RHSA-2026:38009

Vulnerability from csaf_redhat - Published: 2026-07-10 17:41 - Updated: 2026-07-14 12:38
Summary
Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update
Severity
Important
Notes
Topic: An update for Red Hat Hardened Images RPMs is now available.
Details: This update includes the following RPMs: nodejs26: * nodejs26-26.5.0-1.3.hum1 (aarch64, x86_64) * nodejs26-bin-26.5.0-1.3.hum1 (noarch) * nodejs26-devel-26.5.0-1.3.hum1 (aarch64, x86_64) * nodejs26-docs-26.5.0-1.3.hum1 (noarch) * nodejs26-full-i18n-26.5.0-1.3.hum1 (aarch64, x86_64) * nodejs26-libs-26.5.0-1.3.hum1 (aarch64, x86_64) * nodejs26-npm-11.17.0-1.26.5.0.1.3.hum1 (noarch) * nodejs26-npm-bin-26.5.0-1.3.hum1 (noarch) * v8-14.6-devel-14.6.202.34-1.26.5.0.1.3.hum1 (aarch64, x86_64) * nodejs26-26.5.0-1.3.hum1.src (src)
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

A flaw was found in the morgan HTTP request logging middleware. The :remote-user token writes the Basic auth username to access logs without neutralizing CR/LF control characters. An unauthenticated remote attacker can inject forged log lines via a crafted Authorization header, breaking one-request-per-line log structure and enabling log forgery against downstream consumers.

CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
Affected products
Product Identifier Version Remediation
Unresolved product id: Red Hat Hardened Images:nodejs26-main@aarch64
Vendor Fix fix
Unresolved product id: Red Hat Hardened Images:nodejs26-main@noarch
Vendor Fix fix
Unresolved product id: Red Hat Hardened Images:nodejs26-main@src
Vendor Fix fix
Unresolved product id: Red Hat Hardened Images:nodejs26-main@x86_64
Vendor Fix fix
Threats
Impact Moderate

A flaw was found in undici. An attacker-controlled upstream server can exploit a vulnerability in Undici's HTTP/1.1 client, specifically related to response queue poisoning on reused keep-alive sockets. This allows the attacker to inject an unsolicited HTTP/1.1 response onto an idle socket. Consequently, when the client dispatches a new request on that socket, it may associate the injected response with the new request, leading to responses being delivered to unintended recipients or requests. This could result in a low impact on data integrity.

CWE-940 - Improper Verification of Source of a Communication Channel
Affected products
Product Identifier Version Remediation
Unresolved product id: Red Hat Hardened Images:nodejs26-main@aarch64
Vendor Fix fix
Workaround
Unresolved product id: Red Hat Hardened Images:nodejs26-main@noarch
Vendor Fix fix
Workaround
Unresolved product id: Red Hat Hardened Images:nodejs26-main@src
Vendor Fix fix
Workaround
Unresolved product id: Red Hat Hardened Images:nodejs26-main@x86_64
Vendor Fix fix
Workaround
Threats
Impact Low

A flaw was found in undici. The cookie parser in the `parseSetCookie` function incorrectly decodes cookie values, which is contrary to standard specifications. This vulnerability allows an attacker-controlled upstream to inject arbitrary HTTP response headers, such as `Set-Cookie`, `Location`, or `Cache-Control`. The primary consequence is HTTP response header injection, which can lead to session fixation, open redirect, or cache poisoning.

CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
Affected products
Product Identifier Version Remediation
Unresolved product id: Red Hat Hardened Images:nodejs26-main@aarch64
Vendor Fix fix
Workaround
Unresolved product id: Red Hat Hardened Images:nodejs26-main@noarch
Vendor Fix fix
Workaround
Unresolved product id: Red Hat Hardened Images:nodejs26-main@src
Vendor Fix fix
Workaround
Unresolved product id: Red Hat Hardened Images:nodejs26-main@x86_64
Vendor Fix fix
Workaround
Threats
Impact Moderate

A flaw was found in undici. When undici processes Set-Cookie headers, it incorrectly interprets the SameSite attribute, accepting partial matches instead of exact ones. This allows a malicious server to downgrade a cookie's SameSite policy to a less secure setting, potentially leading to unintended information disclosure or a weakening of security protections for the user.

CWE-1286 - Improper Validation of Syntactic Correctness of Input
Affected products
Product Identifier Version Remediation
Unresolved product id: Red Hat Hardened Images:nodejs26-main@aarch64
Vendor Fix fix
Workaround
Unresolved product id: Red Hat Hardened Images:nodejs26-main@noarch
Vendor Fix fix
Workaround
Unresolved product id: Red Hat Hardened Images:nodejs26-main@src
Vendor Fix fix
Workaround
Unresolved product id: Red Hat Hardened Images:nodejs26-main@x86_64
Vendor Fix fix
Workaround
Threats
Impact Low

A flaw was found in undici. A malicious WebSocket server can exploit this by streaming numerous small or empty continuation frames. This can bypass per-frame and cumulative-size validation, leading to unbounded memory growth in the client process. The primary consequence is memory exhaustion, resulting in a denial of service (DoS) for affected applications using the undici WebSocket client or WebSocketStream API.

CWE-770 - Allocation of Resources Without Limits or Throttling
Affected products
Product Identifier Version Remediation
Unresolved product id: Red Hat Hardened Images:nodejs26-main@aarch64
Vendor Fix fix
Workaround
Unresolved product id: Red Hat Hardened Images:nodejs26-main@noarch
Vendor Fix fix
Workaround
Unresolved product id: Red Hat Hardened Images:nodejs26-main@src
Vendor Fix fix
Workaround
Unresolved product id: Red Hat Hardened Images:nodejs26-main@x86_64
Vendor Fix fix
Workaround
Threats
Impact Important
References
URL Category
https://access.redhat.com/errata/RHSA-2026:38009 self
https://images.redhat.com/ external
https://access.redhat.com/security/cve/CVE-2026-11525 external
https://access.redhat.com/security/updates/classi… external
https://access.redhat.com/security/cve/CVE-2026-9679 external
https://access.redhat.com/security/cve/CVE-2026-6733 external
https://access.redhat.com/security/cve/CVE-2026-12151 external
https://access.redhat.com/security/cve/CVE-2026-5078 external
https://security.access.redhat.com/data/csaf/v2/a… self
https://access.redhat.com/security/cve/CVE-2026-5078 self
https://bugzilla.redhat.com/show_bug.cgi?id=2484311 external
https://www.cve.org/CVERecord?id=CVE-2026-5078 external
https://nvd.nist.gov/vuln/detail/CVE-2026-5078 external
https://cna.openjsf.org/security-advisories.html external
https://github.com/expressjs/morgan/security/advi… external
https://access.redhat.com/security/cve/CVE-2026-6733 self
https://bugzilla.redhat.com/show_bug.cgi?id=2490006 external
https://www.cve.org/CVERecord?id=CVE-2026-6733 external
https://nvd.nist.gov/vuln/detail/CVE-2026-6733 external
https://github.com/nodejs/undici/security/advisor… external
https://hackerone.com/reports/3582376 external
https://access.redhat.com/security/cve/CVE-2026-9679 self
https://bugzilla.redhat.com/show_bug.cgi?id=2490022 external
https://www.cve.org/CVERecord?id=CVE-2026-9679 external
https://nvd.nist.gov/vuln/detail/CVE-2026-9679 external
https://github.com/nodejs/undici/security/advisor… external
https://access.redhat.com/security/cve/CVE-2026-11525 self
https://bugzilla.redhat.com/show_bug.cgi?id=2490008 external
https://www.cve.org/CVERecord?id=CVE-2026-11525 external
https://nvd.nist.gov/vuln/detail/CVE-2026-11525 external
https://github.com/nodejs/undici/security/advisor… external
https://access.redhat.com/security/cve/CVE-2026-12151 self
https://bugzilla.redhat.com/show_bug.cgi?id=2489980 external
https://www.cve.org/CVERecord?id=CVE-2026-12151 external
https://nvd.nist.gov/vuln/detail/CVE-2026-12151 external
https://github.com/nodejs/undici/security/advisor… external

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update for Red Hat Hardened Images RPMs is now available.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "This update includes the following RPMs:\n\nnodejs26:\n  * nodejs26-26.5.0-1.3.hum1 (aarch64, x86_64)\n  * nodejs26-bin-26.5.0-1.3.hum1 (noarch)\n  * nodejs26-devel-26.5.0-1.3.hum1 (aarch64, x86_64)\n  * nodejs26-docs-26.5.0-1.3.hum1 (noarch)\n  * nodejs26-full-i18n-26.5.0-1.3.hum1 (aarch64, x86_64)\n  * nodejs26-libs-26.5.0-1.3.hum1 (aarch64, x86_64)\n  * nodejs26-npm-11.17.0-1.26.5.0.1.3.hum1 (noarch)\n  * nodejs26-npm-bin-26.5.0-1.3.hum1 (noarch)\n  * v8-14.6-devel-14.6.202.34-1.26.5.0.1.3.hum1 (aarch64, x86_64)\n  * nodejs26-26.5.0-1.3.hum1.src (src)",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2026:38009",
        "url": "https://access.redhat.com/errata/RHSA-2026:38009"
      },
      {
        "category": "external",
        "summary": "https://images.redhat.com/",
        "url": "https://images.redhat.com/"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-11525",
        "url": "https://access.redhat.com/security/cve/CVE-2026-11525"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/",
        "url": "https://access.redhat.com/security/updates/classification/"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-9679",
        "url": "https://access.redhat.com/security/cve/CVE-2026-9679"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-6733",
        "url": "https://access.redhat.com/security/cve/CVE-2026-6733"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-12151",
        "url": "https://access.redhat.com/security/cve/CVE-2026-12151"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-5078",
        "url": "https://access.redhat.com/security/cve/CVE-2026-5078"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_38009.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update",
    "tracking": {
      "current_release_date": "2026-07-14T12:38:40+00:00",
      "generator": {
        "date": "2026-07-14T12:38:40+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "5.3.2"
        }
      },
      "id": "RHSA-2026:38009",
      "initial_release_date": "2026-07-10T17:41:23+00:00",
      "revision_history": [
        {
          "date": "2026-07-10T17:41:23+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-07-12T19:21:09+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-07-14T12:38:40+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Hardened Images",
                "product": {
                  "name": "Red Hat Hardened Images",
                  "product_id": "Red Hat Hardened Images",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:hummingbird:1"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Hardened Images"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "nodejs26-main@aarch64",
                "product": {
                  "name": "nodejs26-main@aarch64",
                  "product_id": "nodejs26-main@aarch64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/nodejs26@26.5.0-1.3.hum1?arch=aarch64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-aarch64-rpms"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "nodejs26-main@src",
                "product": {
                  "name": "nodejs26-main@src",
                  "product_id": "nodejs26-main@src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/nodejs26@26.5.0-1.3.hum1?arch=src\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-source-rpms"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "nodejs26-main@x86_64",
                "product": {
                  "name": "nodejs26-main@x86_64",
                  "product_id": "nodejs26-main@x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/nodejs26@26.5.0-1.3.hum1?arch=x86_64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "nodejs26-main@noarch",
                "product": {
                  "name": "nodejs26-main@noarch",
                  "product_id": "nodejs26-main@noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/nodejs26-bin@26.5.0-1.3.hum1?arch=noarch\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nodejs26-main@aarch64 as a component of Red Hat Hardened Images",
          "product_id": "Red Hat Hardened Images:nodejs26-main@aarch64"
        },
        "product_reference": "nodejs26-main@aarch64",
        "relates_to_product_reference": "Red Hat Hardened Images"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nodejs26-main@noarch as a component of Red Hat Hardened Images",
          "product_id": "Red Hat Hardened Images:nodejs26-main@noarch"
        },
        "product_reference": "nodejs26-main@noarch",
        "relates_to_product_reference": "Red Hat Hardened Images"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nodejs26-main@src as a component of Red Hat Hardened Images",
          "product_id": "Red Hat Hardened Images:nodejs26-main@src"
        },
        "product_reference": "nodejs26-main@src",
        "relates_to_product_reference": "Red Hat Hardened Images"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nodejs26-main@x86_64 as a component of Red Hat Hardened Images",
          "product_id": "Red Hat Hardened Images:nodejs26-main@x86_64"
        },
        "product_reference": "nodejs26-main@x86_64",
        "relates_to_product_reference": "Red Hat Hardened Images"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-5078",
      "cwe": {
        "id": "CWE-93",
        "name": "Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)"
      },
      "discovery_date": "2026-06-03T08:00:55.116886+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2484311"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the morgan HTTP request logging middleware. The :remote-user token writes the Basic auth username to access logs without neutralizing CR/LF control characters. An unauthenticated remote attacker can inject forged log lines via a crafted Authorization header, breaking one-request-per-line log structure and enabling log forgery against downstream consumers.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "morgan: morgan: Log forgery due to unneutralized control characters",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "The morgan npm logging middleware is vulnerable to log forgery via unneutralized control characters in the :remote-user token extracted from Basic Authorization headers. A remote unauthenticated attacker can send crafted requests to inject forged log lines, impacting log integrity. Built-in combined, common, default, and short formats are affected; fixed in morgan 1.11.0. Affects ODF mcg-core, RHDH, hummingbird nodejs, cryostat, AAP portal, and other npm morgan consumers.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Hardened Images:nodejs26-main@aarch64",
          "Red Hat Hardened Images:nodejs26-main@noarch",
          "Red Hat Hardened Images:nodejs26-main@src",
          "Red Hat Hardened Images:nodejs26-main@x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-5078"
        },
        {
          "category": "external",
          "summary": "RHBZ#2484311",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2484311"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-5078",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-5078"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-5078",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5078"
        },
        {
          "category": "external",
          "summary": "https://cna.openjsf.org/security-advisories.html",
          "url": "https://cna.openjsf.org/security-advisories.html"
        },
        {
          "category": "external",
          "summary": "https://github.com/expressjs/morgan/security/advisories/GHSA-4vj7-5mj6-jm8m",
          "url": "https://github.com/expressjs/morgan/security/advisories/GHSA-4vj7-5mj6-jm8m"
        }
      ],
      "release_date": "2026-06-03T05:56:49.512000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-07-10T17:41:23+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
          "product_ids": [
            "Red Hat Hardened Images:nodejs26-main@aarch64",
            "Red Hat Hardened Images:nodejs26-main@noarch",
            "Red Hat Hardened Images:nodejs26-main@src",
            "Red Hat Hardened Images:nodejs26-main@x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:38009"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat Hardened Images:nodejs26-main@aarch64",
            "Red Hat Hardened Images:nodejs26-main@noarch",
            "Red Hat Hardened Images:nodejs26-main@src",
            "Red Hat Hardened Images:nodejs26-main@x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "morgan: morgan: Log forgery due to unneutralized control characters"
    },
    {
      "cve": "CVE-2026-6733",
      "cwe": {
        "id": "CWE-940",
        "name": "Improper Verification of Source of a Communication Channel"
      },
      "discovery_date": "2026-06-17T19:02:16.713859+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2490006"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in undici. An attacker-controlled upstream server can exploit a vulnerability in Undici\u0027s HTTP/1.1 client, specifically related to response queue poisoning on reused keep-alive sockets. This allows the attacker to inject an unsolicited HTTP/1.1 response onto an idle socket. Consequently, when the client dispatches a new request on that socket, it may associate the injected response with the new request, leading to responses being delivered to unintended recipients or requests. This could result in a low impact on data integrity.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "undici: Undici: Response queue poisoning on reused keep-alive sockets can lead to incorrect response delivery.",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Low: A flaw in Undici\u0027s HTTP/1.1 client, as used in various Red Hat products, allows an attacker-controlled upstream server to inject unsolicited responses onto reused keep-alive sockets. This can lead to incorrect response delivery, potentially impacting data integrity, but requires a compromised server and active keep-alive connections.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Hardened Images:nodejs26-main@aarch64",
          "Red Hat Hardened Images:nodejs26-main@noarch",
          "Red Hat Hardened Images:nodejs26-main@src",
          "Red Hat Hardened Images:nodejs26-main@x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-6733"
        },
        {
          "category": "external",
          "summary": "RHBZ#2490006",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2490006"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-6733",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-6733"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-6733",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6733"
        },
        {
          "category": "external",
          "summary": "https://cna.openjsf.org/security-advisories.html",
          "url": "https://cna.openjsf.org/security-advisories.html"
        },
        {
          "category": "external",
          "summary": "https://github.com/nodejs/undici/security/advisories/GHSA-35p6-xmwp-9g52",
          "url": "https://github.com/nodejs/undici/security/advisories/GHSA-35p6-xmwp-9g52"
        },
        {
          "category": "external",
          "summary": "https://hackerone.com/reports/3582376",
          "url": "https://hackerone.com/reports/3582376"
        }
      ],
      "release_date": "2026-06-17T17:14:50.991000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-07-10T17:41:23+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
          "product_ids": [
            "Red Hat Hardened Images:nodejs26-main@aarch64",
            "Red Hat Hardened Images:nodejs26-main@noarch",
            "Red Hat Hardened Images:nodejs26-main@src",
            "Red Hat Hardened Images:nodejs26-main@x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:38009"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat Hardened Images:nodejs26-main@aarch64",
            "Red Hat Hardened Images:nodejs26-main@noarch",
            "Red Hat Hardened Images:nodejs26-main@src",
            "Red Hat Hardened Images:nodejs26-main@x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat Hardened Images:nodejs26-main@aarch64",
            "Red Hat Hardened Images:nodejs26-main@noarch",
            "Red Hat Hardened Images:nodejs26-main@src",
            "Red Hat Hardened Images:nodejs26-main@x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "undici: Undici: Response queue poisoning on reused keep-alive sockets can lead to incorrect response delivery."
    },
    {
      "cve": "CVE-2026-9679",
      "cwe": {
        "id": "CWE-93",
        "name": "Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)"
      },
      "discovery_date": "2026-06-17T19:03:52.323822+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2490022"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in undici. The cookie parser in the `parseSetCookie` function incorrectly decodes cookie values, which is contrary to standard specifications. This vulnerability allows an attacker-controlled upstream to inject arbitrary HTTP response headers, such as `Set-Cookie`, `Location`, or `Cache-Control`. The primary consequence is HTTP response header injection, which can lead to session fixation, open redirect, or cache poisoning.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "undici: undici vulnerable to HTTP header injection via Set-Cookie percent-decoding",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Moderate: A flaw in the `undici` library\u0027s cookie parser can lead to HTTP response header injection. This occurs when applications, such as proxies or middleware, incorrectly forward percent-decoded cookie values from upstream into downstream response headers. Successful exploitation could result in session fixation, open redirects, or cache poisoning.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Hardened Images:nodejs26-main@aarch64",
          "Red Hat Hardened Images:nodejs26-main@noarch",
          "Red Hat Hardened Images:nodejs26-main@src",
          "Red Hat Hardened Images:nodejs26-main@x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-9679"
        },
        {
          "category": "external",
          "summary": "RHBZ#2490022",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2490022"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-9679",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-9679"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9679",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9679"
        },
        {
          "category": "external",
          "summary": "https://cna.openjsf.org/security-advisories.html",
          "url": "https://cna.openjsf.org/security-advisories.html"
        },
        {
          "category": "external",
          "summary": "https://github.com/nodejs/undici/security/advisories/GHSA-p88m-4jfj-68fv",
          "url": "https://github.com/nodejs/undici/security/advisories/GHSA-p88m-4jfj-68fv"
        }
      ],
      "release_date": "2026-06-17T16:56:18.579000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-07-10T17:41:23+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
          "product_ids": [
            "Red Hat Hardened Images:nodejs26-main@aarch64",
            "Red Hat Hardened Images:nodejs26-main@noarch",
            "Red Hat Hardened Images:nodejs26-main@src",
            "Red Hat Hardened Images:nodejs26-main@x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:38009"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat Hardened Images:nodejs26-main@aarch64",
            "Red Hat Hardened Images:nodejs26-main@noarch",
            "Red Hat Hardened Images:nodejs26-main@src",
            "Red Hat Hardened Images:nodejs26-main@x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat Hardened Images:nodejs26-main@aarch64",
            "Red Hat Hardened Images:nodejs26-main@noarch",
            "Red Hat Hardened Images:nodejs26-main@src",
            "Red Hat Hardened Images:nodejs26-main@x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "undici: undici vulnerable to HTTP header injection via Set-Cookie percent-decoding"
    },
    {
      "cve": "CVE-2026-11525",
      "cwe": {
        "id": "CWE-1286",
        "name": "Improper Validation of Syntactic Correctness of Input"
      },
      "discovery_date": "2026-06-17T19:02:29.292011+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2490008"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in undici. When undici processes Set-Cookie headers, it incorrectly interprets the SameSite attribute, accepting partial matches instead of exact ones. This allows a malicious server to downgrade a cookie\u0027s SameSite policy to a less secure setting, potentially leading to unintended information disclosure or a weakening of security protections for the user.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "undici: undici: Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This Low impact flaw in undici, as used in various Red Hat products, arises from incorrect parsing of the `SameSite` cookie attribute. A malicious server could exploit this by sending a specially crafted `Set-Cookie` header, causing the `SameSite` policy to be downgraded to a less secure setting. This could lead to a minor weakening of security protections or unintended information disclosure in applications that process and rely on these cookie attributes.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Hardened Images:nodejs26-main@aarch64",
          "Red Hat Hardened Images:nodejs26-main@noarch",
          "Red Hat Hardened Images:nodejs26-main@src",
          "Red Hat Hardened Images:nodejs26-main@x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-11525"
        },
        {
          "category": "external",
          "summary": "RHBZ#2490008",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2490008"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-11525",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-11525"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-11525",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11525"
        },
        {
          "category": "external",
          "summary": "https://cna.openjsf.org/security-advisories.html",
          "url": "https://cna.openjsf.org/security-advisories.html"
        },
        {
          "category": "external",
          "summary": "https://github.com/nodejs/undici/security/advisories/GHSA-g8m3-5g58-fq7m",
          "url": "https://github.com/nodejs/undici/security/advisories/GHSA-g8m3-5g58-fq7m"
        }
      ],
      "release_date": "2026-06-17T17:31:03.163000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-07-10T17:41:23+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
          "product_ids": [
            "Red Hat Hardened Images:nodejs26-main@aarch64",
            "Red Hat Hardened Images:nodejs26-main@noarch",
            "Red Hat Hardened Images:nodejs26-main@src",
            "Red Hat Hardened Images:nodejs26-main@x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:38009"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat Hardened Images:nodejs26-main@aarch64",
            "Red Hat Hardened Images:nodejs26-main@noarch",
            "Red Hat Hardened Images:nodejs26-main@src",
            "Red Hat Hardened Images:nodejs26-main@x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat Hardened Images:nodejs26-main@aarch64",
            "Red Hat Hardened Images:nodejs26-main@noarch",
            "Red Hat Hardened Images:nodejs26-main@src",
            "Red Hat Hardened Images:nodejs26-main@x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "undici: undici: Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header"
    },
    {
      "cve": "CVE-2026-12151",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "discovery_date": "2026-06-17T17:01:45.297604+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2489980"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in undici. A malicious WebSocket server can exploit this by streaming numerous small or empty continuation frames. This can bypass per-frame and cumulative-size validation, leading to unbounded memory growth in the client process. The primary consequence is memory exhaustion, resulting in a denial of service (DoS) for affected applications using the undici WebSocket client or WebSocketStream API.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "undici: undici: Denial of Service due to unbounded memory growth via WebSocket frames",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This Important denial of service flaw in the `undici` WebSocket client allows a remote attacker to cause unbounded memory growth. By sending numerous small or empty WebSocket frames, an unauthenticated attacker can exhaust system memory, leading to a denial of service in Red Hat products that use the affected client.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Hardened Images:nodejs26-main@aarch64",
          "Red Hat Hardened Images:nodejs26-main@noarch",
          "Red Hat Hardened Images:nodejs26-main@src",
          "Red Hat Hardened Images:nodejs26-main@x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-12151"
        },
        {
          "category": "external",
          "summary": "RHBZ#2489980",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2489980"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-12151",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-12151"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-12151",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12151"
        },
        {
          "category": "external",
          "summary": "https://cna.openjsf.org/security-advisories.html",
          "url": "https://cna.openjsf.org/security-advisories.html"
        },
        {
          "category": "external",
          "summary": "https://github.com/nodejs/undici/security/advisories/GHSA-vxpw-j846-p89q",
          "url": "https://github.com/nodejs/undici/security/advisories/GHSA-vxpw-j846-p89q"
        }
      ],
      "release_date": "2026-06-17T16:05:38.785000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-07-10T17:41:23+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
          "product_ids": [
            "Red Hat Hardened Images:nodejs26-main@aarch64",
            "Red Hat Hardened Images:nodejs26-main@noarch",
            "Red Hat Hardened Images:nodejs26-main@src",
            "Red Hat Hardened Images:nodejs26-main@x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:38009"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat Hardened Images:nodejs26-main@aarch64",
            "Red Hat Hardened Images:nodejs26-main@noarch",
            "Red Hat Hardened Images:nodejs26-main@src",
            "Red Hat Hardened Images:nodejs26-main@x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Hardened Images:nodejs26-main@aarch64",
            "Red Hat Hardened Images:nodejs26-main@noarch",
            "Red Hat Hardened Images:nodejs26-main@src",
            "Red Hat Hardened Images:nodejs26-main@x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "undici: undici: Denial of Service due to unbounded memory growth via WebSocket frames"
    }
  ]
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…