RHSA-2026:35841
Vulnerability from csaf_redhat - Published: 2026-07-06 04:52 - Updated: 2026-07-06 12:07A flaw was found in undici. An attacker-controlled upstream server can exploit a vulnerability in Undici's HTTP/1.1 client, specifically related to response queue poisoning on reused keep-alive sockets. This allows the attacker to inject an unsolicited HTTP/1.1 response onto an idle socket. Consequently, when the client dispatches a new request on that socket, it may associate the injected response with the new request, leading to responses being delivered to unintended recipients or requests. This could result in a low impact on data integrity.
CWE-940 - Improper Verification of Source of a Communication Channel| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-docs-1:24.18.0-1.el10_2.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch | — |
Vendor Fix
fix
Workaround
|
A flaw was found in undici. When using Socks5ProxyAgent, undici incorrectly reuses a single connection pool across different origins. This can lead to cross-origin request routing, where sensitive credentials and data intended for one destination are sent to another. Consequently, responses from unintended origins may be trusted, and secure HTTPS connections could be silently downgraded to unencrypted HTTP, resulting in information disclosure and data integrity issues.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-docs-1:24.18.0-1.el10_2.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch | — |
Vendor Fix
fix
Workaround
|
A flaw was found in Undici. The cache interceptor in shared-cache mode incorrectly classifies certain responses as cacheable due to improper handling of whitespace-padded Cache-Control header field names. This vulnerability allows an unauthenticated attacker to access authenticated user data from the cache, leading to information disclosure. This occurs when both authenticated and unauthenticated requests resolve to the same cache key.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-docs-1:24.18.0-1.el10_2.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch | — |
Vendor Fix
fix
Workaround
|
A flaw was found in undici. When undici's ProxyAgent is configured with a SOCKS5 proxy Uniform Resource Identifier (URI), it silently ignores Transport Layer Security (TLS) options, such as custom Certificate Authorities (CAs). This allows a remote attacker to perform a Man-in-the-Middle (MITM) attack, intercepting and tampering with HTTPS communications. The connection falls back to Node.js's default trust store, bypassing intended security configurations and potentially leading to information disclosure or arbitrary code execution.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-docs-1:24.18.0-1.el10_2.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch | — |
Vendor Fix
fix
Workaround
|
A flaw was found in undici. When undici processes Set-Cookie headers, it incorrectly interprets the SameSite attribute, accepting partial matches instead of exact ones. This allows a malicious server to downgrade a cookie's SameSite policy to a less secure setting, potentially leading to unintended information disclosure or a weakening of security protections for the user.
CWE-1286 - Improper Validation of Syntactic Correctness of Input| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-docs-1:24.18.0-1.el10_2.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch | — |
Vendor Fix
fix
Workaround
|
A flaw was found in undici. A malicious WebSocket server can exploit this by streaming numerous small or empty continuation frames. This can bypass per-frame and cumulative-size validation, leading to unbounded memory growth in the client process. The primary consequence is memory exhaustion, resulting in a denial of service (DoS) for affected applications using the undici WebSocket client or WebSocketStream API.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-docs-1:24.18.0-1.el10_2.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch | — |
Vendor Fix
fix
Workaround
|
A flaw was found in ip-address, a JavaScript library for parsing and manipulating IPv4 and IPv6 addresses. This vulnerability allows a remote attacker to perform cross-site scripting (XSS) by providing untrusted input to the Address6 constructor. When an application renders the output of Address6.group(), Address6.link(), or the AddressError.parseMessage as HTML without proper escaping, the attacker-controlled content can be executed in the user's browser.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-docs-1:24.18.0-1.el10_2.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch | — |
Vendor Fix
fix
Workaround
|
A flaw was found in Node.js. When proxy credentials are embedded in a proxy URL, an issue in the proxy tunnel error handling can lead to the exposure of these credentials. This information disclosure vulnerability allows an attacker to potentially capture sensitive proxy credentials through logs, diagnostics, or other error-consuming mechanisms.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-docs-1:24.18.0-1.el10_2.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch | — |
Vendor Fix
fix
Workaround
|
A flaw was found in Node.js. This flaw involves a mismatch in how Node.js handles TLS (Transport Layer Security) hostnames and unicode dot separators during authentication. This mismatch can lead to a wildcard-depth authentication bypass. An attacker could exploit this to bypass intended security boundaries, potentially leading to unauthorized access and confidentiality impact.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-docs-1:24.18.0-1.el10_2.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch | — |
Vendor Fix
fix
Workaround
|
A flaw was found in Node.js. A malicious server can exploit the HTTP/2 client by sending an unlimited number of ORIGIN frames. This can lead to an Out of Memory error on the client, resulting in a denial of service.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-docs-1:24.18.0-1.el10_2.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch | — |
Vendor Fix
fix
Workaround
|
A flaw was found in Node.js. An inconsistency in how Node.js matches hostnames can be exploited by a remote attacker in multi-context mTLS (mutual Transport Layer Security) setups. This vulnerability allows for a trust-policy bypass, potentially leading to unauthorized access to sensitive information or integrity compromise within the affected system.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-docs-1:24.18.0-1.el10_2.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch | — |
Vendor Fix
fix
Workaround
|
A flaw was found in Node.js. This vulnerability in the TLS (Transport Layer Security) hostname handling allows embedded null characters in hostnames. This can lead to silent authority rebinding, potentially enabling an attacker to redirect network traffic to an unintended server and disclose sensitive information.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-docs-1:24.18.0-1.el10_2.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch | — |
Vendor Fix
fix
Workaround
|
A flaw was found in the Node.js WebCrypto implementation. A remote attacker could exploit this vulnerability by providing an input to the `subtle.encrypt()` function that is a multiple of 2 gigabytes (GiB). This could lead to a denial of service (DoS) by crashing the Node.js process.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-docs-1:24.18.0-1.el10_2.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch | — |
Vendor Fix
fix
Workaround
|
A flaw was found in Node.js. An attacker can exploit a vulnerability in the Transport Layer Security (TLS) host verification process to bypass certification validation. This bypass could allow an attacker to intercept or alter communications, potentially leading to information disclosure or integrity compromise.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-docs-1:24.18.0-1.el10_2.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch | — |
Vendor Fix
fix
Workaround
|
A flaw was found in Node.js. The Permission API allows a local user to modify file metadata on paths that have been explicitly set as read-only. This can lead to unauthorized changes in file properties, impacting the integrity of the file system.
CWE-279 - Incorrect Execution-Assigned Permissions| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-docs-1:24.18.0-1.el10_2.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.2.Z:nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch | — |
Vendor Fix
fix
Workaround
|
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for nodejs24 is now available for Red Hat Enterprise Linux 10.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Node.js is a platform built on Chrome\u0027s JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices.\n\nSecurity Fix(es):\n\n* ip-address: ip-address: Cross-site scripting via improper HTML escaping of untrusted input (CVE-2026-42338)\n\n* undici: undici: Denial of Service due to unbounded memory growth via WebSocket frames (CVE-2026-12151)\n\n* undici: Undici: Information disclosure due to improper cache-control header parsing (CVE-2026-9678)\n\n* undici: Undici: Response queue poisoning on reused keep-alive sockets can lead to incorrect response delivery. (CVE-2026-6733)\n\n* undici: undici: Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header (CVE-2026-11525)\n\n* undici: undici: Man-in-the-Middle attack via ignored TLS options with SOCKS5 proxy (CVE-2026-9697)\n\n* undici: undici: Information disclosure and data integrity issues due to incorrect Socks5ProxyAgent connection routing (CVE-2026-6734)\n\n* nodejs: Node.js: Denial of Service via unlimited HTTP/2 ORIGIN frames (CVE-2026-48619)\n\n* nodejs: Node.js: Silent authority rebinding due to embedded-nul hostnames in TLS handling (CVE-2026-48930)\n\n* nodejs: Node.js: Unauthorized file metadata modification (CVE-2026-48935)\n\n* nodejs: Node.js WebCrypto: Denial of Service via large input to subtle.encrypt() (CVE-2026-48933)\n\n* nodejs: Node.js: Certification validation bypass in TLS host verification (CVE-2026-48934)\n\n* Node.js: Node.js: Trust-policy bypass due to hostname matching inconsistency (CVE-2026-48928)\n\n* nodejs: Node.js: Information disclosure of proxy credentials via proxy tunnel error handling (CVE-2026-48615)\n\n* nodejs: Node.js: Authentication bypass due to TLS hostname handling and unicode dot separator mismatch (CVE-2026-48618)\n\nBug Fix(es) and Enhancement(s):\n\n* nodejs24: Rebase to the latest Node.js 24 release [rhel-10.2.z] (JIRA:RHEL-186582)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:35841",
"url": "https://access.redhat.com/errata/RHSA-2026:35841"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2476810",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2476810"
},
{
"category": "external",
"summary": "2489980",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2489980"
},
{
"category": "external",
"summary": "2490000",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2490000"
},
{
"category": "external",
"summary": "2490006",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2490006"
},
{
"category": "external",
"summary": "2490008",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2490008"
},
{
"category": "external",
"summary": "2490018",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2490018"
},
{
"category": "external",
"summary": "2490024",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2490024"
},
{
"category": "external",
"summary": "2493325",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2493325"
},
{
"category": "external",
"summary": "2493326",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2493326"
},
{
"category": "external",
"summary": "2493329",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2493329"
},
{
"category": "external",
"summary": "2493331",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2493331"
},
{
"category": "external",
"summary": "2493332",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2493332"
},
{
"category": "external",
"summary": "2493333",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2493333"
},
{
"category": "external",
"summary": "2493335",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2493335"
},
{
"category": "external",
"summary": "2493337",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2493337"
},
{
"category": "external",
"summary": "RHEL-186582",
"url": "https://issues.redhat.com/browse/RHEL-186582"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_35841.json"
}
],
"title": "Red Hat Security Advisory: nodejs24 security, bug fix, and enhancement update",
"tracking": {
"current_release_date": "2026-07-06T12:07:47+00:00",
"generator": {
"date": "2026-07-06T12:07:47+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.1"
}
},
"id": "RHSA-2026:35841",
"initial_release_date": "2026-07-06T04:52:46+00:00",
"revision_history": [
{
"date": "2026-07-06T04:52:46+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-07-06T04:52:46+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-07-06T12:07:47+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream (v. 10)",
"product": {
"name": "Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.2.Z",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:10.2"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs24-1:24.18.0-1.el10_2.src",
"product": {
"name": "nodejs24-1:24.18.0-1.el10_2.src",
"product_id": "nodejs24-1:24.18.0-1.el10_2.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs24@24.18.0-1.el10_2?arch=src\u0026epoch=1"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs24-1:24.18.0-1.el10_2.aarch64",
"product": {
"name": "nodejs24-1:24.18.0-1.el10_2.aarch64",
"product_id": "nodejs24-1:24.18.0-1.el10_2.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs24@24.18.0-1.el10_2?arch=aarch64\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs24-devel-1:24.18.0-1.el10_2.aarch64",
"product": {
"name": "nodejs24-devel-1:24.18.0-1.el10_2.aarch64",
"product_id": "nodejs24-devel-1:24.18.0-1.el10_2.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs24-devel@24.18.0-1.el10_2?arch=aarch64\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64",
"product": {
"name": "nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64",
"product_id": "nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs24-full-i18n@24.18.0-1.el10_2?arch=aarch64\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs24-libs-1:24.18.0-1.el10_2.aarch64",
"product": {
"name": "nodejs24-libs-1:24.18.0-1.el10_2.aarch64",
"product_id": "nodejs24-libs-1:24.18.0-1.el10_2.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs24-libs@24.18.0-1.el10_2?arch=aarch64\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64",
"product": {
"name": "nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64",
"product_id": "nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs24-debugsource@24.18.0-1.el10_2?arch=aarch64\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64",
"product": {
"name": "nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64",
"product_id": "nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs24-debuginfo@24.18.0-1.el10_2?arch=aarch64\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64",
"product": {
"name": "nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64",
"product_id": "nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs24-libs-debuginfo@24.18.0-1.el10_2?arch=aarch64\u0026epoch=1"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs24-1:24.18.0-1.el10_2.ppc64le",
"product": {
"name": "nodejs24-1:24.18.0-1.el10_2.ppc64le",
"product_id": "nodejs24-1:24.18.0-1.el10_2.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs24@24.18.0-1.el10_2?arch=ppc64le\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs24-devel-1:24.18.0-1.el10_2.ppc64le",
"product": {
"name": "nodejs24-devel-1:24.18.0-1.el10_2.ppc64le",
"product_id": "nodejs24-devel-1:24.18.0-1.el10_2.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs24-devel@24.18.0-1.el10_2?arch=ppc64le\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le",
"product": {
"name": "nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le",
"product_id": "nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs24-full-i18n@24.18.0-1.el10_2?arch=ppc64le\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs24-libs-1:24.18.0-1.el10_2.ppc64le",
"product": {
"name": "nodejs24-libs-1:24.18.0-1.el10_2.ppc64le",
"product_id": "nodejs24-libs-1:24.18.0-1.el10_2.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs24-libs@24.18.0-1.el10_2?arch=ppc64le\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le",
"product": {
"name": "nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le",
"product_id": "nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs24-debugsource@24.18.0-1.el10_2?arch=ppc64le\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"product": {
"name": "nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"product_id": "nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs24-debuginfo@24.18.0-1.el10_2?arch=ppc64le\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"product": {
"name": "nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"product_id": "nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs24-libs-debuginfo@24.18.0-1.el10_2?arch=ppc64le\u0026epoch=1"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs24-1:24.18.0-1.el10_2.s390x",
"product": {
"name": "nodejs24-1:24.18.0-1.el10_2.s390x",
"product_id": "nodejs24-1:24.18.0-1.el10_2.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs24@24.18.0-1.el10_2?arch=s390x\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs24-devel-1:24.18.0-1.el10_2.s390x",
"product": {
"name": "nodejs24-devel-1:24.18.0-1.el10_2.s390x",
"product_id": "nodejs24-devel-1:24.18.0-1.el10_2.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs24-devel@24.18.0-1.el10_2?arch=s390x\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x",
"product": {
"name": "nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x",
"product_id": "nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs24-full-i18n@24.18.0-1.el10_2?arch=s390x\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs24-libs-1:24.18.0-1.el10_2.s390x",
"product": {
"name": "nodejs24-libs-1:24.18.0-1.el10_2.s390x",
"product_id": "nodejs24-libs-1:24.18.0-1.el10_2.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs24-libs@24.18.0-1.el10_2?arch=s390x\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs24-debugsource-1:24.18.0-1.el10_2.s390x",
"product": {
"name": "nodejs24-debugsource-1:24.18.0-1.el10_2.s390x",
"product_id": "nodejs24-debugsource-1:24.18.0-1.el10_2.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs24-debugsource@24.18.0-1.el10_2?arch=s390x\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x",
"product": {
"name": "nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x",
"product_id": "nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs24-debuginfo@24.18.0-1.el10_2?arch=s390x\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x",
"product": {
"name": "nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x",
"product_id": "nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs24-libs-debuginfo@24.18.0-1.el10_2?arch=s390x\u0026epoch=1"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs24-1:24.18.0-1.el10_2.x86_64",
"product": {
"name": "nodejs24-1:24.18.0-1.el10_2.x86_64",
"product_id": "nodejs24-1:24.18.0-1.el10_2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs24@24.18.0-1.el10_2?arch=x86_64\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs24-devel-1:24.18.0-1.el10_2.x86_64",
"product": {
"name": "nodejs24-devel-1:24.18.0-1.el10_2.x86_64",
"product_id": "nodejs24-devel-1:24.18.0-1.el10_2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs24-devel@24.18.0-1.el10_2?arch=x86_64\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64",
"product": {
"name": "nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64",
"product_id": "nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs24-full-i18n@24.18.0-1.el10_2?arch=x86_64\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs24-libs-1:24.18.0-1.el10_2.x86_64",
"product": {
"name": "nodejs24-libs-1:24.18.0-1.el10_2.x86_64",
"product_id": "nodejs24-libs-1:24.18.0-1.el10_2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs24-libs@24.18.0-1.el10_2?arch=x86_64\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64",
"product": {
"name": "nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64",
"product_id": "nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs24-debugsource@24.18.0-1.el10_2?arch=x86_64\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64",
"product": {
"name": "nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64",
"product_id": "nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs24-debuginfo@24.18.0-1.el10_2?arch=x86_64\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64",
"product": {
"name": "nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64",
"product_id": "nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs24-libs-debuginfo@24.18.0-1.el10_2?arch=x86_64\u0026epoch=1"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs24-docs-1:24.18.0-1.el10_2.noarch",
"product": {
"name": "nodejs24-docs-1:24.18.0-1.el10_2.noarch",
"product_id": "nodejs24-docs-1:24.18.0-1.el10_2.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs24-docs@24.18.0-1.el10_2?arch=noarch\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch",
"product": {
"name": "nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch",
"product_id": "nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs24-npm@11.16.0-1.24.18.0.1.el10_2?arch=noarch\u0026epoch=1"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-1:24.18.0-1.el10_2.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.aarch64"
},
"product_reference": "nodejs24-1:24.18.0-1.el10_2.aarch64",
"relates_to_product_reference": "AppStream-10.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-1:24.18.0-1.el10_2.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.ppc64le"
},
"product_reference": "nodejs24-1:24.18.0-1.el10_2.ppc64le",
"relates_to_product_reference": "AppStream-10.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-1:24.18.0-1.el10_2.s390x as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.s390x"
},
"product_reference": "nodejs24-1:24.18.0-1.el10_2.s390x",
"relates_to_product_reference": "AppStream-10.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-1:24.18.0-1.el10_2.src as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.src"
},
"product_reference": "nodejs24-1:24.18.0-1.el10_2.src",
"relates_to_product_reference": "AppStream-10.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-1:24.18.0-1.el10_2.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.x86_64"
},
"product_reference": "nodejs24-1:24.18.0-1.el10_2.x86_64",
"relates_to_product_reference": "AppStream-10.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64"
},
"product_reference": "nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64",
"relates_to_product_reference": "AppStream-10.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le"
},
"product_reference": "nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"relates_to_product_reference": "AppStream-10.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x"
},
"product_reference": "nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x",
"relates_to_product_reference": "AppStream-10.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64"
},
"product_reference": "nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64",
"relates_to_product_reference": "AppStream-10.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64"
},
"product_reference": "nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64",
"relates_to_product_reference": "AppStream-10.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le"
},
"product_reference": "nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le",
"relates_to_product_reference": "AppStream-10.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-debugsource-1:24.18.0-1.el10_2.s390x as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.s390x"
},
"product_reference": "nodejs24-debugsource-1:24.18.0-1.el10_2.s390x",
"relates_to_product_reference": "AppStream-10.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64"
},
"product_reference": "nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64",
"relates_to_product_reference": "AppStream-10.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-devel-1:24.18.0-1.el10_2.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.aarch64"
},
"product_reference": "nodejs24-devel-1:24.18.0-1.el10_2.aarch64",
"relates_to_product_reference": "AppStream-10.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-devel-1:24.18.0-1.el10_2.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.ppc64le"
},
"product_reference": "nodejs24-devel-1:24.18.0-1.el10_2.ppc64le",
"relates_to_product_reference": "AppStream-10.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-devel-1:24.18.0-1.el10_2.s390x as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.s390x"
},
"product_reference": "nodejs24-devel-1:24.18.0-1.el10_2.s390x",
"relates_to_product_reference": "AppStream-10.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-devel-1:24.18.0-1.el10_2.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.x86_64"
},
"product_reference": "nodejs24-devel-1:24.18.0-1.el10_2.x86_64",
"relates_to_product_reference": "AppStream-10.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-docs-1:24.18.0-1.el10_2.noarch as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.2.Z:nodejs24-docs-1:24.18.0-1.el10_2.noarch"
},
"product_reference": "nodejs24-docs-1:24.18.0-1.el10_2.noarch",
"relates_to_product_reference": "AppStream-10.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64"
},
"product_reference": "nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64",
"relates_to_product_reference": "AppStream-10.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le"
},
"product_reference": "nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le",
"relates_to_product_reference": "AppStream-10.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x"
},
"product_reference": "nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x",
"relates_to_product_reference": "AppStream-10.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64"
},
"product_reference": "nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64",
"relates_to_product_reference": "AppStream-10.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-libs-1:24.18.0-1.el10_2.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.aarch64"
},
"product_reference": "nodejs24-libs-1:24.18.0-1.el10_2.aarch64",
"relates_to_product_reference": "AppStream-10.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-libs-1:24.18.0-1.el10_2.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.ppc64le"
},
"product_reference": "nodejs24-libs-1:24.18.0-1.el10_2.ppc64le",
"relates_to_product_reference": "AppStream-10.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-libs-1:24.18.0-1.el10_2.s390x as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.s390x"
},
"product_reference": "nodejs24-libs-1:24.18.0-1.el10_2.s390x",
"relates_to_product_reference": "AppStream-10.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-libs-1:24.18.0-1.el10_2.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.x86_64"
},
"product_reference": "nodejs24-libs-1:24.18.0-1.el10_2.x86_64",
"relates_to_product_reference": "AppStream-10.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64"
},
"product_reference": "nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64",
"relates_to_product_reference": "AppStream-10.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le"
},
"product_reference": "nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"relates_to_product_reference": "AppStream-10.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x"
},
"product_reference": "nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x",
"relates_to_product_reference": "AppStream-10.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64"
},
"product_reference": "nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64",
"relates_to_product_reference": "AppStream-10.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.2.Z:nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch"
},
"product_reference": "nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch",
"relates_to_product_reference": "AppStream-10.2.Z"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-6733",
"cwe": {
"id": "CWE-940",
"name": "Improper Verification of Source of a Communication Channel"
},
"discovery_date": "2026-06-17T19:02:16.713859+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2490006"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in undici. An attacker-controlled upstream server can exploit a vulnerability in Undici\u0027s HTTP/1.1 client, specifically related to response queue poisoning on reused keep-alive sockets. This allows the attacker to inject an unsolicited HTTP/1.1 response onto an idle socket. Consequently, when the client dispatches a new request on that socket, it may associate the injected response with the new request, leading to responses being delivered to unintended recipients or requests. This could result in a low impact on data integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "undici: Undici: Response queue poisoning on reused keep-alive sockets can lead to incorrect response delivery.",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Low: A flaw in Undici\u0027s HTTP/1.1 client, as used in various Red Hat products, allows an attacker-controlled upstream server to inject unsolicited responses onto reused keep-alive sockets. This can lead to incorrect response delivery, potentially impacting data integrity, but requires a compromised server and active keep-alive connections.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.src",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-docs-1:24.18.0-1.el10_2.noarch",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-6733"
},
{
"category": "external",
"summary": "RHBZ#2490006",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2490006"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-6733",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-6733"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-6733",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6733"
},
{
"category": "external",
"summary": "https://cna.openjsf.org/security-advisories.html",
"url": "https://cna.openjsf.org/security-advisories.html"
},
{
"category": "external",
"summary": "https://github.com/nodejs/undici/security/advisories/GHSA-35p6-xmwp-9g52",
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-35p6-xmwp-9g52"
},
{
"category": "external",
"summary": "https://hackerone.com/reports/3582376",
"url": "https://hackerone.com/reports/3582376"
}
],
"release_date": "2026-06-17T17:14:50.991000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-06T04:52:46+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.src",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-docs-1:24.18.0-1.el10_2.noarch",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:35841"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.src",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-docs-1:24.18.0-1.el10_2.noarch",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.src",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-docs-1:24.18.0-1.el10_2.noarch",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "undici: Undici: Response queue poisoning on reused keep-alive sockets can lead to incorrect response delivery."
},
{
"cve": "CVE-2026-6734",
"cwe": {
"id": "CWE-940",
"name": "Improper Verification of Source of a Communication Channel"
},
"discovery_date": "2026-06-17T19:04:00.272340+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2490024"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in undici. When using Socks5ProxyAgent, undici incorrectly reuses a single connection pool across different origins. This can lead to cross-origin request routing, where sensitive credentials and data intended for one destination are sent to another. Consequently, responses from unintended origins may be trusted, and secure HTTPS connections could be silently downgraded to unencrypted HTTP, resulting in information disclosure and data integrity issues.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "undici: undici: Information disclosure and data integrity issues due to incorrect Socks5ProxyAgent connection routing",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is rated as an Important security flaw. The `undici` library, when configured with `Socks5ProxyAgent` to handle requests for multiple origins, incorrectly reuses connection pools. This can lead to sensitive data and credentials being misrouted to unintended destinations, potentially downgrading HTTPS connections to HTTP and compromising data integrity and confidentiality. Red Hat products utilizing `undici` with `Socks5ProxyAgent` in multi-origin scenarios are affected.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.src",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-docs-1:24.18.0-1.el10_2.noarch",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-6734"
},
{
"category": "external",
"summary": "RHBZ#2490024",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2490024"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-6734",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-6734"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-6734",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6734"
},
{
"category": "external",
"summary": "https://cna.openjsf.org/security-advisories.html",
"url": "https://cna.openjsf.org/security-advisories.html"
},
{
"category": "external",
"summary": "https://github.com/nodejs/undici/security/advisories/GHSA-hm92-r4w5-c3mj",
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-hm92-r4w5-c3mj"
}
],
"release_date": "2026-06-17T16:36:55.439000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-06T04:52:46+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.src",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-docs-1:24.18.0-1.el10_2.noarch",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:35841"
},
{
"category": "workaround",
"details": "The single most impactful mitigation is applying network egress controls to restrict which external destinations affected applications can reach. Because the vulnerability causes requests to be misrouted to wrong origins, limiting the set of reachable origins directly reduces the attack surface. These controls collectively limit the blast radius of the connection pool misrouting \u2014 the attacker must compromise one of the explicitly allowed destinations rather than any arbitrary origin \u2014 but they do not fix the underlying logic bug.",
"product_ids": [
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.src",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-docs-1:24.18.0-1.el10_2.noarch",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.src",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-docs-1:24.18.0-1.el10_2.noarch",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "undici: undici: Information disclosure and data integrity issues due to incorrect Socks5ProxyAgent connection routing"
},
{
"cve": "CVE-2026-9678",
"cwe": {
"id": "CWE-1286",
"name": "Improper Validation of Syntactic Correctness of Input"
},
"discovery_date": "2026-06-17T19:01:33.359372+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2490000"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Undici. The cache interceptor in shared-cache mode incorrectly classifies certain responses as cacheable due to improper handling of whitespace-padded Cache-Control header field names. This vulnerability allows an unauthenticated attacker to access authenticated user data from the cache, leading to information disclosure. This occurs when both authenticated and unauthenticated requests resolve to the same cache key.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "undici: Undici: Information disclosure due to improper cache-control header parsing",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Moderate information disclosure flaw in Undici\u0027s cache interceptor, when configured in shared-cache mode, allows an unauthenticated attacker to retrieve sensitive authenticated user data. This is due to incorrect parsing of Cache-Control headers containing whitespace-padded field names, leading to cached responses being served improperly. Red Hat products are affected if they explicitly enable shared-cache mode, forward Authorization headers, and process non-canonical Cache-Control directives.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.src",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-docs-1:24.18.0-1.el10_2.noarch",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9678"
},
{
"category": "external",
"summary": "RHBZ#2490000",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2490000"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9678",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9678"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9678",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9678"
},
{
"category": "external",
"summary": "https://cna.openjsf.org/security-advisories.html",
"url": "https://cna.openjsf.org/security-advisories.html"
},
{
"category": "external",
"summary": "https://github.com/nodejs/undici/security/advisories/GHSA-pr7r-676h-xcf6",
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-pr7r-676h-xcf6"
}
],
"release_date": "2026-06-17T17:04:09.680000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-06T04:52:46+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.src",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-docs-1:24.18.0-1.el10_2.noarch",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:35841"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.src",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-docs-1:24.18.0-1.el10_2.noarch",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.src",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-docs-1:24.18.0-1.el10_2.noarch",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "undici: Undici: Information disclosure due to improper cache-control header parsing"
},
{
"cve": "CVE-2026-9697",
"cwe": {
"id": "CWE-295",
"name": "Improper Certificate Validation"
},
"discovery_date": "2026-06-17T19:03:30.813843+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2490018"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in undici. When undici\u0027s ProxyAgent is configured with a SOCKS5 proxy Uniform Resource Identifier (URI), it silently ignores Transport Layer Security (TLS) options, such as custom Certificate Authorities (CAs). This allows a remote attacker to perform a Man-in-the-Middle (MITM) attack, intercepting and tampering with HTTPS communications. The connection falls back to Node.js\u0027s default trust store, bypassing intended security configurations and potentially leading to information disclosure or arbitrary code execution.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "undici: undici: Man-in-the-Middle attack via ignored TLS options with SOCKS5 proxy",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an Important vulnerability. Applications using `undici`\u0027s `ProxyAgent` with a SOCKS5 proxy URI will silently ignore user-configured TLS options, including custom Certificate Authorities. This bypasses intended security controls for HTTPS communication, enabling a remote attacker to perform Man-in-the-Middle attacks, potentially leading to information disclosure or arbitrary code execution in affected Red Hat products.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.src",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-docs-1:24.18.0-1.el10_2.noarch",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9697"
},
{
"category": "external",
"summary": "RHBZ#2490018",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2490018"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9697",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9697"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9697",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9697"
},
{
"category": "external",
"summary": "https://cna.openjsf.org/security-advisories.html",
"url": "https://cna.openjsf.org/security-advisories.html"
},
{
"category": "external",
"summary": "https://github.com/nodejs/undici/security/advisories/GHSA-vmh5-mc38-953g",
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-vmh5-mc38-953g"
}
],
"release_date": "2026-06-17T16:46:42.706000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-06T04:52:46+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.src",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-docs-1:24.18.0-1.el10_2.noarch",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:35841"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.src",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-docs-1:24.18.0-1.el10_2.noarch",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.src",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-docs-1:24.18.0-1.el10_2.noarch",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "undici: undici: Man-in-the-Middle attack via ignored TLS options with SOCKS5 proxy"
},
{
"cve": "CVE-2026-11525",
"cwe": {
"id": "CWE-1286",
"name": "Improper Validation of Syntactic Correctness of Input"
},
"discovery_date": "2026-06-17T19:02:29.292011+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2490008"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in undici. When undici processes Set-Cookie headers, it incorrectly interprets the SameSite attribute, accepting partial matches instead of exact ones. This allows a malicious server to downgrade a cookie\u0027s SameSite policy to a less secure setting, potentially leading to unintended information disclosure or a weakening of security protections for the user.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "undici: undici: Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Low impact flaw in undici, as used in various Red Hat products, arises from incorrect parsing of the `SameSite` cookie attribute. A malicious server could exploit this by sending a specially crafted `Set-Cookie` header, causing the `SameSite` policy to be downgraded to a less secure setting. This could lead to a minor weakening of security protections or unintended information disclosure in applications that process and rely on these cookie attributes.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.src",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-docs-1:24.18.0-1.el10_2.noarch",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-11525"
},
{
"category": "external",
"summary": "RHBZ#2490008",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2490008"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-11525",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-11525"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-11525",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11525"
},
{
"category": "external",
"summary": "https://cna.openjsf.org/security-advisories.html",
"url": "https://cna.openjsf.org/security-advisories.html"
},
{
"category": "external",
"summary": "https://github.com/nodejs/undici/security/advisories/GHSA-g8m3-5g58-fq7m",
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-g8m3-5g58-fq7m"
}
],
"release_date": "2026-06-17T17:31:03.163000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-06T04:52:46+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.src",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-docs-1:24.18.0-1.el10_2.noarch",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:35841"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.src",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-docs-1:24.18.0-1.el10_2.noarch",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.src",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-docs-1:24.18.0-1.el10_2.noarch",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "undici: undici: Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header"
},
{
"cve": "CVE-2026-12151",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-06-17T17:01:45.297604+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2489980"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in undici. A malicious WebSocket server can exploit this by streaming numerous small or empty continuation frames. This can bypass per-frame and cumulative-size validation, leading to unbounded memory growth in the client process. The primary consequence is memory exhaustion, resulting in a denial of service (DoS) for affected applications using the undici WebSocket client or WebSocketStream API.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "undici: undici: Denial of Service due to unbounded memory growth via WebSocket frames",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Important denial of service flaw in the `undici` WebSocket client allows a remote attacker to cause unbounded memory growth. By sending numerous small or empty WebSocket frames, an unauthenticated attacker can exhaust system memory, leading to a denial of service in Red Hat products that use the affected client.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.src",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-docs-1:24.18.0-1.el10_2.noarch",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-12151"
},
{
"category": "external",
"summary": "RHBZ#2489980",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2489980"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-12151",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-12151"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-12151",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12151"
},
{
"category": "external",
"summary": "https://cna.openjsf.org/security-advisories.html",
"url": "https://cna.openjsf.org/security-advisories.html"
},
{
"category": "external",
"summary": "https://github.com/nodejs/undici/security/advisories/GHSA-vxpw-j846-p89q",
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-vxpw-j846-p89q"
}
],
"release_date": "2026-06-17T16:05:38.785000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-06T04:52:46+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.src",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-docs-1:24.18.0-1.el10_2.noarch",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:35841"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.src",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-docs-1:24.18.0-1.el10_2.noarch",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.src",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-docs-1:24.18.0-1.el10_2.noarch",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "undici: undici: Denial of Service due to unbounded memory growth via WebSocket frames"
},
{
"cve": "CVE-2026-42338",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2026-05-12T21:01:14.436876+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2476810"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in ip-address, a JavaScript library for parsing and manipulating IPv4 and IPv6 addresses. This vulnerability allows a remote attacker to perform cross-site scripting (XSS) by providing untrusted input to the Address6 constructor. When an application renders the output of Address6.group(), Address6.link(), or the AddressError.parseMessage as HTML without proper escaping, the attacker-controlled content can be executed in the user\u0027s browser.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "ip-address: ip-address: Cross-site scripting via improper HTML escaping of untrusted input",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability in the `ip-address` JavaScript library is rated as Important. It allows for cross-site scripting (XSS) when an application processes untrusted input through the `Address6` constructor and subsequently renders the unescaped output of methods like `Address6.group()`, `Address6.link()`, or `AddressError.parseMessage` directly as HTML. While the library itself is affected, exploitation is contingent on specific application-level rendering practices that may not be common in Red Hat products.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.src",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-docs-1:24.18.0-1.el10_2.noarch",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-42338"
},
{
"category": "external",
"summary": "RHBZ#2476810",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2476810"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-42338",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42338"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42338",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42338"
},
{
"category": "external",
"summary": "https://github.com/beaugunderson/ip-address/security/advisories/GHSA-v2v4-37r5-5v8g",
"url": "https://github.com/beaugunderson/ip-address/security/advisories/GHSA-v2v4-37r5-5v8g"
}
],
"release_date": "2026-05-12T19:43:16.470000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-06T04:52:46+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.src",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-docs-1:24.18.0-1.el10_2.noarch",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:35841"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.src",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-docs-1:24.18.0-1.el10_2.noarch",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.src",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-docs-1:24.18.0-1.el10_2.noarch",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "ip-address: ip-address: Cross-site scripting via improper HTML escaping of untrusted input"
},
{
"cve": "CVE-2026-48615",
"cwe": {
"id": "CWE-209",
"name": "Generation of Error Message Containing Sensitive Information"
},
"discovery_date": "2026-06-26T02:01:59.112093+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2493335"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Node.js. When proxy credentials are embedded in a proxy URL, an issue in the proxy tunnel error handling can lead to the exposure of these credentials. This information disclosure vulnerability allows an attacker to potentially capture sensitive proxy credentials through logs, diagnostics, or other error-consuming mechanisms.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Node.js: Information disclosure of proxy credentials via proxy tunnel error handling",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.src",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-docs-1:24.18.0-1.el10_2.noarch",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-48615"
},
{
"category": "external",
"summary": "RHBZ#2493335",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2493335"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-48615",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48615"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-48615",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48615"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases"
}
],
"release_date": "2026-06-26T01:14:36.524000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-06T04:52:46+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.src",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-docs-1:24.18.0-1.el10_2.noarch",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:35841"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.src",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-docs-1:24.18.0-1.el10_2.noarch",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.src",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-docs-1:24.18.0-1.el10_2.noarch",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Node.js: Information disclosure of proxy credentials via proxy tunnel error handling"
},
{
"cve": "CVE-2026-48618",
"cwe": {
"id": "CWE-289",
"name": "Authentication Bypass by Alternate Name"
},
"discovery_date": "2026-06-26T02:02:10.741725+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2493337"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Node.js. This flaw involves a mismatch in how Node.js handles TLS (Transport Layer Security) hostnames and unicode dot separators during authentication. This mismatch can lead to a wildcard-depth authentication bypass. An attacker could exploit this to bypass intended security boundaries, potentially leading to unauthorized access and confidentiality impact.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Node.js: Authentication bypass due to TLS hostname handling and unicode dot separator mismatch",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Important flaw in Node.js allows for a TLS wildcard-depth authentication bypass due to a mismatch in how hostnames and unicode dot separators are handled during authentication. This could enable an attacker to circumvent security boundaries, potentially leading to unauthorized access and compromise of sensitive information in applications utilizing Node.js for TLS connections. The issue affects Node.js versions 22, 24, and 26 as shipped in Red Hat products.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.src",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-docs-1:24.18.0-1.el10_2.noarch",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-48618"
},
{
"category": "external",
"summary": "RHBZ#2493337",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2493337"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-48618",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48618"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-48618",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48618"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases"
}
],
"release_date": "2026-06-26T01:14:36.868000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-06T04:52:46+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.src",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-docs-1:24.18.0-1.el10_2.noarch",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:35841"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.src",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-docs-1:24.18.0-1.el10_2.noarch",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.src",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-docs-1:24.18.0-1.el10_2.noarch",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "nodejs: Node.js: Authentication bypass due to TLS hostname handling and unicode dot separator mismatch"
},
{
"cve": "CVE-2026-48619",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-06-26T02:01:06.466413+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2493325"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Node.js. A malicious server can exploit the HTTP/2 client by sending an unlimited number of ORIGIN frames. This can lead to an Out of Memory error on the client, resulting in a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Node.js: Denial of Service via unlimited HTTP/2 ORIGIN frames",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Moderate flaw in the Node.js HTTP/2 client can lead to a denial of service. A malicious server could exploit this by sending an excessive number of ORIGIN frames, causing the client to consume all available memory. This affects Red Hat products utilizing Node.js as an HTTP/2 client.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.src",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-docs-1:24.18.0-1.el10_2.noarch",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-48619"
},
{
"category": "external",
"summary": "RHBZ#2493325",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2493325"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-48619",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48619"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-48619",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48619"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases"
}
],
"release_date": "2026-06-26T01:14:36.541000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-06T04:52:46+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.src",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-docs-1:24.18.0-1.el10_2.noarch",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:35841"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.src",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-docs-1:24.18.0-1.el10_2.noarch",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
},
"products": [
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.src",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-docs-1:24.18.0-1.el10_2.noarch",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Node.js: Denial of Service via unlimited HTTP/2 ORIGIN frames"
},
{
"cve": "CVE-2026-48928",
"cwe": {
"id": "CWE-289",
"name": "Authentication Bypass by Alternate Name"
},
"discovery_date": "2026-06-26T02:01:48.441706+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2493333"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Node.js. An inconsistency in how Node.js matches hostnames can be exploited by a remote attacker in multi-context mTLS (mutual Transport Layer Security) setups. This vulnerability allows for a trust-policy bypass, potentially leading to unauthorized access to sensitive information or integrity compromise within the affected system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Node.js: Node.js: Trust-policy bypass due to hostname matching inconsistency",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.src",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-docs-1:24.18.0-1.el10_2.noarch",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-48928"
},
{
"category": "external",
"summary": "RHBZ#2493333",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2493333"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-48928",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48928"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-48928",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48928"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases"
}
],
"release_date": "2026-06-26T01:14:36.981000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-06T04:52:46+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.src",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-docs-1:24.18.0-1.el10_2.noarch",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:35841"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.src",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-docs-1:24.18.0-1.el10_2.noarch",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.src",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-docs-1:24.18.0-1.el10_2.noarch",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "Node.js: Node.js: Trust-policy bypass due to hostname matching inconsistency"
},
{
"cve": "CVE-2026-48930",
"cwe": {
"id": "CWE-170",
"name": "Improper Null Termination"
},
"discovery_date": "2026-06-26T02:01:11.476251+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2493326"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Node.js. This vulnerability in the TLS (Transport Layer Security) hostname handling allows embedded null characters in hostnames. This can lead to silent authority rebinding, potentially enabling an attacker to redirect network traffic to an unintended server and disclose sensitive information.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Node.js: Silent authority rebinding due to embedded-nul hostnames in TLS handling",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.src",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-docs-1:24.18.0-1.el10_2.noarch",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-48930"
},
{
"category": "external",
"summary": "RHBZ#2493326",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2493326"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-48930",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48930"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-48930",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48930"
},
{
"category": "external",
"summary": "https://github.com/nodejs/node/commit/7dafafa2424710ded8b77eb7c878e884c1aef64e",
"url": "https://github.com/nodejs/node/commit/7dafafa2424710ded8b77eb7c878e884c1aef64e"
},
{
"category": "external",
"summary": "https://hackerone.com/reports/3656716",
"url": "https://hackerone.com/reports/3656716"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases"
}
],
"release_date": "2026-06-26T01:14:37.006000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-06T04:52:46+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.src",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-docs-1:24.18.0-1.el10_2.noarch",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:35841"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.src",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-docs-1:24.18.0-1.el10_2.noarch",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.src",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-docs-1:24.18.0-1.el10_2.noarch",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Node.js: Silent authority rebinding due to embedded-nul hostnames in TLS handling"
},
{
"cve": "CVE-2026-48933",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-06-26T02:01:39.107538+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2493331"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Node.js WebCrypto implementation. A remote attacker could exploit this vulnerability by providing an input to the `subtle.encrypt()` function that is a multiple of 2 gigabytes (GiB). This could lead to a denial of service (DoS) by crashing the Node.js process.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Node.js WebCrypto: Denial of Service via large input to subtle.encrypt()",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an Important denial of service vulnerability in Node.js WebCrypto, as a remote attacker can crash the Node.js process by providing a specially crafted large input to the `subtle.encrypt()` function. This could lead to service unavailability in Red Hat environments where Node.js applications process untrusted data with WebCrypto.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.src",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-docs-1:24.18.0-1.el10_2.noarch",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-48933"
},
{
"category": "external",
"summary": "RHBZ#2493331",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2493331"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-48933",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48933"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-48933",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48933"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases"
}
],
"release_date": "2026-06-26T01:14:36.823000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-06T04:52:46+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.src",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-docs-1:24.18.0-1.el10_2.noarch",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:35841"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.src",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-docs-1:24.18.0-1.el10_2.noarch",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.src",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-docs-1:24.18.0-1.el10_2.noarch",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "nodejs: Node.js WebCrypto: Denial of Service via large input to subtle.encrypt()"
},
{
"cve": "CVE-2026-48934",
"cwe": {
"id": "CWE-295",
"name": "Improper Certificate Validation"
},
"discovery_date": "2026-06-26T02:01:43.284771+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2493332"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Node.js. An attacker can exploit a vulnerability in the Transport Layer Security (TLS) host verification process to bypass certification validation. This bypass could allow an attacker to intercept or alter communications, potentially leading to information disclosure or integrity compromise.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Node.js: Certification validation bypass in TLS host verification",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.src",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-docs-1:24.18.0-1.el10_2.noarch",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-48934"
},
{
"category": "external",
"summary": "RHBZ#2493332",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2493332"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-48934",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48934"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-48934",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48934"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases"
}
],
"release_date": "2026-06-26T01:14:36.894000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-06T04:52:46+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.src",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-docs-1:24.18.0-1.el10_2.noarch",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:35841"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.src",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-docs-1:24.18.0-1.el10_2.noarch",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
},
"products": [
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.src",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-docs-1:24.18.0-1.el10_2.noarch",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs: Node.js: Certification validation bypass in TLS host verification"
},
{
"cve": "CVE-2026-48935",
"cwe": {
"id": "CWE-279",
"name": "Incorrect Execution-Assigned Permissions"
},
"discovery_date": "2026-06-26T02:01:29.191932+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2493329"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Node.js. The Permission API allows a local user to modify file metadata on paths that have been explicitly set as read-only. This can lead to unauthorized changes in file properties, impacting the integrity of the file system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: Node.js: Unauthorized file metadata modification",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.src",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-docs-1:24.18.0-1.el10_2.noarch",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-48935"
},
{
"category": "external",
"summary": "RHBZ#2493329",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2493329"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-48935",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48935"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-48935",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48935"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases",
"url": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases"
}
],
"release_date": "2026-06-26T01:14:36.641000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-06T04:52:46+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.src",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-docs-1:24.18.0-1.el10_2.noarch",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:35841"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.src",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-docs-1:24.18.0-1.el10_2.noarch",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.src",
"AppStream-10.2.Z:nodejs24-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-debugsource-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-devel-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-docs-1:24.18.0-1.el10_2.noarch",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-full-i18n-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.aarch64",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.ppc64le",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.s390x",
"AppStream-10.2.Z:nodejs24-libs-debuginfo-1:24.18.0-1.el10_2.x86_64",
"AppStream-10.2.Z:nodejs24-npm-1:11.16.0-1.24.18.0.1.el10_2.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "nodejs: Node.js: Unauthorized file metadata modification"
}
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.