nodejs:20 security update
エラータID: AXSA:2026-464:01
リリース日:
2026/04/19 Sunday - 15:18
題名:
nodejs:20 security update
影響のあるチャネル:
Asianux Server 8 for x86_64
Severity:
High
Description:
以下項目について対処しました。
[Security Fix]
- Node.js の HTTP リクエストのハンドリング処理には、"__proto__"
という名前のヘッダーの扱いが不適切である問題があるため、リモート
の攻撃者により、サービス拒否攻撃を可能とする脆弱性が存在します。
(CVE-2026-21710)
- minimatch には、正規表現の不備に起因して意図せずリソースを消費
してしまう問題があるため、リモートの攻撃者により、多数の連続した
ワイルドカード文字 (*) などを含むように細工された正規表現の入力を
介して、正規表現サービス拒否攻撃 (CPU リソース枯渇) を可能とする
脆弱性が存在します。(CVE-2026-26996)
- nghttp2 には、内部状態の検証処理が不十分である問題があるため、
リモートの攻撃者により、サービス拒否攻撃を可能とする脆弱性が存在
します。(CVE-2026-27135)
- minimatch の extglob 拡張の実装には、意図せずリソースを消費して
しまう問題があるため、リモートの攻撃者により、サービス拒否攻撃
(リソース枯渇) を可能とする脆弱性が存在します。(CVE-2026-27904)
Modularity name: nodejs
Stream name: 20
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2026-21710
A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`. When this occurs, `dest["__proto__"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by `error` event listeners, meaning it cannot be handled without wrapping every `req.headersDistinct` access in a `try/catch`. * This vulnerability affects all Node.js HTTP servers on **20.x, 22.x, 24.x, and v25.x**
A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`. When this occurs, `dest["__proto__"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by `error` event listeners, meaning it cannot be handled without wrapping every `req.headersDistinct` access in a `try/catch`. * This vulnerability affects all Node.js HTTP servers on **20.x, 22.x, 24.x, and v25.x**
CVE-2026-26996
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS. This issue has been fixed in version 10.2.1.
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS. This issue has been fixed in version 10.2.1.
CVE-2026-27135
nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the incoming data when user facing public API `nghttp2_session_terminate_session` or `nghttp2_session_terminate_session2` is called by the application. They might be called internally by the library when it detects the situation that is subject to connection error. Due to the missing internal state validation, the library keeps reading the rest of the data after one of those APIs is called. Then receiving a malformed frame that causes FRAME_SIZE_ERROR causes assertion failure. nghttp2 v1.68.1 adds missing state validation to avoid assertion failure. No known workarounds are available.
nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the incoming data when user facing public API `nghttp2_session_terminate_session` or `nghttp2_session_terminate_session2` is called by the application. They might be called internally by the library when it detects the situation that is subject to connection error. Due to the missing internal state validation, the library keeps reading the rest of the data after one of those APIs is called. Then receiving a malformed frame that causes FRAME_SIZE_ERROR causes assertion failure. nghttp2 v1.68.1 adds missing state validation to avoid assertion failure. No known workarounds are available.
CVE-2026-27904
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested `*()` extglobs produce regexps with nested unbounded quantifiers (e.g. `(?:(?:a|b)*)*`), which exhibit catastrophic backtracking in V8. With a 12-byte pattern `*(*(*(a|b)))` and an 18-byte non-matching input, `minimatch()` stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the default `minimatch()` API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects `+()` extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue.
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested `*()` extglobs produce regexps with nested unbounded quantifiers (e.g. `(?:(?:a|b)*)*`), which exhibit catastrophic backtracking in V8. With a 12-byte pattern `*(*(*(a|b)))` and an 18-byte non-matching input, `minimatch()` stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the default `minimatch()` API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects `+()` extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue.
追加情報:
N/A
ダウンロード:
SRPMS
- nodejs-nodemon-3.0.1-1.module+el8+1974+32fd0a72.src.rpm
MD5: 7e2c1aca9b5109da958cbc6536ac11d9
SHA-256: 5132c257a5bb75084154c93588e3999d8838a9bc851ec86bca1ac412b137f2ac
Size: 339.85 kB - nodejs-packaging-2021.06-6.module+el8+1974+32fd0a72.src.rpm
MD5: 9670855254946f150cb0d324084b75ba
SHA-256: cc6318b6079b8a8f5fc07088e81fda6aa0aaddb920f1d095a7c8154670a36060
Size: 30.67 kB - nodejs-20.20.2-1.module+el8+1974+32fd0a72.src.rpm
MD5: 49cd75b599d687ca6dd96dac050d9a62
SHA-256: 8205755851537f3e834547fce178af745ab312cd699d549e882e7faadf2c099e
Size: 83.83 MB
Asianux Server 8 for x86_64
- nodejs-20.20.2-1.module+el8+1974+32fd0a72.x86_64.rpm
MD5: 23d907f281022bef23bac7bc22833a14
SHA-256: a9930fb40a5ed500c382449fcf52b694520f26f67eba03161d28d098688fcbea
Size: 14.53 MB - nodejs-debugsource-20.20.2-1.module+el8+1974+32fd0a72.x86_64.rpm
MD5: ef14d1d00b1e39259c56802eae549434
SHA-256: 4c1a8fcf76458ac9b4cb35f0fa64a650c33bc4de3e38ed067f4d63f7af342fac
Size: 11.98 MB - nodejs-devel-20.20.2-1.module+el8+1974+32fd0a72.x86_64.rpm
MD5: 34ae1c1aef3e2f8ef5d99b3e5ec335c7
SHA-256: c169ce56b4c7f4e70716c68c636371a3a29b4ab35bf566d50cdc568a7b440a97
Size: 263.67 kB - nodejs-docs-20.20.2-1.module+el8+1974+32fd0a72.noarch.rpm
MD5: 598730f20e23019c6d7f908320814d41
SHA-256: 2b22db8404838c3ffac0223dca573018ac2dbd2412629e3ce49e4c41fcdd6cd2
Size: 10.96 MB - nodejs-full-i18n-20.20.2-1.module+el8+1974+32fd0a72.x86_64.rpm
MD5: ad5698ada4b6152ee207ac7bf17c23bf
SHA-256: 7566f77f27bacd3111ed2235cf7bf8b5ab0d5f59a5f1454c49e981270bf9b358
Size: 8.61 MB - nodejs-nodemon-3.0.1-1.module+el8+1974+32fd0a72.noarch.rpm
MD5: f073d0e93c5171f2ff26725f176bf88f
SHA-256: d40f35d9dc631a9df4888abc4d113b0bf31250b9e80d84db82803e7360671207
Size: 281.65 kB - nodejs-packaging-2021.06-6.module+el8+1974+32fd0a72.noarch.rpm
MD5: d18afaf5079955826109322d43b532ff
SHA-256: 934bdd1848053b497c38658fe40fb23dfb607134292c2f59a9628c6e9db00b1b
Size: 24.41 kB - nodejs-packaging-bundler-2021.06-6.module+el8+1974+32fd0a72.noarch.rpm
MD5: bf20c6b2a94262db050f53e14986a975
SHA-256: 25e50c1131edac982876850b63dac1230f5d99cd67bd3846f1013489b85da33b
Size: 13.99 kB - npm-10.8.2-1.20.20.2.1.module+el8+1974+32fd0a72.x86_64.rpm
MD5: a762d3de43842d954466c363293d738f
SHA-256: 2e64f19f05ee07a384983198598acce7a5a1a479a0088bd19463846f20ca9ee1
Size: 2.02 MB
English