Red Hat Product Errata RHSA-2026:7675 - Security Advisory
Issued: 2026-04-13
Updated: 2026-04-13

Synopsis

Important: nodejs24 security update

Type/Severity

Security Advisory: Important

Topic

An update for nodejs24 is now available for Red Hat Enterprise Linux 10.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices.

Security Fix(es):

  • nodejs: Nodejs denial of service (CVE-2026-21637)
  • brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion (CVE-2026-25547)
  • minimatch: minimatch: Denial of Service via specially crafted glob patterns (CVE-2026-26996)
  • undici: Undici: Denial of Service due to uncontrolled resource consumption (CVE-2026-2581)
  • undici: Undici: HTTP header injection and request smuggling vulnerability (CVE-2026-1527)
  • undici: undici: Denial of Service via unbounded memory consumption during WebSocket permessage-deflate decompression (CVE-2026-1526)
  • undici: Undici: Denial of Service via invalid WebSocket permessage-deflate extension parameter (CVE-2026-2229)
  • undici: Undici: HTTP Request Smuggling and Denial of Service due to duplicate Content-Length headers (CVE-2026-1525)
  • undici: undici: Denial of Service via crafted WebSocket frame with large length (CVE-2026-1528)
  • nghttp2: nghttp2: Denial of Service via malformed HTTP/2 frames after session termination (CVE-2026-27135)
  • Node.js: Node.js: Denial of Service via malformed Internationalized Domain Name processing (CVE-2026-21712)
  • Node.js: Node.js: Denial of Service due to crafted HTTP `__proto__` header (CVE-2026-21710)
  • Node.js: Node.js: Information disclosure due to `fs.realpathSync.native()` bypassing filesystem read restrictions (CVE-2026-21715)
  • nodejs: Node.js: Permission bypass allows unauthorized modification of file permissions and ownership via incomplete security fix. (CVE-2026-21716)
  • Node.js: Node.js: Unauthorized inter-process communication due to missing Unix Domain Socket permission checks (CVE-2026-21711)
  • Node.js: Node.js: Information disclosure via timing oracle in HMAC verification (CVE-2026-21713)
  • Node.js: Node.js: Memory leak and Denial of Service via crafted HTTP/2 WINDOW_UPDATE frames (CVE-2026-21714)
  • nodejs: v8: Node.js: Denial of Service via V8 string hashing mechanism due to predictable hash collisions (CVE-2026-21717)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Enterprise Linux for x86_64 10 x86_64
  • Red Hat Enterprise Linux for IBM z Systems 10 s390x
  • Red Hat Enterprise Linux for Power, little endian 10 ppc64le
  • Red Hat Enterprise Linux for ARM 64 10 aarch64

Fixes

  • BZ - 2431340 - CVE-2026-21637 nodejs: Nodejs denial of service
  • BZ - 2436942 - CVE-2026-25547 brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion
  • BZ - 2441268 - CVE-2026-26996 minimatch: minimatch: Denial of Service via specially crafted glob patterns
  • BZ - 2447140 - CVE-2026-2581 undici: Undici: Denial of Service due to uncontrolled resource consumption
  • BZ - 2447141 - CVE-2026-1527 undici: Undici: HTTP header injection and request smuggling vulnerability
  • BZ - 2447142 - CVE-2026-1526 undici: undici: Denial of Service via unbounded memory consumption during WebSocket permessage-deflate decompression
  • BZ - 2447143 - CVE-2026-2229 undici: Undici: Denial of Service via invalid WebSocket permessage-deflate extension parameter
  • BZ - 2447144 - CVE-2026-1525 undici: Undici: HTTP Request Smuggling and Denial of Service due to duplicate Content-Length headers
  • BZ - 2447145 - CVE-2026-1528 undici: undici: Denial of Service via crafted WebSocket frame with large length
  • BZ - 2448754 - CVE-2026-27135 nghttp2: nghttp2: Denial of Service via malformed HTTP/2 frames after session termination
  • BZ - 2453037 - CVE-2026-21712 Node.js: Node.js: Denial of Service via malformed Internationalized Domain Name processing
  • BZ - 2453151 - CVE-2026-21710 Node.js: Node.js: Denial of Service due to crafted HTTP `__proto__` header
  • BZ - 2453152 - CVE-2026-21715 Node.js: Node.js: Information disclosure due to `fs.realpathSync.native()` bypassing filesystem read restrictions
  • BZ - 2453157 - CVE-2026-21716 nodejs: Node.js: Permission bypass allows unauthorized modification of file permissions and ownership via incomplete security fix.
  • BZ - 2453158 - CVE-2026-21711 Node.js: Node.js: Unauthorized inter-process communication due to missing Unix Domain Socket permission checks
  • BZ - 2453160 - CVE-2026-21713 Node.js: Node.js: Information disclosure via timing oracle in HMAC verification
  • BZ - 2453161 - CVE-2026-21714 Node.js: Node.js: Memory leak and Denial of Service via crafted HTTP/2 WINDOW_UPDATE frames
  • BZ - 2453162 - CVE-2026-21717 nodejs: v8: Node.js: Denial of Service via V8 string hashing mechanism due to predictable hash collisions

CVE

  • CVE-2026-1525
  • CVE-2026-1526
  • CVE-2026-1527
  • CVE-2026-1528
  • CVE-2026-2229
  • CVE-2026-2581
  • CVE-2026-21637
  • CVE-2026-21710
  • CVE-2026-21711
  • CVE-2026-21712
  • CVE-2026-21713
  • CVE-2026-21714
  • CVE-2026-21715
  • CVE-2026-21716
  • CVE-2026-21717
  • CVE-2026-25547
  • CVE-2026-26996
  • CVE-2026-27135

References

  • https://access.redhat.com/security/updates/classification/#important
Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Enterprise Linux for x86_64 10

SRPM
nodejs24-24.14.1-2.el10_1.src.rpm SHA-256: 32645d87b91033d91bc58398eb1ef8ab9e54874da6f758a9a94055742f0ed9a8
x86_64
nodejs24-24.14.1-2.el10_1.x86_64.rpm SHA-256: c76a49414a799fde96d465d98389403b5a9459dc9e7ee662984ad60ad9f87913
nodejs24-debuginfo-24.14.1-2.el10_1.x86_64.rpm SHA-256: 52332ce9421c4f4613ba2f25bb55d5302d9e3a7c5e91026a31f3aaa6d5429671
nodejs24-debugsource-24.14.1-2.el10_1.x86_64.rpm SHA-256: 8dc7f4b66cef73cdcb590380fcb519374c3e388906ddd542cb66d2a78a54afdb
nodejs24-devel-24.14.1-2.el10_1.x86_64.rpm SHA-256: 62dd6c904bad21cd7096de7120a6d61503c99e18f60de287329a2203bbc215ce
nodejs24-docs-24.14.1-2.el10_1.noarch.rpm SHA-256: aac435c47f83f4964e8d57ee8d0917c7ab6afcab2feb3a5e0ee0ec0d57e48649
nodejs24-full-i18n-24.14.1-2.el10_1.x86_64.rpm SHA-256: 7af6fdbc90f6f6b0290214a5959c0702bd6190274a66257d235fc92d78c9e3c4
nodejs24-libs-24.14.1-2.el10_1.x86_64.rpm SHA-256: 59d1ebaca3094843eee7d1e961d3a169f7df8e89df3753e82f7ac86d5f010c87
nodejs24-libs-debuginfo-24.14.1-2.el10_1.x86_64.rpm SHA-256: eeaf823a34ce14cea37be1a28ddd88d354f14515451ee4f560484b93ce30a19b
nodejs24-npm-11.11.0-1.24.14.1.2.el10_1.noarch.rpm SHA-256: eb951d332944365b19c038743082cfbc592702cf412d0a9cecd4f55f4ed888de

Red Hat Enterprise Linux for IBM z Systems 10

SRPM
nodejs24-24.14.1-2.el10_1.src.rpm SHA-256: 32645d87b91033d91bc58398eb1ef8ab9e54874da6f758a9a94055742f0ed9a8
s390x
nodejs24-24.14.1-2.el10_1.s390x.rpm SHA-256: e8e1d5e8f925bcb4a849401f13239ecbfb3c729c72452595ad199863437a1f48
nodejs24-debuginfo-24.14.1-2.el10_1.s390x.rpm SHA-256: 08e671de32d5f72fa0f95e02a80d847c8beabd507ba11d3bf42d05cda2b80d98
nodejs24-debugsource-24.14.1-2.el10_1.s390x.rpm SHA-256: 2008ce8dea9a4ed41d7265a320c8dea702ae9f44c563f6d361d9f72622951b33
nodejs24-devel-24.14.1-2.el10_1.s390x.rpm SHA-256: 09955f3136c40609f42192fc9074975e063c861f9fbeaf71fdffbcedd81949a4
nodejs24-docs-24.14.1-2.el10_1.noarch.rpm SHA-256: aac435c47f83f4964e8d57ee8d0917c7ab6afcab2feb3a5e0ee0ec0d57e48649
nodejs24-full-i18n-24.14.1-2.el10_1.s390x.rpm SHA-256: 03f737d9f8ef3d1d0706a360eea75c69429a4cf529bdbdd634cbec18ad1256c5
nodejs24-libs-24.14.1-2.el10_1.s390x.rpm SHA-256: 50d3bea08143e923ddd0cb19c0c4efc39861ce23891badc87243ab2c71703f68
nodejs24-libs-debuginfo-24.14.1-2.el10_1.s390x.rpm SHA-256: 2ca3acdea680eed04b6e838a2e8e973c61a51d6f2cfffe2bfa9806871b98880a
nodejs24-npm-11.11.0-1.24.14.1.2.el10_1.noarch.rpm SHA-256: eb951d332944365b19c038743082cfbc592702cf412d0a9cecd4f55f4ed888de

Red Hat Enterprise Linux for Power, little endian 10

SRPM
nodejs24-24.14.1-2.el10_1.src.rpm SHA-256: 32645d87b91033d91bc58398eb1ef8ab9e54874da6f758a9a94055742f0ed9a8
ppc64le
nodejs24-24.14.1-2.el10_1.ppc64le.rpm SHA-256: 2a835483d1a0fc4b6a48cc10997e48cc454ae0bf6f2031af50fb89f9670ababa
nodejs24-debuginfo-24.14.1-2.el10_1.ppc64le.rpm SHA-256: d3a2cbf7623c2a8375c348777f6df721bce5973beb6c2106e6a9c5bb67d49943
nodejs24-debugsource-24.14.1-2.el10_1.ppc64le.rpm SHA-256: 2d7392a33356ec587f4b6040f5a8424125cdc4e4dae5fc6c8201ae4e3f522e0b
nodejs24-devel-24.14.1-2.el10_1.ppc64le.rpm SHA-256: cf448e5cf6caf24206dbd10fe0bafbd907f91f1b7d66c814d3c6deb2757467cb
nodejs24-docs-24.14.1-2.el10_1.noarch.rpm SHA-256: aac435c47f83f4964e8d57ee8d0917c7ab6afcab2feb3a5e0ee0ec0d57e48649
nodejs24-full-i18n-24.14.1-2.el10_1.ppc64le.rpm SHA-256: 039ba6bb8f66d45c1391ba5f674f97bd3798a683f6349b2e6367cab99681c6fb
nodejs24-libs-24.14.1-2.el10_1.ppc64le.rpm SHA-256: d993cf7387a287d633efe201895a96d81faba1d1b19086baa1e49d2a87a3cd28
nodejs24-libs-debuginfo-24.14.1-2.el10_1.ppc64le.rpm SHA-256: 0ff995b445f73d09db1ebf81aabe742f9ae080a2f587fd0e4b47a0135b6c2e77
nodejs24-npm-11.11.0-1.24.14.1.2.el10_1.noarch.rpm SHA-256: eb951d332944365b19c038743082cfbc592702cf412d0a9cecd4f55f4ed888de

Red Hat Enterprise Linux for ARM 64 10

SRPM
nodejs24-24.14.1-2.el10_1.src.rpm SHA-256: 32645d87b91033d91bc58398eb1ef8ab9e54874da6f758a9a94055742f0ed9a8
aarch64
nodejs24-24.14.1-2.el10_1.aarch64.rpm SHA-256: 579c1c5a4f86078f650752d8c74282df799fecf0668a3b2e475d737498a3a4e8
nodejs24-debuginfo-24.14.1-2.el10_1.aarch64.rpm SHA-256: 3e33c82fce0ebfc8c50314a0a7e45bfab1830669b8e51d5f10c438f73dd42c74
nodejs24-debugsource-24.14.1-2.el10_1.aarch64.rpm SHA-256: 938cabfcb0d6b4eebf6cf1ff885a871033e917bf83fce0e31ca87811469498e4
nodejs24-devel-24.14.1-2.el10_1.aarch64.rpm SHA-256: 445f61f21a2ee1474b1fa6d338328ec7a63f5a5f141180610830a3ed776164c5
nodejs24-docs-24.14.1-2.el10_1.noarch.rpm SHA-256: aac435c47f83f4964e8d57ee8d0917c7ab6afcab2feb3a5e0ee0ec0d57e48649
nodejs24-full-i18n-24.14.1-2.el10_1.aarch64.rpm SHA-256: a5a992a3941a0ec782ad7b78e0801f74eae4640b147acb83f65e9886a958a714
nodejs24-libs-24.14.1-2.el10_1.aarch64.rpm SHA-256: 8706dc508e6d782cdf6f74fa8edd0da9a85f030404e649d0a427ada4e643b02b
nodejs24-libs-debuginfo-24.14.1-2.el10_1.aarch64.rpm SHA-256: 671098a84e223eca9ed4e8e9ccfaa28edc054c4b89a68b143f2c360f0178fa79
nodejs24-npm-11.11.0-1.24.14.1.2.el10_1.noarch.rpm SHA-256: eb951d332944365b19c038743082cfbc592702cf412d0a9cecd4f55f4ed888de

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
