RLSA-2026:7350

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

Security Fix(es):

• nodejs: Nodejs denial of service (CVE-2026-21637)

• brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion (CVE-2026-25547)

• minimatch: minimatch: Denial of Service via specially crafted glob patterns (CVE-2026-26996)

• undici: Undici: Denial of Service due to uncontrolled resource consumption (CVE-2026-2581)

• undici: Undici: HTTP header injection and request smuggling vulnerability (CVE-2026-1527)

• undici: undici: Denial of Service via unbounded memory consumption during WebSocket permessage-deflate decompression (CVE-2026-1526)

• undici: Undici: Denial of Service via invalid WebSocket permessage-deflate extension parameter (CVE-2026-2229)

• undici: Undici: HTTP Request Smuggling and Denial of Service due to duplicate Content-Length headers (CVE-2026-1525)

• undici: undici: Denial of Service via crafted WebSocket frame with large length (CVE-2026-1528)

• nghttp2: nghttp2: Denial of Service via malformed HTTP/2 frames after session termination (CVE-2026-27135)

• Node.js: Node.js: Denial of Service via malformed Internationalized Domain Name processing (CVE-2026-21712)

• Node.js: Node.js: Denial of Service due to crafted HTTP __proto__ header (CVE-2026-21710)

• Node.js: Node.js: Information disclosure due to fs.realpathSync.native() bypassing filesystem read restrictions (CVE-2026-21715)

• nodejs: Node.js: Permission bypass allows unauthorized modification of file permissions and ownership via incomplete security fix. (CVE-2026-21716)

• Node.js: Node.js: Unauthorized inter-process communication due to missing Unix Domain Socket permission checks (CVE-2026-21711)

• Node.js: Node.js: Information disclosure via timing oracle in HMAC verification (CVE-2026-21713)

• Node.js: Node.js: Memory leak and Denial of Service via crafted HTTP/2 WINDOW_UPDATE frames (CVE-2026-21714)

• nodejs: v8: Node.js: Denial of Service via V8 string hashing mechanism due to predictable hash collisions (CVE-2026-21717)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.