nodejs:22 security update
エラータID: AXSA:2026-432:01
リリース日:
2026/04/14 Tuesday - 18:59
題名:
nodejs:22 security update
影響のあるチャネル:
Asianux Server 8 for x86_64
Severity:
High
Description:
以下項目について対処しました。
[Security Fix]
- undici には、重複した Content-Length ヘッダーを許容してしまう
問題があるため、リモートの攻撃者により、HTTP リクエストスマグリング
攻撃やサービス拒否攻撃を可能とする脆弱性が存在します。
(CVE-2026-1525)
- undici の WebSocket クライアントの permessage-deflate 拡張機能
の実装には、リソースの制限を実施していない問題があるため、リモート
の攻撃者により、サービス拒否攻撃 (リソース枯渇) を可能とする脆弱性
が存在します。(CVE-2026-1526)
- undici の WebSocket クライアントの ByteParser には、演算処理で
オーバーフローが発生する問題があるため、リモートの攻撃者により、
サービス拒否攻撃を可能とする脆弱性が存在します。(CVE-2026-1528)
- Node.js の HTTP リクエストのハンドリング処理には、"__proto__"
という名前のヘッダーの扱いが不適切である問題があるため、リモート
の攻撃者により、サービス拒否攻撃を可能とする脆弱性が存在します。
(CVE-2026-21710)
- undici の WebSocket クライアントの permessage-deflate 拡張機能
の実装には、server_max_window_bits パラメーターの検証が不適切である
問題があるため、リモートの攻撃者により、サービス拒否攻撃を可能と
する脆弱性が存在します。(CVE-2026-2229)
- @isaacs/brace-expansion のブレース展開処理には、範囲指定や
組み合わせ数に制限を設けていない問題があるため、リモートの攻撃者に
より、サービス拒否攻撃を可能とする脆弱性が存在します。
(CVE-2026-25547)
- minimatch には、正規表現の不備に起因して意図せずリソースを消費
してしまう問題があるため、リモートの攻撃者により、多数の連続した
ワイルドカード文字 (*) などを含むように細工された正規表現の入力を
介して、正規表現サービス拒否攻撃 (CPU リソース枯渇) を可能とする
脆弱性が存在します。(CVE-2026-26996)
- nghttp2 には、内部状態の検証処理が不十分である問題があるため、
リモートの攻撃者により、サービス拒否攻撃を可能とする脆弱性が存在
します。(CVE-2026-27135)
- minimatch の extglob 拡張の実装には、意図せずリソースを消費して
しまう問題があるため、リモートの攻撃者により、サービス拒否攻撃
(リソース枯渇) を可能とする脆弱性が存在します。(CVE-2026-27904)
Modularity name: nodejs
Stream name: 22
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2026-1525
Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire. Who is impacted: * Applications using undici.request(), undici.Client, or similar low-level APIs with headers passed as flat arrays * Applications that accept user-controlled header names without case-normalization Potential consequences: * Denial of Service: Strict HTTP parsers (proxies, servers) will reject requests with duplicate Content-Length headers (400 Bad Request) * HTTP Request Smuggling: In deployments where an intermediary and backend interpret duplicate headers inconsistently (e.g., one uses the first value, the other uses the last), this can enable request smuggling attacks leading to ACL bypass, cache poisoning, or credential hijacking
Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire. Who is impacted: * Applications using undici.request(), undici.Client, or similar low-level APIs with headers passed as flat arrays * Applications that accept user-controlled header names without case-normalization Potential consequences: * Denial of Service: Strict HTTP parsers (proxies, servers) will reject requests with duplicate Content-Length headers (400 Bad Request) * HTTP Request Smuggling: In deployments where an intermediary and backend interpret duplicate headers inconsistently (e.g., one uses the first value, the other uses the last), this can enable request smuggling attacks leading to ACL bypass, cache poisoning, or credential hijacking
CVE-2026-1526
The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without enforcing any limit on the decompressed data size. A malicious WebSocket server can send a small compressed frame (a "decompression bomb") that expands to an extremely large size in memory, causing the Node.js process to exhaust available memory and crash or become unresponsive. The vulnerability exists in the PerMessageDeflate.decompress() method, which accumulates all decompressed chunks in memory and concatenates them into a single Buffer without checking whether the total size exceeds a safe threshold.
The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without enforcing any limit on the decompressed data size. A malicious WebSocket server can send a small compressed frame (a "decompression bomb") that expands to an extremely large size in memory, causing the Node.js process to exhaust available memory and crash or become unresponsive. The vulnerability exists in the PerMessageDeflate.decompress() method, which accumulates all decompressed chunks in memory and concatenates them into a single Buffer without checking whether the total size exceeds a safe threshold.
CVE-2026-1528
ImpactA server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process. Patches Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.
ImpactA server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process. Patches Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.
CVE-2026-21710
A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`. When this occurs, `dest["__proto__"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by `error` event listeners, meaning it cannot be handled without wrapping every `req.headersDistinct` access in a `try/catch`. * This vulnerability affects all Node.js HTTP servers on **20.x, 22.x, 24.x, and v25.x**
A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`. When this occurs, `dest["__proto__"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by `error` event listeners, meaning it cannot be handled without wrapping every `req.headersDistinct` access in a `try/catch`. * This vulnerability affects all Node.js HTTP servers on **20.x, 22.x, 24.x, and v25.x**
CVE-2026-2229
ImpactThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression. A malicious server can respond with an out-of-range server_max_window_bits value (outside zlib's valid range of 8-15). When the server subsequently sends a compressed frame, the client attempts to create a zlib InflateRaw instance with the invalid windowBits value, causing a synchronous RangeError exception that is not caught, resulting in immediate process termination. The vulnerability exists because: * The isValidClientWindowBits() function only validates that the value contains ASCII digits, not that it falls within the valid range 8-15 * The createInflateRaw() call is not wrapped in a try-catch block * The resulting exception propagates up through the call stack and crashes the Node.js process
ImpactThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression. A malicious server can respond with an out-of-range server_max_window_bits value (outside zlib's valid range of 8-15). When the server subsequently sends a compressed frame, the client attempts to create a zlib InflateRaw instance with the invalid windowBits value, causing a synchronous RangeError exception that is not caught, resulting in immediate process termination. The vulnerability exists because: * The isValidClientWindowBits() function only validates that the value contains ASCII digits, not that it falls within the valid range 8-15 * The createInflateRaw() call is not wrapped in a try-catch block * The resulting exception propagates up through the call stack and crashes the Node.js process
CVE-2026-25547
@isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated numeric brace ranges, the library attempts to eagerly generate every possible combination synchronously. Because the expansion grows exponentially, even a small input can consume excessive CPU and memory and may crash the Node.js process. This issue has been patched in version 5.0.1.
@isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated numeric brace ranges, the library attempts to eagerly generate every possible combination synchronously. Because the expansion grows exponentially, even a small input can consume excessive CPU and memory and may crash the Node.js process. This issue has been patched in version 5.0.1.
CVE-2026-26996
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS. This issue has been fixed in version 10.2.1.
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS. This issue has been fixed in version 10.2.1.
CVE-2026-27135
nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the incoming data when user facing public API `nghttp2_session_terminate_session` or `nghttp2_session_terminate_session2` is called by the application. They might be called internally by the library when it detects the situation that is subject to connection error. Due to the missing internal state validation, the library keeps reading the rest of the data after one of those APIs is called. Then receiving a malformed frame that causes FRAME_SIZE_ERROR causes assertion failure. nghttp2 v1.68.1 adds missing state validation to avoid assertion failure. No known workarounds are available.
nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the incoming data when user facing public API `nghttp2_session_terminate_session` or `nghttp2_session_terminate_session2` is called by the application. They might be called internally by the library when it detects the situation that is subject to connection error. Due to the missing internal state validation, the library keeps reading the rest of the data after one of those APIs is called. Then receiving a malformed frame that causes FRAME_SIZE_ERROR causes assertion failure. nghttp2 v1.68.1 adds missing state validation to avoid assertion failure. No known workarounds are available.
CVE-2026-27904
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested `*()` extglobs produce regexps with nested unbounded quantifiers (e.g. `(?:(?:a|b)*)*`), which exhibit catastrophic backtracking in V8. With a 12-byte pattern `*(*(*(a|b)))` and an 18-byte non-matching input, `minimatch()` stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the default `minimatch()` API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects `+()` extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue.
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested `*()` extglobs produce regexps with nested unbounded quantifiers (e.g. `(?:(?:a|b)*)*`), which exhibit catastrophic backtracking in V8. With a 12-byte pattern `*(*(*(a|b)))` and an 18-byte non-matching input, `minimatch()` stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the default `minimatch()` API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects `+()` extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue.
追加情報:
N/A
ダウンロード:
SRPMS
- nodejs-nodemon-3.0.1-1.module+el8+1970+649398e7.src.rpm
MD5: bd7c6a4e29cac7ce45b8685a7a7f7f47
SHA-256: 1663b7b324bd50a254435066eac3c8500ac6c29d572609144bb54b182e2d5cbb
Size: 340.07 kB - nodejs-packaging-2021.06-6.module+el8+1970+649398e7.src.rpm
MD5: 10bacc0ddb4b6179af549dbe0d649e4b
SHA-256: 1cb44db2247aec5f77dc871b988e5f9ee15b50269c5207eb82df374f97ea0c78
Size: 30.99 kB - nodejs-22.22.2-1.module+el8+1970+649398e7.src.rpm
MD5: a5885d8b2c20cf5f9dbfb0440a7701e2
SHA-256: 9ba00b21d467ffd6b366a4d138ea5db4c2e5aed1d799a501125218224b35ea64
Size: 94.85 MB
Asianux Server 8 for x86_64
- nodejs-22.22.2-1.module+el8+1970+649398e7.x86_64.rpm
MD5: 96501845f22d3503f11a6fa3498b4cb4
SHA-256: e395d486c1af05488c348b157b41fa56973fd3c28427c0fbc4f700cfd06b378d
Size: 1.98 MB - nodejs-debugsource-22.22.2-1.module+el8+1970+649398e7.x86_64.rpm
MD5: 92d319c69fa60168a7530d00728c5ee1
SHA-256: bed89abe75c1978a26c4f5c8215bc353046b42a018e1d959c8e855c3186d5544
Size: 19.90 MB - nodejs-devel-22.22.2-1.module+el8+1970+649398e7.x86_64.rpm
MD5: 6f8f21c7d1a522a123a68ed174512fd3
SHA-256: a9d47d896cf6ef35489f5826a138cf84f4900a5448d44a03390eed18fe06ae2b
Size: 268.75 kB - nodejs-docs-22.22.2-1.module+el8+1970+649398e7.noarch.rpm
MD5: e071c15d68750ca39ff0d48426c93ca4
SHA-256: ffd354fe527db9eece7e454de3f8951739cbbfe8cd1216badf7e11f7630407e0
Size: 11.68 MB - nodejs-full-i18n-22.22.2-1.module+el8+1970+649398e7.x86_64.rpm
MD5: 9d4940f6f76b13401f3b3928aa12b76b
SHA-256: 17f1d3389356878f10a2ba79f253318c20479339d9a5aaebc6591cb4b1d693e0
Size: 8.60 MB - nodejs-libs-22.22.2-1.module+el8+1970+649398e7.x86_64.rpm
MD5: 52f23b3e65a00e037e80eed2d6e4d6e4
SHA-256: 44c393cef5c64434ee0278b25bd66fc305cb895bc56d8ee2c0447963a3c1bbde
Size: 20.68 MB - nodejs-nodemon-3.0.1-1.module+el8+1970+649398e7.noarch.rpm
MD5: f874612cb56e00ef73fb44e5061bfbaf
SHA-256: dcb15d0ecfc39a8c8a0637af467a1538ca100fda15e5b6cbf6be03eb068fd355
Size: 281.66 kB - nodejs-packaging-2021.06-6.module+el8+1970+649398e7.noarch.rpm
MD5: 079d83414b5c19efd3c1ffae46f8feb9
SHA-256: 9467b5dd62f484ae60e334825e3c95fd5304edaf0fb235c804dbaac1df3fad1d
Size: 24.51 kB - nodejs-packaging-bundler-2021.06-6.module+el8+1970+649398e7.noarch.rpm
MD5: 7bcaa91fe9155ed1160bb95ea9d85d68
SHA-256: 0e62dfae0eaebe95fbf7a83f5bb21048ef08560346bf8dd800519c2975cd61b4
Size: 14.10 kB - npm-10.9.7-1.22.22.2.1.module+el8+1970+649398e7.x86_64.rpm
MD5: e5eedf1f9bc8c646c786ed9280b1a270
SHA-256: dc4513f5772a5d8598466920fef7a9e6b0dacd9669626a7c7f6ab4c7d3728c9f
Size: 2.15 MB - v8-12.4-devel-12.4.254.21-1.22.22.2.1.module+el8+1970+649398e7.x86_64.rpm
MD5: 7b26d037f3de59f3af9620f38a57131c
SHA-256: d534b0843438a3bc65746df513cb5f8a829edb612d798d9049ec2907196554dd
Size: 15.17 kB
English