RHSA-2026:35841HighCVSS 8.1

Red Hat Security Advisory: nodejs24 security, bug fix, and enhancement update

Published
July 6, 2026
Last Modified
July 6, 2026

🔗 CVE IDs covered (15)

📋 Description

CVE-2026-6733 — undici: Undici: Response queue poisoning on reused keep-alive sockets can lead to incorrect response delivery. CVE-2026-6734 — undici: undici: Information disclosure and data integrity issues due to incorrect Socks5ProxyAgent connection routing CVE-2026-9678 — undici: Undici: Information disclosure due to improper cache-control header parsing CVE-2026-9697 — undici: undici: Man-in-the-Middle attack via ignored TLS options with SOCKS5 proxy CVE-2026-11525 — undici: undici: Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header CVE-2026-12151 — undici: undici: Denial of Service due to unbounded memory growth via WebSocket frames CVE-2026-42338 — ip-address: ip-address: Cross-site scripting via improper HTML escaping of untrusted input CVE-2026-48615 — nodejs: Node.js: Information disclosure of proxy credentials via proxy tunnel error handling CVE-2026-48618 — nodejs: Node.js: Authentication bypass due to TLS hostname handling and unicode dot separator mismatch CVE-2026-48619 — nodejs: Node.js: Denial of Service via unlimited HTTP/2 ORIGIN frames CVE-2026-48928 — Node.js: Node.js: Trust-policy bypass due to hostname matching inconsistency CVE-2026-48930 — nodejs: Node.js: Silent authority rebinding due to embedded-nul hostnames in TLS handling CVE-2026-48933 — nodejs: Node.js WebCrypto: Denial of Service via large input to subtle.encrypt() CVE-2026-48934 — nodejs: Node.js: Certification validation bypass in TLS host verification CVE-2026-48935 — nodejs: Node.js: Unauthorized file metadata modification

🔗 References (19)