7.5
Node.js update fixes four security weaknesses that could crash servers
RLSA-2026:7896
Summary
This update addresses four security issues that could allow attackers to crash a server or make it slow down. This could happen if an attacker sends a specially crafted message to a Node.js application. To protect your system, update your Node.js installation to the latest version as soon as possible.
What to do
- Update nodejs-nodemon to version 0:3.0.1-1.module+el9.7.0+40017+f0db1785.
- Update nodejs-nodemon to version 0:3.0.1-1.module+el9.7.0+40022+9ecc286c.
- Update nodejs-nodemon to version 0:3.0.1-1.module+el9.7.0+40018+a011993d.
- Update nodejs-packaging to version 0:2021.06-6.module+el9.7.0+40052+e32ea525.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | nodejs-nodemon | <= 0:3.0.1-1.module+el9.7.0+40017+f0db1785 | 0:3.0.1-1.module+el9.7.0+40017+f0db1785 |
| – | nodejs-nodemon | <= 0:3.0.1-1.module+el9.7.0+40022+9ecc286c | 0:3.0.1-1.module+el9.7.0+40022+9ecc286c |
| – | nodejs-nodemon | <= 0:3.0.1-1.module+el9.7.0+40018+a011993d | 0:3.0.1-1.module+el9.7.0+40018+a011993d |
| – | nodejs-packaging | <= 0:2021.06-6.module+el9.7.0+40052+e32ea525 | 0:2021.06-6.module+el9.7.0+40052+e32ea525 |
Original title
Important: nodejs:20 security update
Original description
Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.
Security Fix(es):
* minimatch: minimatch: Denial of Service via specially crafted glob patterns (CVE-2026-26996)
* minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions (CVE-2026-27904)
* nghttp2: nghttp2: Denial of Service via malformed HTTP/2 frames after session termination (CVE-2026-27135)
* Node.js: Node.js: Denial of Service due to crafted HTTP `__proto__` header (CVE-2026-21710)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVSS 3.1 (OSV): 7.5
References
- https://errata.rockylinux.org/RLSA-2026:7896 Vendor Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2441268 Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2442922 Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2448754 Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2453151 Third Party Advisory
Published: 14 Apr 2026 · Updated: 14 Apr 2026 · First seen: 14 Apr 2026