[Apollo] Advisories Statistics light light Login

RLSA-2026:7302

Security Mirrored from RHSA-2026:7302
Issued at: 2026-04-09
Updated at: 2026-04-10

Synopsis

Important: nodejs:22 security update



Description

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

Security Fix(es):

* brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion (CVE-2026-25547)

* minimatch: minimatch: Denial of Service via specially crafted glob patterns (CVE-2026-26996)

* minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions (CVE-2026-27904)

* undici: undici: Denial of Service via unbounded memory consumption during WebSocket permessage-deflate decompression (CVE-2026-1526)

* undici: Undici: Denial of Service via invalid WebSocket permessage-deflate extension parameter (CVE-2026-2229)

* undici: Undici: HTTP Request Smuggling and Denial of Service due to duplicate Content-Length headers (CVE-2026-1525)

* undici: undici: Denial of Service via crafted WebSocket frame with large length (CVE-2026-1528)

* nghttp2: nghttp2: Denial of Service via malformed HTTP/2 frames after session termination (CVE-2026-27135)

* Node.js: Node.js: Denial of Service due to crafted HTTP `__proto__` header (CVE-2026-21710)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.



Affected products

Rocky Linux 9 aarch64 Rocky Linux 9 ppc64le Rocky Linux 9 s390x Rocky Linux 9 x86_64

Fixes

2436942 2441268 2442922 2447142 2447143 2447144 2447145 2448754 2453151

CVEs

CVE-2026-1525 CVE-2026-1526 CVE-2026-1528 CVE-2026-21710 CVE-2026-2229 CVE-2026-25547 CVE-2026-26996 CVE-2026-27135 CVE-2026-27904

Affected packages

Rocky Linux 9 x86_64 - AppStream

nodejs-nodemon-0:3.0.1-1.module+el9.7.0+40017+f0db1785.noarch.rpm nodejs-nodemon-0:3.0.1-1.module+el9.7.0+40018+a011993d.noarch.rpm nodejs-nodemon-0:3.0.1-1.module+el9.7.0+40022+9ecc286c.noarch.rpm nodejs-nodemon-0:3.0.1-1.module+el9.7.0+40017+f0db1785.src.rpm nodejs-nodemon-0:3.0.1-1.module+el9.7.0+40018+a011993d.src.rpm nodejs-nodemon-0:3.0.1-1.module+el9.7.0+40022+9ecc286c.src.rpm nodejs-packaging-0:2021.06-6.module+el9.7.0+40052+e32ea525.noarch.rpm nodejs-packaging-0:2021.06-6.module+el9.7.0+40052+e32ea525.src.rpm nodejs-packaging-bundler-0:2021.06-6.module+el9.7.0+40052+e32ea525.noarch.rpm

Rocky Linux 9 aarch64 - AppStream

nodejs-nodemon-0:3.0.1-1.module+el9.7.0+40017+f0db1785.noarch.rpm nodejs-nodemon-0:3.0.1-1.module+el9.7.0+40018+a011993d.noarch.rpm nodejs-nodemon-0:3.0.1-1.module+el9.7.0+40022+9ecc286c.noarch.rpm nodejs-nodemon-0:3.0.1-1.module+el9.7.0+40018+a011993d.src.rpm nodejs-nodemon-0:3.0.1-1.module+el9.7.0+40017+f0db1785.src.rpm nodejs-nodemon-0:3.0.1-1.module+el9.7.0+40022+9ecc286c.src.rpm nodejs-packaging-0:2021.06-6.module+el9.7.0+40052+e32ea525.noarch.rpm nodejs-packaging-0:2021.06-6.module+el9.7.0+40052+e32ea525.src.rpm nodejs-packaging-bundler-0:2021.06-6.module+el9.7.0+40052+e32ea525.noarch.rpm

Rocky Linux 9 s390x - AppStream

nodejs-nodemon-0:3.0.1-1.module+el9.7.0+40017+f0db1785.noarch.rpm nodejs-nodemon-0:3.0.1-1.module+el9.7.0+40018+a011993d.noarch.rpm nodejs-nodemon-0:3.0.1-1.module+el9.7.0+40022+9ecc286c.noarch.rpm nodejs-nodemon-0:3.0.1-1.module+el9.7.0+40017+f0db1785.src.rpm nodejs-nodemon-0:3.0.1-1.module+el9.7.0+40018+a011993d.src.rpm nodejs-nodemon-0:3.0.1-1.module+el9.7.0+40022+9ecc286c.src.rpm nodejs-packaging-0:2021.06-6.module+el9.7.0+40052+e32ea525.noarch.rpm nodejs-packaging-0:2021.06-6.module+el9.7.0+40052+e32ea525.src.rpm nodejs-packaging-bundler-0:2021.06-6.module+el9.7.0+40052+e32ea525.noarch.rpm

Rocky Linux 9 ppc64le - AppStream

nodejs-nodemon-0:3.0.1-1.module+el9.7.0+40017+f0db1785.noarch.rpm nodejs-nodemon-0:3.0.1-1.module+el9.7.0+40022+9ecc286c.noarch.rpm nodejs-nodemon-0:3.0.1-1.module+el9.7.0+40018+a011993d.noarch.rpm nodejs-nodemon-0:3.0.1-1.module+el9.7.0+40018+a011993d.src.rpm nodejs-nodemon-0:3.0.1-1.module+el9.7.0+40022+9ecc286c.src.rpm nodejs-nodemon-0:3.0.1-1.module+el9.7.0+40017+f0db1785.src.rpm nodejs-packaging-0:2021.06-6.module+el9.7.0+40052+e32ea525.noarch.rpm nodejs-packaging-0:2021.06-6.module+el9.7.0+40052+e32ea525.src.rpm nodejs-packaging-bundler-0:2021.06-6.module+el9.7.0+40052+e32ea525.noarch.rpm