VYPR

rpm package

almalinux/v8-12.4-devel

pkg:rpm/almalinux/v8-12.4-devel

Vulnerabilities (22)

  • CVE-2026-21710HigMar 30, 2026
    affected < 3:12.4.254.21-1.22.22.2.1.module_el8.10.0+4158+e796f37ffixed 3:12.4.254.21-1.22.22.2.1.module_el8.10.0+4158+e796f37f

    A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`. When this occurs, `dest["__proto__"]` resolves to `Object.prototype` rather than `undefined`, c

  • CVE-2026-27135HigMar 18, 2026
    affected < 3:12.4.254.21-1.22.22.2.1.module_el8.10.0+4158+e796f37ffixed 3:12.4.254.21-1.22.22.2.1.module_el8.10.0+4158+e796f37f

    nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the incoming data when user facing public API `nghttp2_session_terminate_session` or `nghttp2_session_terminate_session2` is called by the ap

  • CVE-2026-2229Mar 12, 2026
    affected < 3:12.4.254.21-1.22.22.2.1.module_el8.10.0+4158+e796f37ffixed 3:12.4.254.21-1.22.22.2.1.module_el8.10.0+4158+e796f37f

    ImpactThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-d

  • CVE-2026-1528Mar 12, 2026
    affected < 3:12.4.254.21-1.22.22.2.1.module_el8.10.0+4158+e796f37ffixed 3:12.4.254.21-1.22.22.2.1.module_el8.10.0+4158+e796f37f

    ImpactA server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process. Patches Patched in the undici version

  • CVE-2026-1526Mar 12, 2026
    affected < 3:12.4.254.21-1.22.22.2.1.module_el8.10.0+4158+e796f37ffixed 3:12.4.254.21-1.22.22.2.1.module_el8.10.0+4158+e796f37f

    The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without en

  • CVE-2026-1525Mar 12, 2026
    affected < 3:12.4.254.21-1.22.22.2.1.module_el8.10.0+4158+e796f37ffixed 3:12.4.254.21-1.22.22.2.1.module_el8.10.0+4158+e796f37f

    Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire. Who is impacted: *

  • CVE-2026-27904Feb 26, 2026
    affected < 3:12.4.254.21-1.22.22.2.1.module_el8.10.0+4158+e796f37ffixed 3:12.4.254.21-1.22.22.2.1.module_el8.10.0+4158+e796f37f

    minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested `*()` extglobs produce regexps with nested unbounded quantifiers (e.g. `(?:(?:a|b)*)*`), wh

  • CVE-2026-26996Feb 20, 2026
    affected < 3:12.4.254.21-1.22.22.2.1.module_el8.10.0+4158+e796f37ffixed 3:12.4.254.21-1.22.22.2.1.module_el8.10.0+4158+e796f37f

    minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal charact

  • CVE-2026-25547CriFeb 4, 2026
    affected < 3:12.4.254.21-1.22.22.2.1.module_el8.10.0+4158+e796f37ffixed 3:12.4.254.21-1.22.22.2.1.module_el8.10.0+4158+e796f37f

    @isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated nume

  • CVE-2025-55131HigJan 20, 2026
    affected < 3:12.4.254.21-1.22.22.0.1.module_el8.10.0+4112+db1af44bfixed 3:12.4.254.21-1.22.22.0.1.module_el8.10.0+4112+db1af44b

    A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Ar

  • CVE-2025-59466Jan 20, 2026
    affected < 3:12.4.254.21-1.22.22.0.1.module_el8.10.0+4112+db1af44bfixed 3:12.4.254.21-1.22.22.0.1.module_el8.10.0+4112+db1af44b

    We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on('uncaughtException')`, the process terminates, making the crash unrecoverable. Applica

  • CVE-2025-55132Jan 20, 2026
    affected < 3:12.4.254.21-1.22.22.0.1.module_el8.10.0+4112+db1af44bfixed 3:12.4.254.21-1.22.22.0.1.module_el8.10.0+4112+db1af44b

    A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can

  • CVE-2025-55130Jan 20, 2026
    affected < 3:12.4.254.21-1.22.22.0.1.module_el8.10.0+4112+db1af44bfixed 3:12.4.254.21-1.22.22.0.1.module_el8.10.0+4112+db1af44b

    A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and

  • CVE-2026-21637Jan 20, 2026
    affected < 3:12.4.254.21-1.22.22.0.1.module_el8.10.0+4112+db1af44bfixed 3:12.4.254.21-1.22.22.0.1.module_el8.10.0+4112+db1af44b

    A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), ca

  • CVE-2025-59465Jan 20, 2026
    affected < 3:12.4.254.21-1.22.22.0.1.module_el8.10.0+4112+db1af44bfixed 3:12.4.254.21-1.22.22.0.1.module_el8.10.0+4112+db1af44b

    A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects

  • CVE-2025-6965CriJul 15, 2025
    affected < 3:12.4.254.21-1.22.16.0.2.module_el8.10.0+4028+97ddca84fixed 3:12.4.254.21-1.22.16.0.2.module_el8.10.0+4028+97ddca84

    There exists a vulnerability in SQLite versions before 3.50.2 where the number of aggregate terms could exceed the number of columns available. This could lead to a memory corruption issue. We recommend upgrading to version 3.50.2 or above.

  • CVE-2025-23166HigMay 19, 2025
    affected < 3:12.4.254.21-1.22.16.0.1.module_el9.6.0+170+f035de78fixed 3:12.4.254.21-1.22.16.0.1.module_el9.6.0+170+f035de78

    The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentiall

  • CVE-2025-3277Apr 14, 2025
    affected < 3:12.4.254.21-1.22.15.0.1.module_el8.10.0+3986+a908e756fixed 3:12.4.254.21-1.22.15.0.1.module_el8.10.0+3986+a908e756

    An integer overflow can be triggered in SQLite’s `concat_ws()` function. The resulting, truncated integer is then used to allocate a buffer. When SQLite then writes the resulting string to the buffer, it uses the original, untruncated size and thus a wild Heap Buffer overflow of

  • CVE-2025-31498HigApr 8, 2025
    affected < 3:12.4.254.21-1.22.15.0.1.module_el8.10.0+3986+a908e756fixed 3:12.4.254.21-1.22.15.0.1.module_el8.10.0+3986+a908e756

    c-ares is an asynchronous resolver library. From 1.32.3 through 1.34.4, there is a use-after-free in read_answers() when process_answer() may re-enqueue a query either due to a DNS Cookie Failure or when the upstream server does not properly support EDNS, or possibly on TCP queri

  • CVE-2025-23085MedFeb 7, 2025
    affected < 3:12.4.254.21-1.22.13.1.1.module_el8.10.0+3961+6a788e57fixed 3:12.4.254.21-1.22.13.1.1.module_el8.10.0+3961+6a788e57

    A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could lead to inc

Page 1 of 2