nodejs:22 security update
エラータID: AXSA:2026-446:01
リリース日:
2026/04/17 Friday - 18:38
題名:
nodejs:22 security update
影響のあるチャネル:
MIRACLE LINUX 9 for x86_64
Severity:
High
Description:
以下項目について対処しました。
[Security Fix]
- undici には、重複した Content-Length ヘッダーを許容してしまう
問題があるため、リモートの攻撃者により、HTTP リクエストスマグリング
攻撃やサービス拒否攻撃を可能とする脆弱性が存在します。
(CVE-2026-1525)
- undici の WebSocket クライアントの permessage-deflate 拡張機能
の実装には、リソースの制限を実施していない問題があるため、リモート
の攻撃者により、サービス拒否攻撃 (リソース枯渇) を可能とする脆弱性
が存在します。(CVE-2026-1526)
- undici の WebSocket クライアントの ByteParser には、演算処理で
オーバーフローが発生する問題があるため、リモートの攻撃者により、
サービス拒否攻撃を可能とする脆弱性が存在します。(CVE-2026-1528)
- Node.js の HTTP リクエストのハンドリング処理には、"__proto__"
という名前のヘッダーの扱いが不適切である問題があるため、リモート
の攻撃者により、サービス拒否攻撃を可能とする脆弱性が存在します。
(CVE-2026-21710)
- undici の WebSocket クライアントの permessage-deflate 拡張機能
の実装には、server_max_window_bits パラメーターの検証が不適切である
問題があるため、リモートの攻撃者により、サービス拒否攻撃を可能と
する脆弱性が存在します。(CVE-2026-2229)
- @isaacs/brace-expansion のブレース展開処理には、範囲指定や
組み合わせ数に制限を設けていない問題があるため、リモートの攻撃者に
より、サービス拒否攻撃を可能とする脆弱性が存在します。
(CVE-2026-25547)
- minimatch には、正規表現の不備に起因して意図せずリソースを消費
してしまう問題があるため、リモートの攻撃者により、多数の連続した
ワイルドカード文字 (*) などを含むように細工された正規表現の入力を
介して、正規表現サービス拒否攻撃 (CPU リソース枯渇) を可能とする
脆弱性が存在します。(CVE-2026-26996)
- nghttp2 には、内部状態の検証処理が不十分である問題があるため、
リモートの攻撃者により、サービス拒否攻撃を可能とする脆弱性が存在
します。(CVE-2026-27135)
- minimatch の extglob 拡張の実装には、意図せずリソースを消費して
しまう問題があるため、リモートの攻撃者により、サービス拒否攻撃
(リソース枯渇) を可能とする脆弱性が存在します。(CVE-2026-27904)
Modularity name: nodejs
Stream name: 22
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2026-1525
Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire. Who is impacted: * Applications using undici.request(), undici.Client, or similar low-level APIs with headers passed as flat arrays * Applications that accept user-controlled header names without case-normalization Potential consequences: * Denial of Service: Strict HTTP parsers (proxies, servers) will reject requests with duplicate Content-Length headers (400 Bad Request) * HTTP Request Smuggling: In deployments where an intermediary and backend interpret duplicate headers inconsistently (e.g., one uses the first value, the other uses the last), this can enable request smuggling attacks leading to ACL bypass, cache poisoning, or credential hijacking
Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire. Who is impacted: * Applications using undici.request(), undici.Client, or similar low-level APIs with headers passed as flat arrays * Applications that accept user-controlled header names without case-normalization Potential consequences: * Denial of Service: Strict HTTP parsers (proxies, servers) will reject requests with duplicate Content-Length headers (400 Bad Request) * HTTP Request Smuggling: In deployments where an intermediary and backend interpret duplicate headers inconsistently (e.g., one uses the first value, the other uses the last), this can enable request smuggling attacks leading to ACL bypass, cache poisoning, or credential hijacking
CVE-2026-1526
The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without enforcing any limit on the decompressed data size. A malicious WebSocket server can send a small compressed frame (a "decompression bomb") that expands to an extremely large size in memory, causing the Node.js process to exhaust available memory and crash or become unresponsive. The vulnerability exists in the PerMessageDeflate.decompress() method, which accumulates all decompressed chunks in memory and concatenates them into a single Buffer without checking whether the total size exceeds a safe threshold.
The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without enforcing any limit on the decompressed data size. A malicious WebSocket server can send a small compressed frame (a "decompression bomb") that expands to an extremely large size in memory, causing the Node.js process to exhaust available memory and crash or become unresponsive. The vulnerability exists in the PerMessageDeflate.decompress() method, which accumulates all decompressed chunks in memory and concatenates them into a single Buffer without checking whether the total size exceeds a safe threshold.
CVE-2026-1528
ImpactA server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process. Patches Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.
ImpactA server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process. Patches Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.
CVE-2026-21710
A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`. When this occurs, `dest["__proto__"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by `error` event listeners, meaning it cannot be handled without wrapping every `req.headersDistinct` access in a `try/catch`. * This vulnerability affects all Node.js HTTP servers on **20.x, 22.x, 24.x, and v25.x**
A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`. When this occurs, `dest["__proto__"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by `error` event listeners, meaning it cannot be handled without wrapping every `req.headersDistinct` access in a `try/catch`. * This vulnerability affects all Node.js HTTP servers on **20.x, 22.x, 24.x, and v25.x**
CVE-2026-2229
ImpactThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression. A malicious server can respond with an out-of-range server_max_window_bits value (outside zlib's valid range of 8-15). When the server subsequently sends a compressed frame, the client attempts to create a zlib InflateRaw instance with the invalid windowBits value, causing a synchronous RangeError exception that is not caught, resulting in immediate process termination. The vulnerability exists because: * The isValidClientWindowBits() function only validates that the value contains ASCII digits, not that it falls within the valid range 8-15 * The createInflateRaw() call is not wrapped in a try-catch block * The resulting exception propagates up through the call stack and crashes the Node.js process
ImpactThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression. A malicious server can respond with an out-of-range server_max_window_bits value (outside zlib's valid range of 8-15). When the server subsequently sends a compressed frame, the client attempts to create a zlib InflateRaw instance with the invalid windowBits value, causing a synchronous RangeError exception that is not caught, resulting in immediate process termination. The vulnerability exists because: * The isValidClientWindowBits() function only validates that the value contains ASCII digits, not that it falls within the valid range 8-15 * The createInflateRaw() call is not wrapped in a try-catch block * The resulting exception propagates up through the call stack and crashes the Node.js process
CVE-2026-25547
@isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated numeric brace ranges, the library attempts to eagerly generate every possible combination synchronously. Because the expansion grows exponentially, even a small input can consume excessive CPU and memory and may crash the Node.js process. This issue has been patched in version 5.0.1.
@isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated numeric brace ranges, the library attempts to eagerly generate every possible combination synchronously. Because the expansion grows exponentially, even a small input can consume excessive CPU and memory and may crash the Node.js process. This issue has been patched in version 5.0.1.
CVE-2026-26996
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS. This issue has been fixed in version 10.2.1.
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS. This issue has been fixed in version 10.2.1.
CVE-2026-27135
nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the incoming data when user facing public API `nghttp2_session_terminate_session` or `nghttp2_session_terminate_session2` is called by the application. They might be called internally by the library when it detects the situation that is subject to connection error. Due to the missing internal state validation, the library keeps reading the rest of the data after one of those APIs is called. Then receiving a malformed frame that causes FRAME_SIZE_ERROR causes assertion failure. nghttp2 v1.68.1 adds missing state validation to avoid assertion failure. No known workarounds are available.
nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the incoming data when user facing public API `nghttp2_session_terminate_session` or `nghttp2_session_terminate_session2` is called by the application. They might be called internally by the library when it detects the situation that is subject to connection error. Due to the missing internal state validation, the library keeps reading the rest of the data after one of those APIs is called. Then receiving a malformed frame that causes FRAME_SIZE_ERROR causes assertion failure. nghttp2 v1.68.1 adds missing state validation to avoid assertion failure. No known workarounds are available.
CVE-2026-27904
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested `*()` extglobs produce regexps with nested unbounded quantifiers (e.g. `(?:(?:a|b)*)*`), which exhibit catastrophic backtracking in V8. With a 12-byte pattern `*(*(*(a|b)))` and an 18-byte non-matching input, `minimatch()` stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the default `minimatch()` API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects `+()` extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue.
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested `*()` extglobs produce regexps with nested unbounded quantifiers (e.g. `(?:(?:a|b)*)*`), which exhibit catastrophic backtracking in V8. With a 12-byte pattern `*(*(*(a|b)))` and an 18-byte non-matching input, `minimatch()` stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the default `minimatch()` API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects `+()` extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue.
追加情報:
N/A
ダウンロード:
SRPMS
- nodejs-nodemon-3.0.1-1.module+el9+1140+2aa648f7.src.rpm
MD5: e5bfef1c3439e05182ee2ad07de0ecad
SHA-256: d90674951a7bd4946bc8c1de91974b8da6b6b61e1789d783b21f6da8ec514041
Size: 339.27 kB - nodejs-packaging-2021.06-6.module+el9+1140+2aa648f7.src.rpm
MD5: 02294e0c8018eec33c7c2a9d43c286b6
SHA-256: 3e59931181220c08e1ae85d8ac964f15459ffc51239aacc2ab2c5c3e6f69bc2d
Size: 25.41 kB - nodejs-22.22.2-1.module+el9+1140+2aa648f7.src.rpm
MD5: 4a73972daa9532b5927fece6ef7c71dd
SHA-256: a8a4168b69f5f73b7752917cf28d258dd39d7e6328c1e5bd9c6232da978c899e
Size: 91.83 MB
Asianux Server 9 for x86_64
- nodejs-22.22.2-1.module+el9+1140+2aa648f7.x86_64.rpm
MD5: 396f128651a8b9abdbf69e42625a3284
SHA-256: 4c9e12e2ebf0c3849981e2a70ba5288b1ef8c34137ba023e9ae7eff81212a7a5
Size: 2.17 MB - nodejs-debugsource-22.22.2-1.module+el9+1140+2aa648f7.x86_64.rpm
MD5: 75734bfc6d282dd65e4a058786566551
SHA-256: fa18d62a5b6d4e4493c4edd573633825dc605424a0463d8bae98bcb1d50fe800
Size: 18.02 MB - nodejs-devel-22.22.2-1.module+el9+1140+2aa648f7.x86_64.rpm
MD5: 70c6b9a3b8f686f35901072a8558f75e
SHA-256: bd2a566672c1de5b36be59a0c5e9a508830287c83bcd9be3774a1452cf4298a3
Size: 276.27 kB - nodejs-docs-22.22.2-1.module+el9+1140+2aa648f7.noarch.rpm
MD5: 24ab9c4715c737ca5184f08760f18709
SHA-256: bd493e28c139b9ac09df821ff0939876f0d219c3c49299abe48abf7f788e1fe7
Size: 9.24 MB - nodejs-full-i18n-22.22.2-1.module+el9+1140+2aa648f7.x86_64.rpm
MD5: 5e4167198768cfdc0dea43042b87e77b
SHA-256: d6c3b8b98e2c962358ea61445ee6ac688a10e3be786ea8791463dd9fe27bcb60
Size: 8.87 MB - nodejs-libs-22.22.2-1.module+el9+1140+2aa648f7.x86_64.rpm
MD5: f40630668d90078d640744b8958a95a8
SHA-256: d3d60b7ab3af523a00438c06352f9987504ef46a1d9664d796c5a69709e62b82
Size: 20.51 MB - nodejs-nodemon-3.0.1-1.module+el9+1140+2aa648f7.noarch.rpm
MD5: 1473218ee5ddc4b4c65d25f9c2e852b8
SHA-256: dc6fcbb97e24cbf4b8d0f55c35bb9ef3db3ac0ce420008377e215aad95bb3de6
Size: 332.32 kB - nodejs-packaging-2021.06-6.module+el9+1140+2aa648f7.noarch.rpm
MD5: 1fb99eef18ae277ffd76f168370235cc
SHA-256: 4e8a5094dbed669088e3addf6106cea407d006f37804ec947485b723dbe0f059
Size: 18.66 kB - nodejs-packaging-bundler-2021.06-6.module+el9+1140+2aa648f7.noarch.rpm
MD5: d3dae41f87c9a67f8591bfb74792aaaf
SHA-256: c5b17bccc9bc4395c2c95064c40da0c5e2febaf435921ee79eaf02b0b5b90866
Size: 8.47 kB - npm-10.9.7-1.22.22.2.1.module+el9+1140+2aa648f7.x86_64.rpm
MD5: 01a127f16d375e947783e2389005fe74
SHA-256: d70f963c50badae8eccad2a15663b14499a72caf9864c028be96e63f5b2fccb3
Size: 2.36 MB - v8-12.4-devel-12.4.254.21-1.22.22.2.1.module+el9+1140+2aa648f7.x86_64.rpm
MD5: e773c23e5edac498b349eb5247d6a848
SHA-256: 248f6a047471f3f1def1171fae5b6d523d1df256a1d6c8665356f06b29847d16
Size: 15.22 kB
English