RLSA-2026:7123

See a problem?
Please try reporting it to the source first.

Source

https://errata.rockylinux.org/RLSA-2026:7123

Import Source

https://storage.googleapis.com/resf-osv-data/RLSA-2026:7123.json

JSON Data

https://api.test.osv.dev/v1/vulns/RLSA-2026:7123

Upstream

CVE-2026-1525

CVE-2026-1526

CVE-2026-1528

CVE-2026-21710

CVE-2026-2229

CVE-2026-25547

CVE-2026-26996

CVE-2026-27135

CVE-2026-27904

Published

2026-04-09T00:01:14.433042Z

Modified

2026-04-09T00:30:06.691635Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

Important: nodejs:22 security update

Details

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

Security Fix(es):

brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion (CVE-2026-25547)
minimatch: minimatch: Denial of Service via specially crafted glob patterns (CVE-2026-26996)
minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions (CVE-2026-27904)
undici: undici: Denial of Service via unbounded memory consumption during WebSocket permessage-deflate decompression (CVE-2026-1526)
undici: Undici: Denial of Service via invalid WebSocket permessage-deflate extension parameter (CVE-2026-2229)
undici: Undici: HTTP Request Smuggling and Denial of Service due to duplicate Content-Length headers (CVE-2026-1525)
undici: undici: Denial of Service via crafted WebSocket frame with large length (CVE-2026-1528)
nghttp2: nghttp2: Denial of Service via malformed HTTP/2 frames after session termination (CVE-2026-27135)
Node.js: Node.js: Denial of Service due to crafted HTTP __proto__ header (CVE-2026-21710)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

Credits

- Rocky Enterprise Software Foundation
- Red Hat

Affected packages

Rocky Linux:8

nodejs-nodemon

Package

Name: nodejs-nodemon
Purl: pkg:rpm/rocky-linux/nodejs-nodemon?distro=rocky-linux-8-x86-64&epoch=0

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

0:3.0.1-1.module+el8.10.0+1666+930e28e8

Database specific

{
    "yum_repository": "AppStream"
}

Database specific

source

"https://storage.googleapis.com/resf-osv-data/RLSA-2026:7123.json"

nodejs-nodemon

Package

Name: nodejs-nodemon
Purl: pkg:rpm/rocky-linux/nodejs-nodemon?distro=rocky-linux-8-x86-64&epoch=0

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

0:3.0.1-1.module+el8.9.0+1760+903d54b9

Database specific

{
    "yum_repository": "AppStream"
}

Database specific

source

"https://storage.googleapis.com/resf-osv-data/RLSA-2026:7123.json"

nodejs-nodemon

Package

Name: nodejs-nodemon
Purl: pkg:rpm/rocky-linux/nodejs-nodemon?distro=rocky-linux-8-x86-64&epoch=0

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

0:3.0.1-1.module+el8.10.0+1667+4a788d89

Database specific

{
    "yum_repository": "AppStream"
}

Database specific

source

"https://storage.googleapis.com/resf-osv-data/RLSA-2026:7123.json"

nodejs-nodemon

Package

Name: nodejs-nodemon
Purl: pkg:rpm/rocky-linux/nodejs-nodemon?distro=rocky-linux-8-x86-64&epoch=0

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

0:3.0.1-1.module+el8.10.0+1823+b5789597

Database specific

{
    "yum_repository": "AppStream"
}

Database specific

source

"https://storage.googleapis.com/resf-osv-data/RLSA-2026:7123.json"

nodejs-nodemon

Package

Name: nodejs-nodemon
Purl: pkg:rpm/rocky-linux/nodejs-nodemon?distro=rocky-linux-8-x86-64&epoch=0

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

0:3.0.1-1.module+el8.10.0+1924+614dc87f

Database specific

{
    "yum_repository": "AppStream"
}

Database specific

source

"https://storage.googleapis.com/resf-osv-data/RLSA-2026:7123.json"

nodejs-nodemon

Package

Name: nodejs-nodemon
Purl: pkg:rpm/rocky-linux/nodejs-nodemon?distro=rocky-linux-8-x86-64&epoch=0

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

0:3.0.1-1.module+el8.10.0+1988+437f3d23

Database specific

{
    "yum_repository": "AppStream"
}

Database specific

source

"https://storage.googleapis.com/resf-osv-data/RLSA-2026:7123.json"

nodejs-nodemon

Package

Name: nodejs-nodemon
Purl: pkg:rpm/rocky-linux/nodejs-nodemon?distro=rocky-linux-8-x86-64&epoch=0

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

0:3.0.1-1.module+el8.10.0+1824+532140ee

Database specific

{
    "yum_repository": "AppStream"
}

Database specific

source

"https://storage.googleapis.com/resf-osv-data/RLSA-2026:7123.json"

nodejs-nodemon

Package

Name: nodejs-nodemon
Purl: pkg:rpm/rocky-linux/nodejs-nodemon?distro=rocky-linux-8-x86-64&epoch=0

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

0:3.0.1-1.module+el8.10.0+1935+d3cbe60f

Database specific

{
    "yum_repository": "AppStream"
}

Database specific

source

"https://storage.googleapis.com/resf-osv-data/RLSA-2026:7123.json"

nodejs-nodemon

Package

Name: nodejs-nodemon
Purl: pkg:rpm/rocky-linux/nodejs-nodemon?distro=rocky-linux-8-x86-64&epoch=0

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

0:3.0.1-1.module+el8.10.0+1989+e60144d9

Database specific

{
    "yum_repository": "AppStream"
}

Database specific

source

"https://storage.googleapis.com/resf-osv-data/RLSA-2026:7123.json"

nodejs-packaging

Package

Name: nodejs-packaging
Purl: pkg:rpm/rocky-linux/nodejs-packaging?distro=rocky-linux-8-x86-64&epoch=0

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

0:2021.06-6.module+el8.10.0+40048+6d99f608

Database specific

{
    "yum_repository": "AppStream"
}

Database specific

source

"https://storage.googleapis.com/resf-osv-data/RLSA-2026:7123.json"