Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
7.5
Important: nodejs:24 security update
RLSA-2026:7350
Summary
Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.
Security Fix(es):
* nodejs: Nodejs denial of service (CVE-2026-21637)
* brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion (...
What to do
- Update nodejs-nodemon to version 0:3.0.3-3.module+el9.7.0+40025+0e0cf6b2.
- Update nodejs-packaging to version 0:2021.06-6.module+el9.7.0+40052+e32ea525.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | nodejs-nodemon | <= 0:3.0.3-3.module+el9.7.0+40025+0e0cf6b2 | 0:3.0.3-3.module+el9.7.0+40025+0e0cf6b2 |
| – | nodejs-packaging | <= 0:2021.06-6.module+el9.7.0+40052+e32ea525 | 0:2021.06-6.module+el9.7.0+40052+e32ea525 |
Original title
Important: nodejs:24 security update
Original description
Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.
Security Fix(es):
* nodejs: Nodejs denial of service (CVE-2026-21637)
* brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion (CVE-2026-25547)
* minimatch: minimatch: Denial of Service via specially crafted glob patterns (CVE-2026-26996)
* undici: Undici: Denial of Service due to uncontrolled resource consumption (CVE-2026-2581)
* undici: Undici: HTTP header injection and request smuggling vulnerability (CVE-2026-1527)
* undici: undici: Denial of Service via unbounded memory consumption during WebSocket permessage-deflate decompression (CVE-2026-1526)
* undici: Undici: Denial of Service via invalid WebSocket permessage-deflate extension parameter (CVE-2026-2229)
* undici: Undici: HTTP Request Smuggling and Denial of Service due to duplicate Content-Length headers (CVE-2026-1525)
* undici: undici: Denial of Service via crafted WebSocket frame with large length (CVE-2026-1528)
* nghttp2: nghttp2: Denial of Service via malformed HTTP/2 frames after session termination (CVE-2026-27135)
* Node.js: Node.js: Denial of Service via malformed Internationalized Domain Name processing (CVE-2026-21712)
* Node.js: Node.js: Denial of Service due to crafted HTTP `__proto__` header (CVE-2026-21710)
* Node.js: Node.js: Information disclosure due to `fs.realpathSync.native()` bypassing filesystem read restrictions (CVE-2026-21715)
* nodejs: Node.js: Permission bypass allows unauthorized modification of file permissions and ownership via incomplete security fix. (CVE-2026-21716)
* Node.js: Node.js: Unauthorized inter-process communication due to missing Unix Domain Socket permission checks (CVE-2026-21711)
* Node.js: Node.js: Information disclosure via timing oracle in HMAC verification (CVE-2026-21713)
* Node.js: Node.js: Memory leak and Denial of Service via crafted HTTP/2 WINDOW_UPDATE frames (CVE-2026-21714)
* nodejs: v8: Node.js: Denial of Service via V8 string hashing mechanism due to predictable hash collisions (CVE-2026-21717)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Security Fix(es):
* nodejs: Nodejs denial of service (CVE-2026-21637)
* brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion (CVE-2026-25547)
* minimatch: minimatch: Denial of Service via specially crafted glob patterns (CVE-2026-26996)
* undici: Undici: Denial of Service due to uncontrolled resource consumption (CVE-2026-2581)
* undici: Undici: HTTP header injection and request smuggling vulnerability (CVE-2026-1527)
* undici: undici: Denial of Service via unbounded memory consumption during WebSocket permessage-deflate decompression (CVE-2026-1526)
* undici: Undici: Denial of Service via invalid WebSocket permessage-deflate extension parameter (CVE-2026-2229)
* undici: Undici: HTTP Request Smuggling and Denial of Service due to duplicate Content-Length headers (CVE-2026-1525)
* undici: undici: Denial of Service via crafted WebSocket frame with large length (CVE-2026-1528)
* nghttp2: nghttp2: Denial of Service via malformed HTTP/2 frames after session termination (CVE-2026-27135)
* Node.js: Node.js: Denial of Service via malformed Internationalized Domain Name processing (CVE-2026-21712)
* Node.js: Node.js: Denial of Service due to crafted HTTP `__proto__` header (CVE-2026-21710)
* Node.js: Node.js: Information disclosure due to `fs.realpathSync.native()` bypassing filesystem read restrictions (CVE-2026-21715)
* nodejs: Node.js: Permission bypass allows unauthorized modification of file permissions and ownership via incomplete security fix. (CVE-2026-21716)
* Node.js: Node.js: Unauthorized inter-process communication due to missing Unix Domain Socket permission checks (CVE-2026-21711)
* Node.js: Node.js: Information disclosure via timing oracle in HMAC verification (CVE-2026-21713)
* Node.js: Node.js: Memory leak and Denial of Service via crafted HTTP/2 WINDOW_UPDATE frames (CVE-2026-21714)
* nodejs: v8: Node.js: Denial of Service via V8 string hashing mechanism due to predictable hash collisions (CVE-2026-21717)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
osv CVSS3.1
7.5
- https://errata.rockylinux.org/RLSA-2026:7350 Vendor Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2431340 Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2436942 Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2441268 Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2447140 Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2447141 Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2447142 Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2447143 Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2447144 Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2447145 Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2448754 Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2453037 Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2453151 Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2453152 Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2453157 Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2453158 Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2453160 Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2453161 Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2453162 Third Party Advisory
Published: 10 Apr 2026 · Updated: 10 Apr 2026 · First seen: 10 Apr 2026