npm (AlmaLinux:8) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the AlmaLinux:8 package npm, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (110)
CVE-2025-3277 — CVSS 9.8 (critical): An integer overflow can be triggered in SQLite’s `concat_ws()` function. The resulting, truncated integer is then used to allocate a…
CVE-2023-39332 — CVSS 9.8 (critical): Various `node:fs` functions allow specifying paths as either strings or `Uint8Array` objects. In Node.js environments, the `Buffer` class…
CVE-2024-21896 — CVSS 9.8 (critical): The permission model protects itself against path traversal attacks by calling path.resolve() on any paths given by the user. If the path…
CVE-2023-32002 — CVSS 9.8 (critical): The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module…
CVE-2021-3918 — CVSS 9.8 (critical): json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2021-22931 — CVSS 9.8 (critical): Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote Code Execution, XSS, Application crashes due to missing input…
CVE-2021-22930 — CVSS 9.8 (critical): Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to a use after free attack where an attacker might be able to exploit the memory…
CVE-2026-25547: @isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is…
CVE-2025-55130 — CVSS 9.1 (critical): A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted…
CVE-2022-35255 — CVSS 9.1 (critical): A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretKeyGenTraits::DoKeyGe…
CVE-2021-43616 — CVSS 9.0 (critical): The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if dependency information in package-lock.json…
CVE-2023-32006 — CVSS 8.8 (high): The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition…
CVE-2024-21891 — CVSS 8.8 (high): Node.js depends on multiple built-in utility functions to normalize paths provided to node:fs functions, which can be overwitten with…
CVE-2022-4904 — CVSS 8.6 (high): A flaw was found in the c-ares package. The ares_set_sortlist is missing checks about the validity of the input string, which allows a…
CVE-2025-31498: c-ares is an asynchronous resolver library. From 1.32.3 through 1.34.4, there is a use-after-free in read_answers() when process_answer()…
CVE-2022-21824 — CVSS 8.2 (high): Due to the formatting logic of the "console.table()" function it was not safe to allow user controlled input to be passed to the…
CVE-2021-32803 — CVSS 8.2 (high): The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability…
CVE-2021-32804 — CVSS 8.2 (high): The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability…
CVE-2021-37701 — CVSS 8.2 (high): The npm package "tar" (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite and arbitrary code…
CVE-2021-37712 — CVSS 8.2 (high): The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code…
CVE-2024-27983 — CVSS 8.2 (high): An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2…
CVE-2022-32212 — CVSS 8.1 (high): A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that…
CVE-2022-43548 — CVSS 8.1 (high): A OS Command Injection vulnerability exists in Node.js versions <14.21.1, <16.18.1, <18.12.1, <19.0.1 due to an insufficient IsAllowedHost…
CVE-2024-21892 — CVSS 7.8 (high): On Linux, Node.js ignores certain environment variables if those may have been set by an unprivileged user while the process is running…
CVE-2025-6965 — CVSS 7.7 (high): There exists a vulnerability in SQLite versions before 3.50.2 where the number of aggregate terms could exceed the number of columns…
CVE-2025-23083 — CVSS 7.7 (high): With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created. This is not limited only…
CVE-2026-27904 — CVSS 7.5 (high): minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7…
CVE-2021-22883 — CVSS 7.5 (high): Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to a denial of service attack when too many connection attempts with an…
CVE-2021-22884 — CVSS 7.5 (high): Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS rebinding attacks as the whitelist includes “localhost6”…
CVE-2021-22940 — CVSS 7.5 (high): Node.js before 16.6.1, 14.17.5, and 12.22.5 is vulnerable to a use after free attack where an attacker might be able to exploit the memory…
CVE-2021-33502 — CVSS 7.5 (high): The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of…
CVE-2021-35065 — CVSS 7.5 (high): The glob-parent package before 6.0.1 for Node.js allows ReDoS (regular expression denial of service) attacks against the enclosure regular…
CVE-2022-24999 — CVSS 7.5 (high): qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express…
CVE-2022-3517 — CVSS 7.5 (high): A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the…
CVE-2023-23918 — CVSS 7.5 (high): A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1 and <14.21.3 that made it possible to bypass the…
CVE-2023-23919 — CVSS 7.5 (high): A cryptographic vulnerability exists in Node.js <19.2.0, <18.14.1, <16.19.1, <14.21.3 that in some cases did does not clear the OpenSSL…
CVE-2023-24807 — CVSS 7.5 (high): Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the `Headers.set()` and `Headers.append()` methods are vulnerable to…
CVE-2023-30581 — CVSS 7.5 (high): The use of __proto__ in process.mainModule.__proto__.require() can bypass the policy mechanism and require modules outside of the…
CVE-2023-30589 — CVSS 7.5 (high): The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to…
CVE-2023-30590 — CVSS 7.5 (high): The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or outdated) keys, that is, it only…
CVE-2023-32067 — CVSS 7.5 (high): c-ares is an asynchronous resolver library. c-ares is vulnerable to denial of service. If a target resolver sends a query, the attacker…
CVE-2023-32559 — CVSS 7.5 (high): A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. The use…
CVE-2023-38552 — CVSS 7.5 (high): When the Node.js policy feature checks the integrity of a resource against a trusted manifest, the application can intercept the operation…
CVE-2023-39331 — CVSS 7.5 (high): A previously disclosed vulnerability (CVE-2023-30584) was patched insufficiently in commit 205f1e6. The new path traversal vulnerability…
CVE-2024-22019 — CVSS 7.5 (high): A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to…
CVE-2025-23166 — CVSS 7.5 (high): The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background…
CVE-2025-59465 — CVSS 7.5 (high): A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket`…
CVE-2025-59466 — CVSS 7.5 (high): We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when…
CVE-2026-1526 — CVSS 7.5 (high): The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate…
CVE-2026-1528 — CVSS 7.5 (high): ImpactA server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows…
CVE-2026-21637 — CVSS 7.5 (high): A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or…
CVE-2026-21710 — CVSS 7.5 (high): A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the…
CVE-2026-2229 — CVSS 7.5 (high): ImpactThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits…
CVE-2026-26996 — CVSS 7.5 (high): minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are…
CVE-2026-27135 — CVSS 7.5 (high): nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading…
CVE-2021-44531 — CVSS 7.4 (high): Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in…
CVE-2023-46809 — CVSS 7.4 (high): Node.js versions which bundle an unpatched version of OpenSSL or run against a dynamically linked version of OpenSSL which are unpatched…
CVE-2024-22017 — CVSS 7.3 (high): setuid() does not affect libuv's internal io_uring operations if initialized before the call to setuid(). This allows the process to…
CVE-2020-7788 — CVSS 7.3 (high): This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse…
CVE-2025-55131 — CVSS 7.1 (high): A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module…
CVE-2025-22150 — CVSS 6.8 (medium): Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to versions 5.28.5, 6.21.1, and 7.2.3, undici uses `Math.random()` to…
CVE-2023-23936 — CVSS 6.5 (medium): Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect…
CVE-2022-32214 — CVSS 6.5 (medium): The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP…
CVE-2022-32215 — CVSS 6.5 (medium): The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding…
CVE-2024-21890 — CVSS 6.5 (medium): The Node.js Permission Model does not clarify in the documentation that wildcards should be only used as the last character of a file path…
CVE-2022-35256 — CVSS 6.5 (medium): The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may…
CVE-2026-1525 — CVSS 6.5 (medium): Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and…
CVE-2024-22020 — CVSS 6.5 (medium): A security flaw in Node.js allows a bypass of network import restrictions. By embedding non-network imports in data URLs, an attacker can…
CVE-2024-22025 — CVSS 6.5 (medium): A vulnerability in Node.js has been identified, allowing for a Denial of Service (DoS) attack through resource exhaustion when using the…
CVE-2021-22959 — CVSS 6.5 (medium): The parser in accepts requests with a space (SP) right after the header name before the colon. This can lead to HTTP Request Smuggling…
CVE-2024-27982 — CVSS 6.5 (medium): The team has identified a critical vulnerability in the http server of the most recent version of Node, where malformed headers can lead to…
CVE-2022-32213 — CVSS 6.5 (medium): The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding…
CVE-2021-22960 — CVSS 6.5 (medium): The parse function in llhttp < 2.1.4 and < 6.0.6. ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP…
CVE-2024-28863 — CVSS 6.5 (medium): node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation…
CVE-2026-21713 — CVSS 5.9 (medium): A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking…
CVE-2023-31147 — CVSS 5.9 (medium): c-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom() are unavailable, c-ares uses rand() to generate random…
CVE-2026-21717 — CVSS 5.9 (medium): A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially…
CVE-2026-2581 — CVSS 5.9 (medium): This is an uncontrolled resource consumption vulnerability (CWE-400) that can lead to Denial of Service (DoS). In vulnerable Undici…
CVE-2026-21712 — CVSS 5.7 (medium): A flaw in Node.js URL processing causes an assertion failure in native code when `url.format()` is called with a malformed…
CVE-2021-3672 — CVSS 5.6 (medium): A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to…
CVE-2021-23343 — CVSS 5.3 (medium): All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and…
CVE-2022-33987 — CVSS 5.3 (medium): The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.
CVE-2026-21711 — CVSS 5.3 (medium): A flaw in Node.js Permission Model network enforcement leaves Unix Domain Socket (UDS) server operations without the required permission…
CVE-2025-55132 — CVSS 5.3 (medium): A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via `futimes()` even when the process…
CVE-2021-44532 — CVSS 5.3 (medium): Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 converts SANs (Subject Alternative Names) to a string format. It uses this string to…
CVE-2021-44533 — CVSS 5.3 (medium): Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 did not handle multi-value Relative Distinguished Names correctly. Attackers could…
CVE-2026-21714 — CVSS 5.3 (medium): A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow…
CVE-2024-28182 — CVSS 5.3 (medium): nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading…
CVE-2020-28469 — CVSS 5.3 (medium): This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path…
CVE-2022-25881 — CVSS 5.3 (medium): This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent…
CVE-2021-22939 — CVSS 5.3 (medium): If the Node.js https API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, no error was returned…
CVE-2022-25883 — CVSS 5.3 (medium): Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when…
CVE-2023-30588 — CVSS 5.3 (medium): When an invalid public key is used to create an x509 certificate using the crypto.X509Certificate() API a non-expect termination occurs…
CVE-2025-23085 — CVSS 5.3 (medium): A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid…
CVE-2023-39333 — CVSS 5.3 (medium): Maliciously crafted export names in an imported WebAssembly module can inject JavaScript code. The injected code may be able to access data…
CVE-2026-1527 — CVSS 4.6 (medium): ImpactWhen an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject CRLF sequences…
CVE-2024-25629 — CVSS 4.4 (medium): c-ares is a C library for asynchronous DNS requests. `ares__read_line()` is used to parse local configuration files such as…
CVE-2023-23920 — CVSS 4.2 (medium): An untrusted search path vulnerability exists in Node.js. <19.6.1, <18.14.1, <16.19.1, and <14.21.3 that could allow an attacker to search…
CVE-2023-31130 — CVSS 4.1 (medium): c-ares is an asynchronous resolver library. ares_inet_net_pton() is vulnerable to a buffer underflow for certain ipv6 addresses, in…
CVE-2023-45143 — CVSS 3.9 (low): Undici is an HTTP/1.1 client written from scratch for Node.js. Prior to version 5.26.2, Undici already cleared Authorization headers on…
CVE-2023-31124 — CVSS 3.7 (low): c-ares is an asynchronous resolver library. When cross-compiling c-ares and using the autotools build system, CARES_RANDOM_FILE will not be…
CVE-2024-36137 — CVSS 3.3 (low): A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-write flag is…
CVE-2026-21716 — CVSS 3.3 (low): An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and `FileHandle.chown()` in the promises API without the required…
CVE-2026-21715 — CVSS 3.3 (low): A flaw in Node.js Permission Model filesystem enforcement leaves `fs.realpathSync.native()` without the required read permission checks…
CVE-2024-22018 — CVSS 2.9 (low): A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-read flag is used…