nodejs:20 security update
エラータID: AXSA:2026-452:01
リリース日:
2026/04/19 Sunday - 11:30
題名:
nodejs:20 security update
影響のあるチャネル:
MIRACLE LINUX 9 for x86_64
Severity:
High
Description:
以下項目について対処しました。
[Security Fix]
- Node.js の HTTP リクエストのハンドリング処理には、"__proto__"
という名前のヘッダーの扱いが不適切である問題があるため、リモート
の攻撃者により、サービス拒否攻撃を可能とする脆弱性が存在します。
(CVE-2026-21710)
- minimatch には、正規表現の不備に起因して意図せずリソースを消費
してしまう問題があるため、リモートの攻撃者により、多数の連続した
ワイルドカード文字 (*) などを含むように細工された正規表現の入力を
介して、正規表現サービス拒否攻撃 (CPU リソース枯渇) を可能とする
脆弱性が存在します。(CVE-2026-26996)
- nghttp2 には、内部状態の検証処理が不十分である問題があるため、
リモートの攻撃者により、サービス拒否攻撃を可能とする脆弱性が存在
します。(CVE-2026-27135)
- minimatch の extglob 拡張の実装には、意図せずリソースを消費して
しまう問題があるため、リモートの攻撃者により、サービス拒否攻撃
(リソース枯渇) を可能とする脆弱性が存在します。(CVE-2026-27904)
Modularity name: nodejs
Stream name: 20
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2026-21710
A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`. When this occurs, `dest["__proto__"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by `error` event listeners, meaning it cannot be handled without wrapping every `req.headersDistinct` access in a `try/catch`. * This vulnerability affects all Node.js HTTP servers on **20.x, 22.x, 24.x, and v25.x**
A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`. When this occurs, `dest["__proto__"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by `error` event listeners, meaning it cannot be handled without wrapping every `req.headersDistinct` access in a `try/catch`. * This vulnerability affects all Node.js HTTP servers on **20.x, 22.x, 24.x, and v25.x**
CVE-2026-26996
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS. This issue has been fixed in version 10.2.1.
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS. This issue has been fixed in version 10.2.1.
CVE-2026-27135
nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the incoming data when user facing public API `nghttp2_session_terminate_session` or `nghttp2_session_terminate_session2` is called by the application. They might be called internally by the library when it detects the situation that is subject to connection error. Due to the missing internal state validation, the library keeps reading the rest of the data after one of those APIs is called. Then receiving a malformed frame that causes FRAME_SIZE_ERROR causes assertion failure. nghttp2 v1.68.1 adds missing state validation to avoid assertion failure. No known workarounds are available.
nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the incoming data when user facing public API `nghttp2_session_terminate_session` or `nghttp2_session_terminate_session2` is called by the application. They might be called internally by the library when it detects the situation that is subject to connection error. Due to the missing internal state validation, the library keeps reading the rest of the data after one of those APIs is called. Then receiving a malformed frame that causes FRAME_SIZE_ERROR causes assertion failure. nghttp2 v1.68.1 adds missing state validation to avoid assertion failure. No known workarounds are available.
CVE-2026-27904
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested `*()` extglobs produce regexps with nested unbounded quantifiers (e.g. `(?:(?:a|b)*)*`), which exhibit catastrophic backtracking in V8. With a 12-byte pattern `*(*(*(a|b)))` and an 18-byte non-matching input, `minimatch()` stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the default `minimatch()` API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects `+()` extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue.
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested `*()` extglobs produce regexps with nested unbounded quantifiers (e.g. `(?:(?:a|b)*)*`), which exhibit catastrophic backtracking in V8. With a 12-byte pattern `*(*(*(a|b)))` and an 18-byte non-matching input, `minimatch()` stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the default `minimatch()` API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects `+()` extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue.
追加情報:
N/A
ダウンロード:
SRPMS
- nodejs-nodemon-3.0.1-1.module+el9+1142+b810beae.src.rpm
MD5: 9a96c376295b881e4ac8704ac159fcad
SHA-256: 7937336e6220cda6b93ff33c3f215b21de94f21889f229241752dd858450e07a
Size: 339.27 kB - nodejs-packaging-2021.06-6.module+el9+1142+b810beae.src.rpm
MD5: 72a386b8948c938349361958e158a4b3
SHA-256: cd0bca67f3655ee876bcdb67ad5421a2dcc9e1be62ad8b7ba4ccfd40a55f7a4f
Size: 25.41 kB - nodejs-20.20.2-1.module+el9+1142+b810beae.src.rpm
MD5: 9781afb73d964005ee35f47c05fe48a1
SHA-256: f7e0296c7963587d40de7df4778cdb5cda1e69076c2811a24bb4f6380958b860
Size: 83.84 MB
Asianux Server 9 for x86_64
- nodejs-20.20.2-1.module+el9+1142+b810beae.x86_64.rpm
MD5: e1e10ba9fd6783d58f90f3de00cafca5
SHA-256: e21ea202dab1053ae8ca3dcd39c3f841dd58e69850451182c366931507da0f82
Size: 14.12 MB - nodejs-debugsource-20.20.2-1.module+el9+1142+b810beae.x86_64.rpm
MD5: 5d5a6bbf30985e8be83aaa6b93cdbf5d
SHA-256: f400d52f75f44248f5696e991c7a9509770e6f9a673178ba9fca85125a0a956a
Size: 12.73 MB - nodejs-devel-20.20.2-1.module+el9+1142+b810beae.x86_64.rpm
MD5: 48e3cdd5b7eccd2bc98669eda8835d40
SHA-256: 7ef1646107724a17d08e4fc23ffa1c7965ff5ae05a3971784d793812c7bb393c
Size: 258.88 kB - nodejs-docs-20.20.2-1.module+el9+1142+b810beae.noarch.rpm
MD5: 351474012c2765241ae99d24a6da267c
SHA-256: 2bf6b13037462b0e7c0d2fe5a333e21ae6130c6a223b34043e81a52812ce40aa
Size: 8.62 MB - nodejs-full-i18n-20.20.2-1.module+el9+1142+b810beae.x86_64.rpm
MD5: f3f597a400947a09ce82334bb0aa3d9f
SHA-256: b9c86f0f66b82ef3b64658701131d315d910bd85b98e74d53c63445725ef95af
Size: 8.87 MB - nodejs-nodemon-3.0.1-1.module+el9+1142+b810beae.noarch.rpm
MD5: 287c278e2039e9f8f77e8f92b457b340
SHA-256: df829e1342caa4249ff54a7f9efa1996ea944f92f659fa832cd2b65e4948be01
Size: 332.23 kB - nodejs-packaging-2021.06-6.module+el9+1142+b810beae.noarch.rpm
MD5: 94fa328b4bb71242a060f23cfb75ef34
SHA-256: ada003cb95b571237175fbf20ddcc45faace0202cf2eb6607ffed64b1030d715
Size: 18.66 kB - nodejs-packaging-bundler-2021.06-6.module+el9+1142+b810beae.noarch.rpm
MD5: 862afae572266307fd765c0fb68cfdae
SHA-256: 84af3826934ce4df8b12e1a102240aa1d9c268c7b0a884337123a3ebcb425e3d
Size: 8.47 kB - npm-10.8.2-1.20.20.2.1.module+el9+1142+b810beae.x86_64.rpm
MD5: db3311b4124354d4572237b1e5e388f0
SHA-256: 220255f291c730cd5086e4d2885287929e9130a5c33ecdb6ade0c1826bdd3942
Size: 2.22 MB
English