Red Hat Security Advisory: nodejs:22 security update
🔗 CVE IDs covered (9)
📋 Description
CVE-2026-1525 — undici: Undici: HTTP Request Smuggling and Denial of Service due to duplicate Content-Length headers
CVE-2026-1526 — undici: undici: Denial of Service via unbounded memory consumption during WebSocket permessage-deflate decompression
CVE-2026-1528 — undici: undici: Denial of Service via crafted WebSocket frame with large length
CVE-2026-2229 — undici: Undici: Denial of Service via invalid WebSocket permessage-deflate extension parameter
CVE-2026-21710 — Node.js: Node.js: Denial of Service due to crafted HTTP __proto__ header
CVE-2026-25547 — brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion
CVE-2026-26996 — minimatch: minimatch: Denial of Service via specially crafted glob patterns
CVE-2026-27135 — nghttp2: nghttp2: Denial of Service via malformed HTTP/2 frames after session termination
CVE-2026-27904 — minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions
🔗 References (12)
- selfhttps://access.redhat.com/errata/RHSA-2026:7983
- externalhttps://access.redhat.com/security/updates/classification/#important
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2436942
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2441268
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2442922
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2447142
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2447143
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2447144
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2447145
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2448754
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2453151
- selfhttps://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_7983.json