Red Hat Security Advisory: nodejs24 security update
A security update for Node. js 24 on Red Hat Enterprise Linux 10 addresses multiple vulnerabilities including denial of service, information disclosure, permission bypass, HTTP request smuggling, and unauthorized inter-process communication. The update fixes 18 CVEs affecting components such as undici, nghttp2, brace-expansion, minimatch, and the V8 engine. These vulnerabilities could allow attackers to cause denial of service, leak information, or bypass security restrictions. Red Hat has released patches for these issues as part of advisory RHSA-2026:7675.
AI Analysis
Technical Summary
This Red Hat security advisory (RHSA-2026:7675) covers an important update to nodejs24 on Red Hat Enterprise Linux 10, addressing 18 distinct vulnerabilities. These include denial of service flaws in Node.js core, undici HTTP client library, nghttp2 HTTP/2 library, and related packages (brace-expansion, minimatch). Other issues fixed include HTTP header injection, request smuggling, information disclosure via filesystem and HMAC timing attacks, permission bypass allowing unauthorized file permission changes, and missing Unix Domain Socket permission checks enabling unauthorized inter-process communication. The update mitigates risks from crafted inputs causing resource exhaustion, memory leaks, and security bypasses. No CVSS scores are provided in the advisory, but the severity is rated as important by Red Hat.
Potential Impact
The vulnerabilities collectively impact Node.js 24 on Red Hat Enterprise Linux 10, potentially allowing attackers to cause denial of service conditions, leak sensitive information, perform unauthorized modifications to file permissions, and bypass inter-process communication restrictions. These issues could disrupt application availability and compromise security controls. No known exploits in the wild have been reported at the time of this advisory.
Mitigation Recommendations
Red Hat has released an official security update for nodejs24 as detailed in advisory RHSA-2026:7675. Users should apply this update promptly to remediate the vulnerabilities. For instructions on applying the update, refer to https://access.redhat.com/articles/11258. Since this is an official fix, no additional mitigation steps are required beyond applying the update.
Red Hat Security Advisory: nodejs24 security update
Description
A security update for Node. js 24 on Red Hat Enterprise Linux 10 addresses multiple vulnerabilities including denial of service, information disclosure, permission bypass, HTTP request smuggling, and unauthorized inter-process communication. The update fixes 18 CVEs affecting components such as undici, nghttp2, brace-expansion, minimatch, and the V8 engine. These vulnerabilities could allow attackers to cause denial of service, leak information, or bypass security restrictions. Red Hat has released patches for these issues as part of advisory RHSA-2026:7675.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This Red Hat security advisory (RHSA-2026:7675) covers an important update to nodejs24 on Red Hat Enterprise Linux 10, addressing 18 distinct vulnerabilities. These include denial of service flaws in Node.js core, undici HTTP client library, nghttp2 HTTP/2 library, and related packages (brace-expansion, minimatch). Other issues fixed include HTTP header injection, request smuggling, information disclosure via filesystem and HMAC timing attacks, permission bypass allowing unauthorized file permission changes, and missing Unix Domain Socket permission checks enabling unauthorized inter-process communication. The update mitigates risks from crafted inputs causing resource exhaustion, memory leaks, and security bypasses. No CVSS scores are provided in the advisory, but the severity is rated as important by Red Hat.
Potential Impact
The vulnerabilities collectively impact Node.js 24 on Red Hat Enterprise Linux 10, potentially allowing attackers to cause denial of service conditions, leak sensitive information, perform unauthorized modifications to file permissions, and bypass inter-process communication restrictions. These issues could disrupt application availability and compromise security controls. No known exploits in the wild have been reported at the time of this advisory.
Mitigation Recommendations
Red Hat has released an official security update for nodejs24 as detailed in advisory RHSA-2026:7675. Users should apply this update promptly to remediate the vulnerabilities. For instructions on applying the update, refer to https://access.redhat.com/articles/11258. Since this is an official fix, no additional mitigation steps are required beyond applying the update.
Technical Details
- Gcve Source
- db.gcve.eu
- Csaf Category
- csaf_security_advisory
- Csaf Version
- 2.0
- Publisher
- Red Hat Product Security
- Advisory Id
- RHSA-2026:7675
- Cve Count
- 18
- Additional Cves
- ["CVE-2026-1526","CVE-2026-1527","CVE-2026-1528","CVE-2026-2229","CVE-2026-2581","CVE-2026-21637","CVE-2026-21710","CVE-2026-21711","CVE-2026-21712","CVE-2026-21713","CVE-2026-21714","CVE-2026-21715","CVE-2026-21716","CVE-2026-21717","CVE-2026-25547","CVE-2026-26996","CVE-2026-27135"]
- Cvss Version
- null
Threat ID: 6a160983e29bf47b5064feaa
Added to database: 5/26/2026, 8:58:43 PM
Last enriched: 5/26/2026, 9:48:45 PM
Last updated: 5/26/2026, 10:03:50 PM
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.