[Apollo] Advisories Statistics light light Login

RLSA-2026:35841

Security Mirrored from RHSA-2026:35841
Issued at: 2026-07-10
Updated at: 2026-07-12

Synopsis

Important: nodejs24 security, bug fix, and enhancement update



Description

Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices.

Security Fix(es):

* ip-address: ip-address: Cross-site scripting via improper HTML escaping of untrusted input (CVE-2026-42338)

* undici: undici: Denial of Service due to unbounded memory growth via WebSocket frames (CVE-2026-12151)

* undici: Undici: Information disclosure due to improper cache-control header parsing (CVE-2026-9678)

* undici: Undici: Response queue poisoning on reused keep-alive sockets can lead to incorrect response delivery. (CVE-2026-6733)

* undici: undici: Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header (CVE-2026-11525)

* undici: undici: Man-in-the-Middle attack via ignored TLS options with SOCKS5 proxy (CVE-2026-9697)

* undici: undici: Information disclosure and data integrity issues due to incorrect Socks5ProxyAgent connection routing (CVE-2026-6734)

* nodejs: Node.js: Denial of Service via unlimited HTTP/2 ORIGIN frames (CVE-2026-48619)

* nodejs: Node.js: Silent authority rebinding due to embedded-nul hostnames in TLS handling (CVE-2026-48930)

* nodejs: Node.js: Unauthorized file metadata modification (CVE-2026-48935)

* nodejs: Node.js WebCrypto: Denial of Service via large input to subtle.encrypt() (CVE-2026-48933)

* nodejs: Node.js: Certification validation bypass in TLS host verification (CVE-2026-48934)

* Node.js: Node.js: Trust-policy bypass due to hostname matching inconsistency (CVE-2026-48928)

* nodejs: Node.js: Information disclosure of proxy credentials via proxy tunnel error handling (CVE-2026-48615)

* nodejs: Node.js: Authentication bypass due to TLS hostname handling and unicode dot separator mismatch (CVE-2026-48618)

Bug Fix(es) and Enhancement(s):

* nodejs24: Rebase to the latest Node.js 24 release [rhel-10.2.z] (JIRA:Rocky Linux-186582)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.



Affected products

Rocky Linux 10 aarch64 Rocky Linux 10 ppc64le Rocky Linux 10 riscv64 Rocky Linux 10 s390x Rocky Linux 10 x86_64

Fixes

2490006 2476810 2490008 2490024 2493333 2493329 2493335 2493331 2489980 2493332 2490000 2493326 2490018 2493325 2493337

CVEs

CVE-2026-11525 CVE-2026-12151 CVE-2026-42338 CVE-2026-48615 CVE-2026-48618 CVE-2026-48619 CVE-2026-48928 CVE-2026-48930 CVE-2026-48933 CVE-2026-48934 CVE-2026-48935 CVE-2026-6733 CVE-2026-6734 CVE-2026-9678 CVE-2026-9697

Affected packages

Rocky Linux 10 ppc64le - AppStream

nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le.rpm nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le.rpm nodejs24-docs-1:24.18.0-1.el10_2.noarch.rpm nodejs24-libs-1:24.18.0-1.el10_2.ppc64le.rpm nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le.rpm nodejs24-1:24.18.0-1.el10_2.src.rpm nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch.rpm nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le.rpm nodejs24-devel-1:24.18.0-1.el10_2.ppc64le.rpm nodejs24-1:24.18.0-1.el10_2.ppc64le.rpm

Rocky Linux 10 s390x - AppStream

nodejs24-devel-1:24.18.0-1.el10_2.s390x.rpm nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x.rpm nodejs24-debugsource-1:24.18.0-1.el10_2.s390x.rpm nodejs24-docs-1:24.18.0-1.el10_2.noarch.rpm nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x.rpm nodejs24-1:24.18.0-1.el10_2.src.rpm nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch.rpm nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x.rpm nodejs24-libs-1:24.18.0-1.el10_2.s390x.rpm nodejs24-1:24.18.0-1.el10_2.s390x.rpm

Rocky Linux 10 x86_64 - AppStream

nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64.rpm nodejs24-1:24.18.0-1.el10_2.x86_64.rpm nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64.rpm nodejs24-docs-1:24.18.0-1.el10_2.noarch.rpm nodejs24-1:24.18.0-1.el10_2.src.rpm nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch.rpm nodejs24-libs-1:24.18.0-1.el10_2.x86_64.rpm nodejs24-devel-1:24.18.0-1.el10_2.x86_64.rpm nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64.rpm nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64.rpm

Rocky Linux 10 aarch64 - AppStream

nodejs24-devel-1:24.18.0-1.el10_2.aarch64.rpm nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64.rpm nodejs24-docs-1:24.18.0-1.el10_2.noarch.rpm nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64.rpm nodejs24-libs-1:24.18.0-1.el10_2.aarch64.rpm nodejs24-1:24.18.0-1.el10_2.src.rpm nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch.rpm nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64.rpm nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64.rpm nodejs24-1:24.18.0-1.el10_2.aarch64.rpm

Rocky Linux 10 riscv64 - AppStream

nodejs24-docs-1:24.18.0-1.el10_2.noarch.rpm nodejs24-1:24.18.0-1.el10_2.src.rpm nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch.rpm