Updated nodejs packages fix security vulnerabilities
Publication date: 18 Jul 2026Modification date: 18 Jul 2026
Type: security
Affected Mageia releases : 10 , 9
CVE: CVE-2026-48615 , CVE-2026-48617 , CVE-2026-48618 , CVE-2026-48619 , CVE-2026-48928 , CVE-2026-48930 , CVE-2026-48931 , CVE-2026-48933 , CVE-2026-48934 , CVE-2026-48935 , CVE-2026-48937
Description
lib,test: redact proxy credentials in tunnel errors. (CVE-2026-48615)
permission: handle process.chdir on writereport. (CVE-2026-48617)
tls: normalize hostname for server identity checks. (CVE-2026-48618)
http2: cap originSet size to prevent unbounded memory growth.
(CVE-2026-48619)
tls: fix case-sensitive SNI context matching. (CVE-2026-48928)
dns,net: reject hostnames with embedded NUL bytes. (CVE-2026-48930)
http: fix response queue poisoning in http.Agent. (CVE-2026-48931)
crypto: guard WebCrypto cipher output length. (CVE-2026-48933)
tls: bind reusable sessions to authenticated host. (CVE-2026-48934)
permission: disable FileHandle utimes with permission model.
(CVE-2026-48935)
deps: fix integration issues with the latest nghttp2. (CVE-2026-48937)
References
- https://bugs.mageia.org/show_bug.cgi?id=35724
- https://nodejs.org/en/blog/release/v22.23.0
- https://nodejs.org/en/blog/vulnerability/june-2026-security-releases
- https://www.cve.org/CVERecord?id=CVE-2026-48615
- https://www.cve.org/CVERecord?id=CVE-2026-48617
- https://www.cve.org/CVERecord?id=CVE-2026-48618
- https://www.cve.org/CVERecord?id=CVE-2026-48619
- https://www.cve.org/CVERecord?id=CVE-2026-48928
- https://www.cve.org/CVERecord?id=CVE-2026-48930
- https://www.cve.org/CVERecord?id=CVE-2026-48931
- https://www.cve.org/CVERecord?id=CVE-2026-48933
- https://www.cve.org/CVERecord?id=CVE-2026-48934
- https://www.cve.org/CVERecord?id=CVE-2026-48935
- https://www.cve.org/CVERecord?id=CVE-2026-48937
SRPMS
10/core
- nodejs-22.23.1-2.mga10
9/core
- nodejs-22.23.1-2.mga9