate_session` or `nghttp2_session_terminate_session2` is called by the ap
- CVE-2026-2229Mar 12, 2026affected < 3:12.4.254.21-1.22.22.2.1.module_el8.10.0+4158+e796f37ffixed 3:12.4.254.21-1.22.22.2.1.module_el8.10.0+4158+e796f37f
ImpactThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-d
- CVE-2026-1528Mar 12, 2026affected < 3:12.4.254.21-1.22.22.2.1.module_el8.10.0+4158+e796f37ffixed 3:12.4.254.21-1.22.22.2.1.module_el8.10.0+4158+e796f37f
ImpactA server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process. Patches Patched in the undici version
- CVE-2026-1526Mar 12, 2026affected < 3:12.4.254.21-1.22.22.2.1.module_el8.10.0+4158+e796f37ffixed 3:12.4.254.21-1.22.22.2.1.module_el8.10.0+4158+e796f37f
The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without en
- CVE-2026-1525Mar 12, 2026affected < 3:12.4.254.21-1.22.22.2.1.module_el8.10.0+4158+e796f37ffixed 3:12.4.254.21-1.22.22.2.1.module_el8.10.0+4158+e796f37f
Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire. Who is impacted: *
- CVE-2026-27904Feb 26, 2026affected < 3:12.4.254.21-1.22.22.2.1.module_el8.10.0+4158+e796f37ffixed 3:12.4.254.21-1.22.22.2.1.module_el8.10.0+4158+e796f37f
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested `*()` extglobs produce regexps with nested unbounded quantifiers (e.g. `(?:(?:a|b)*)*`), wh
- CVE-2026-26996Feb 20, 2026affected < 3:12.4.254.21-1.22.22.2.1.module_el8.10.0+4158+e796f37ffixed 3:12.4.254.21-1.22.22.2.1.module_el8.10.0+4158+e796f37f
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal charact
- affected < 3:12.4.254.21-1.22.22.2.1.module_el8.10.0+4158+e796f37ffixed 3:12.4.254.21-1.22.22.2.1.module_el8.10.0+4158+e796f37f
@isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated nume
- affected < 3:12.4.254.21-1.22.22.0.1.module_el8.10.0+4112+db1af44bfixed 3:12.4.254.21-1.22.22.0.1.module_el8.10.0+4112+db1af44b
A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Ar
- CVE-2025-59466Jan 20, 2026affected < 3:12.4.254.21-1.22.22.0.1.module_el8.10.0+4112+db1af44bfixed 3:12.4.254.21-1.22.22.0.1.module_el8.10.0+4112+db1af44b
We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on('uncaughtException')`, the process terminates, making the crash unrecoverable. Applica
- CVE-2025-55132Jan 20, 2026affected < 3:12.4.254.21-1.22.22.0.1.module_el8.10.0+4112+db1af44bfixed 3:12.4.254.21-1.22.22.0.1.module_el8.10.0+4112+db1af44b
A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can
- CVE-2025-55130Jan 20, 2026affected < 3:12.4.254.21-1.22.22.0.1.module_el8.10.0+4112+db1af44bfixed 3:12.4.254.21-1.22.22.0.1.module_el8.10.0+4112+db1af44b
A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and
- CVE-2026-21637Jan 20, 2026affected < 3:12.4.254.21-1.22.22.0.1.module_el8.10.0+4112+db1af44bfixed 3:12.4.254.21-1.22.22.0.1.module_el8.10.0+4112+db1af44b
A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), ca
- CVE-2025-59465Jan 20, 2026affected < 3:12.4.254.21-1.22.22.0.1.module_el8.10.0+4112+db1af44bfixed 3:12.4.254.21-1.22.22.0.1.module_el8.10.0+4112+db1af44b
A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects
- affected < 3:12.4.254.21-1.22.16.0.2.module_el8.10.0+4028+97ddca84fixed 3:12.4.254.21-1.22.16.0.2.module_el8.10.0+4028+97ddca84
There exists a vulnerability in SQLite versions before 3.50.2 where the number of aggregate terms could exceed the number of columns available. This could lead to a memory corruption issue. We recommend upgrading to version 3.50.2 or above.
- affected < 3:12.4.254.21-1.22.16.0.1.module_el9.6.0+170+f035de78fixed 3:12.4.254.21-1.22.16.0.1.module_el9.6.0+170+f035de78
The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentiall
- CVE-2025-3277Apr 14, 2025affected < 3:12.4.254.21-1.22.15.0.1.module_el8.10.0+3986+a908e756fixed 3:12.4.254.21-1.22.15.0.1.module_el8.10.0+3986+a908e756
An integer overflow can be triggered in SQLite’s `concat_ws()` function. The resulting, truncated integer is then used to allocate a buffer. When SQLite then writes the resulting string to the buffer, it uses the original, untruncated size and thus a wild Heap Buffer overflow of
- affected < 3:12.4.254.21-1.22.15.0.1.module_el8.10.0+3986+a908e756fixed 3:12.4.254.21-1.22.15.0.1.module_el8.10.0+3986+a908e756
c-ares is an asynchronous resolver library. From 1.32.3 through 1.34.4, there is a use-after-free in read_answers() when process_answer() may re-enqueue a query either due to a DNS Cookie Failure or when the upstream server does not properly support EDNS, or possibly on TCP queri
- affected < 3:12.4.254.21-1.22.13.1.1.module_el8.10.0+3961+6a788e57fixed 3:12.4.254.21-1.22.13.1.1.module_el8.10.0+3961+6a788e57
A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could lead to inc
Page 1 of 2