nodejs24-docs (AlmaLinux:10) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the AlmaLinux:10 package nodejs24-docs, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (23)
CVE-2026-25547: @isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is…
CVE-2025-55130 — CVSS 9.1 (critical): A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted…
CVE-2025-59466 — CVSS 7.5 (high): We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when…
CVE-2026-27135 — CVSS 7.5 (high): nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading…
CVE-2025-59465 — CVSS 7.5 (high): A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket`…
CVE-2026-1526 — CVSS 7.5 (high): The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate…
CVE-2026-1528 — CVSS 7.5 (high): ImpactA server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows…
CVE-2026-21637 — CVSS 7.5 (high): A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or…
CVE-2026-21710 — CVSS 7.5 (high): A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the…
CVE-2026-2229 — CVSS 7.5 (high): ImpactThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits…
CVE-2026-26996 — CVSS 7.5 (high): minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are…
CVE-2025-55131 — CVSS 7.1 (high): A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module…
CVE-2026-1525 — CVSS 6.5 (medium): Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and…
CVE-2026-2581 — CVSS 5.9 (medium): This is an uncontrolled resource consumption vulnerability (CWE-400) that can lead to Denial of Service (DoS). In vulnerable Undici…
CVE-2026-21713 — CVSS 5.9 (medium): A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking…
CVE-2026-21717 — CVSS 5.9 (medium): A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially…
CVE-2026-21712 — CVSS 5.7 (medium): A flaw in Node.js URL processing causes an assertion failure in native code when `url.format()` is called with a malformed…
CVE-2026-21714 — CVSS 5.3 (medium): A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow…
CVE-2026-21711 — CVSS 5.3 (medium): A flaw in Node.js Permission Model network enforcement leaves Unix Domain Socket (UDS) server operations without the required permission…
CVE-2025-55132 — CVSS 5.3 (medium): A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via `futimes()` even when the process…
CVE-2026-1527 — CVSS 4.6 (medium): ImpactWhen an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject CRLF sequences…
CVE-2026-21716 — CVSS 3.3 (low): An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and `FileHandle.chown()` in the promises API without the required…
CVE-2026-21715 — CVSS 3.3 (low): A flaw in Node.js Permission Model filesystem enforcement leaves `fs.realpathSync.native()` without the required read permission checks…