RHSA-2026:38009
Vulnerability from csaf_redhat - Published: 2026-07-10 17:41 - Updated: 2026-07-14 12:38A flaw was found in the morgan HTTP request logging middleware. The :remote-user token writes the Basic auth username to access logs without neutralizing CR/LF control characters. An unauthenticated remote attacker can inject forged log lines via a crafted Authorization header, breaking one-request-per-line log structure and enabling log forgery against downstream consumers.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@src | — |
Vendor Fix
fix
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@x86_64 | — |
Vendor Fix
fix
|
A flaw was found in undici. An attacker-controlled upstream server can exploit a vulnerability in Undici's HTTP/1.1 client, specifically related to response queue poisoning on reused keep-alive sockets. This allows the attacker to inject an unsolicited HTTP/1.1 response onto an idle socket. Consequently, when the client dispatches a new request on that socket, it may associate the injected response with the new request, leading to responses being delivered to unintended recipients or requests. This could result in a low impact on data integrity.
CWE-940 - Improper Verification of Source of a Communication Channel| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in undici. The cookie parser in the `parseSetCookie` function incorrectly decodes cookie values, which is contrary to standard specifications. This vulnerability allows an attacker-controlled upstream to inject arbitrary HTTP response headers, such as `Set-Cookie`, `Location`, or `Cache-Control`. The primary consequence is HTTP response header injection, which can lead to session fixation, open redirect, or cache poisoning.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in undici. When undici processes Set-Cookie headers, it incorrectly interprets the SameSite attribute, accepting partial matches instead of exact ones. This allows a malicious server to downgrade a cookie's SameSite policy to a less secure setting, potentially leading to unintended information disclosure or a weakening of security protections for the user.
CWE-1286 - Improper Validation of Syntactic Correctness of Input| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in undici. A malicious WebSocket server can exploit this by streaming numerous small or empty continuation frames. This can bypass per-frame and cumulative-size validation, leading to unbounded memory growth in the client process. The primary consequence is memory exhaustion, resulting in a denial of service (DoS) for affected applications using the undici WebSocket client or WebSocketStream API.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:nodejs26-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for Red Hat Hardened Images RPMs is now available.",
"title": "Topic"
},
{
"category": "general",
"text": "This update includes the following RPMs:\n\nnodejs26:\n * nodejs26-26.5.0-1.3.hum1 (aarch64, x86_64)\n * nodejs26-bin-26.5.0-1.3.hum1 (noarch)\n * nodejs26-devel-26.5.0-1.3.hum1 (aarch64, x86_64)\n * nodejs26-docs-26.5.0-1.3.hum1 (noarch)\n * nodejs26-full-i18n-26.5.0-1.3.hum1 (aarch64, x86_64)\n * nodejs26-libs-26.5.0-1.3.hum1 (aarch64, x86_64)\n * nodejs26-npm-11.17.0-1.26.5.0.1.3.hum1 (noarch)\n * nodejs26-npm-bin-26.5.0-1.3.hum1 (noarch)\n * v8-14.6-devel-14.6.202.34-1.26.5.0.1.3.hum1 (aarch64, x86_64)\n * nodejs26-26.5.0-1.3.hum1.src (src)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:38009",
"url": "https://access.redhat.com/errata/RHSA-2026:38009"
},
{
"category": "external",
"summary": "https://images.redhat.com/",
"url": "https://images.redhat.com/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-11525",
"url": "https://access.redhat.com/security/cve/CVE-2026-11525"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-9679",
"url": "https://access.redhat.com/security/cve/CVE-2026-9679"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-6733",
"url": "https://access.redhat.com/security/cve/CVE-2026-6733"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-12151",
"url": "https://access.redhat.com/security/cve/CVE-2026-12151"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-5078",
"url": "https://access.redhat.com/security/cve/CVE-2026-5078"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_38009.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update",
"tracking": {
"current_release_date": "2026-07-14T12:38:40+00:00",
"generator": {
"date": "2026-07-14T12:38:40+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.2"
}
},
"id": "RHSA-2026:38009",
"initial_release_date": "2026-07-10T17:41:23+00:00",
"revision_history": [
{
"date": "2026-07-10T17:41:23+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-07-12T19:21:09+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-07-14T12:38:40+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Hardened Images",
"product": {
"name": "Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:hummingbird:1"
}
}
}
],
"category": "product_family",
"name": "Red Hat Hardened Images"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs26-main@aarch64",
"product": {
"name": "nodejs26-main@aarch64",
"product_id": "nodejs26-main@aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs26@26.5.0-1.3.hum1?arch=aarch64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-aarch64-rpms"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs26-main@src",
"product": {
"name": "nodejs26-main@src",
"product_id": "nodejs26-main@src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs26@26.5.0-1.3.hum1?arch=src\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-source-rpms"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs26-main@x86_64",
"product": {
"name": "nodejs26-main@x86_64",
"product_id": "nodejs26-main@x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs26@26.5.0-1.3.hum1?arch=x86_64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs26-main@noarch",
"product": {
"name": "nodejs26-main@noarch",
"product_id": "nodejs26-main@noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs26-bin@26.5.0-1.3.hum1?arch=noarch\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs26-main@aarch64 as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:nodejs26-main@aarch64"
},
"product_reference": "nodejs26-main@aarch64",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs26-main@noarch as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:nodejs26-main@noarch"
},
"product_reference": "nodejs26-main@noarch",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs26-main@src as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:nodejs26-main@src"
},
"product_reference": "nodejs26-main@src",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs26-main@x86_64 as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:nodejs26-main@x86_64"
},
"product_reference": "nodejs26-main@x86_64",
"relates_to_product_reference": "Red Hat Hardened Images"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-5078",
"cwe": {
"id": "CWE-93",
"name": "Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)"
},
"discovery_date": "2026-06-03T08:00:55.116886+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2484311"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the morgan HTTP request logging middleware. The :remote-user token writes the Basic auth username to access logs without neutralizing CR/LF control characters. An unauthenticated remote attacker can inject forged log lines via a crafted Authorization header, breaking one-request-per-line log structure and enabling log forgery against downstream consumers.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "morgan: morgan: Log forgery due to unneutralized control characters",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The morgan npm logging middleware is vulnerable to log forgery via unneutralized control characters in the :remote-user token extracted from Basic Authorization headers. A remote unauthenticated attacker can send crafted requests to inject forged log lines, impacting log integrity. Built-in combined, common, default, and short formats are affected; fixed in morgan 1.11.0. Affects ODF mcg-core, RHDH, hummingbird nodejs, cryostat, AAP portal, and other npm morgan consumers.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-5078"
},
{
"category": "external",
"summary": "RHBZ#2484311",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2484311"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-5078",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-5078"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-5078",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5078"
},
{
"category": "external",
"summary": "https://cna.openjsf.org/security-advisories.html",
"url": "https://cna.openjsf.org/security-advisories.html"
},
{
"category": "external",
"summary": "https://github.com/expressjs/morgan/security/advisories/GHSA-4vj7-5mj6-jm8m",
"url": "https://github.com/expressjs/morgan/security/advisories/GHSA-4vj7-5mj6-jm8m"
}
],
"release_date": "2026-06-03T05:56:49.512000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-10T17:41:23+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:38009"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "morgan: morgan: Log forgery due to unneutralized control characters"
},
{
"cve": "CVE-2026-6733",
"cwe": {
"id": "CWE-940",
"name": "Improper Verification of Source of a Communication Channel"
},
"discovery_date": "2026-06-17T19:02:16.713859+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2490006"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in undici. An attacker-controlled upstream server can exploit a vulnerability in Undici\u0027s HTTP/1.1 client, specifically related to response queue poisoning on reused keep-alive sockets. This allows the attacker to inject an unsolicited HTTP/1.1 response onto an idle socket. Consequently, when the client dispatches a new request on that socket, it may associate the injected response with the new request, leading to responses being delivered to unintended recipients or requests. This could result in a low impact on data integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "undici: Undici: Response queue poisoning on reused keep-alive sockets can lead to incorrect response delivery.",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Low: A flaw in Undici\u0027s HTTP/1.1 client, as used in various Red Hat products, allows an attacker-controlled upstream server to inject unsolicited responses onto reused keep-alive sockets. This can lead to incorrect response delivery, potentially impacting data integrity, but requires a compromised server and active keep-alive connections.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-6733"
},
{
"category": "external",
"summary": "RHBZ#2490006",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2490006"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-6733",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-6733"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-6733",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6733"
},
{
"category": "external",
"summary": "https://cna.openjsf.org/security-advisories.html",
"url": "https://cna.openjsf.org/security-advisories.html"
},
{
"category": "external",
"summary": "https://github.com/nodejs/undici/security/advisories/GHSA-35p6-xmwp-9g52",
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-35p6-xmwp-9g52"
},
{
"category": "external",
"summary": "https://hackerone.com/reports/3582376",
"url": "https://hackerone.com/reports/3582376"
}
],
"release_date": "2026-06-17T17:14:50.991000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-10T17:41:23+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:38009"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "undici: Undici: Response queue poisoning on reused keep-alive sockets can lead to incorrect response delivery."
},
{
"cve": "CVE-2026-9679",
"cwe": {
"id": "CWE-93",
"name": "Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)"
},
"discovery_date": "2026-06-17T19:03:52.323822+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2490022"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in undici. The cookie parser in the `parseSetCookie` function incorrectly decodes cookie values, which is contrary to standard specifications. This vulnerability allows an attacker-controlled upstream to inject arbitrary HTTP response headers, such as `Set-Cookie`, `Location`, or `Cache-Control`. The primary consequence is HTTP response header injection, which can lead to session fixation, open redirect, or cache poisoning.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "undici: undici vulnerable to HTTP header injection via Set-Cookie percent-decoding",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Moderate: A flaw in the `undici` library\u0027s cookie parser can lead to HTTP response header injection. This occurs when applications, such as proxies or middleware, incorrectly forward percent-decoded cookie values from upstream into downstream response headers. Successful exploitation could result in session fixation, open redirects, or cache poisoning.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9679"
},
{
"category": "external",
"summary": "RHBZ#2490022",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2490022"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9679",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9679"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9679",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9679"
},
{
"category": "external",
"summary": "https://cna.openjsf.org/security-advisories.html",
"url": "https://cna.openjsf.org/security-advisories.html"
},
{
"category": "external",
"summary": "https://github.com/nodejs/undici/security/advisories/GHSA-p88m-4jfj-68fv",
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-p88m-4jfj-68fv"
}
],
"release_date": "2026-06-17T16:56:18.579000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-10T17:41:23+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:38009"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "undici: undici vulnerable to HTTP header injection via Set-Cookie percent-decoding"
},
{
"cve": "CVE-2026-11525",
"cwe": {
"id": "CWE-1286",
"name": "Improper Validation of Syntactic Correctness of Input"
},
"discovery_date": "2026-06-17T19:02:29.292011+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2490008"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in undici. When undici processes Set-Cookie headers, it incorrectly interprets the SameSite attribute, accepting partial matches instead of exact ones. This allows a malicious server to downgrade a cookie\u0027s SameSite policy to a less secure setting, potentially leading to unintended information disclosure or a weakening of security protections for the user.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "undici: undici: Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Low impact flaw in undici, as used in various Red Hat products, arises from incorrect parsing of the `SameSite` cookie attribute. A malicious server could exploit this by sending a specially crafted `Set-Cookie` header, causing the `SameSite` policy to be downgraded to a less secure setting. This could lead to a minor weakening of security protections or unintended information disclosure in applications that process and rely on these cookie attributes.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-11525"
},
{
"category": "external",
"summary": "RHBZ#2490008",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2490008"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-11525",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-11525"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-11525",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11525"
},
{
"category": "external",
"summary": "https://cna.openjsf.org/security-advisories.html",
"url": "https://cna.openjsf.org/security-advisories.html"
},
{
"category": "external",
"summary": "https://github.com/nodejs/undici/security/advisories/GHSA-g8m3-5g58-fq7m",
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-g8m3-5g58-fq7m"
}
],
"release_date": "2026-06-17T17:31:03.163000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-10T17:41:23+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:38009"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "undici: undici: Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header"
},
{
"cve": "CVE-2026-12151",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-06-17T17:01:45.297604+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2489980"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in undici. A malicious WebSocket server can exploit this by streaming numerous small or empty continuation frames. This can bypass per-frame and cumulative-size validation, leading to unbounded memory growth in the client process. The primary consequence is memory exhaustion, resulting in a denial of service (DoS) for affected applications using the undici WebSocket client or WebSocketStream API.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "undici: undici: Denial of Service due to unbounded memory growth via WebSocket frames",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Important denial of service flaw in the `undici` WebSocket client allows a remote attacker to cause unbounded memory growth. By sending numerous small or empty WebSocket frames, an unauthenticated attacker can exhaust system memory, leading to a denial of service in Red Hat products that use the affected client.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-12151"
},
{
"category": "external",
"summary": "RHBZ#2489980",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2489980"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-12151",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-12151"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-12151",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12151"
},
{
"category": "external",
"summary": "https://cna.openjsf.org/security-advisories.html",
"url": "https://cna.openjsf.org/security-advisories.html"
},
{
"category": "external",
"summary": "https://github.com/nodejs/undici/security/advisories/GHSA-vxpw-j846-p89q",
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-vxpw-j846-p89q"
}
],
"release_date": "2026-06-17T16:05:38.785000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-10T17:41:23+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:38009"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:nodejs26-main@aarch64",
"Red Hat Hardened Images:nodejs26-main@noarch",
"Red Hat Hardened Images:nodejs26-main@src",
"Red Hat Hardened Images:nodejs26-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "undici: undici: Denial of Service due to unbounded memory growth via WebSocket frames"
}
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.