Red Hat Security Advisory: nodejs24 security, bug fix, and enhancement update
🔗 CVE IDs covered (15)
📋 Description
CVE-2026-6733 — undici: Undici: Response queue poisoning on reused keep-alive sockets can lead to incorrect response delivery. CVE-2026-6734 — undici: undici: Information disclosure and data integrity issues due to incorrect Socks5ProxyAgent connection routing CVE-2026-9678 — undici: Undici: Information disclosure due to improper cache-control header parsing CVE-2026-9697 — undici: undici: Man-in-the-Middle attack via ignored TLS options with SOCKS5 proxy CVE-2026-11525 — undici: undici: Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header CVE-2026-12151 — undici: undici: Denial of Service due to unbounded memory growth via WebSocket frames CVE-2026-42338 — ip-address: ip-address: Cross-site scripting via improper HTML escaping of untrusted input CVE-2026-48615 — nodejs: Node.js: Information disclosure of proxy credentials via proxy tunnel error handling CVE-2026-48618 — nodejs: Node.js: Authentication bypass due to TLS hostname handling and unicode dot separator mismatch CVE-2026-48619 — nodejs: Node.js: Denial of Service via unlimited HTTP/2 ORIGIN frames CVE-2026-48928 — Node.js: Node.js: Trust-policy bypass due to hostname matching inconsistency CVE-2026-48930 — nodejs: Node.js: Silent authority rebinding due to embedded-nul hostnames in TLS handling CVE-2026-48933 — nodejs: Node.js WebCrypto: Denial of Service via large input to subtle.encrypt() CVE-2026-48934 — nodejs: Node.js: Certification validation bypass in TLS host verification CVE-2026-48935 — nodejs: Node.js: Unauthorized file metadata modification
🔗 References (19)
- selfhttps://access.redhat.com/errata/RHSA-2026:35841
- externalhttps://access.redhat.com/security/updates/classification/#important
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2476810
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2489980
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2490000
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2490006
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2490008
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2490018
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2490024
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2493325
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2493326
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2493329
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2493331
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2493332
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2493333
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2493335
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2493337
- externalhttps://issues.redhat.com/browse/RHEL-186582
- selfhttps://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_35841.json