{
  "schema_version": "1.7.0",
  "id": "MGASA-2026-0257",
  "published": "2026-07-18T05:48:16Z",
  "modified": "2026-07-18T04:13:29Z",
  "summary": "Updated nodejs packages fix security vulnerabilities",
  "details": "lib,test: redact proxy credentials in tunnel errors. (CVE-2026-48615)\npermission: handle process.chdir on writereport. (CVE-2026-48617)\ntls: normalize hostname for server identity checks. (CVE-2026-48618)\nhttp2: cap originSet size to prevent unbounded memory growth.\n(CVE-2026-48619)\ntls: fix case-sensitive SNI context matching. (CVE-2026-48928)\ndns,net: reject hostnames with embedded NUL bytes. (CVE-2026-48930)\nhttp: fix response queue poisoning in http.Agent. (CVE-2026-48931)\ncrypto: guard WebCrypto cipher output length. (CVE-2026-48933)\ntls: bind reusable sessions to authenticated host. (CVE-2026-48934)\npermission: disable FileHandle utimes with permission model.\n(CVE-2026-48935)\ndeps: fix integration issues with the latest nghttp2. (CVE-2026-48937)\n",
  "upstream": [
    "CVE-2026-48615",
    "CVE-2026-48617",
    "CVE-2026-48618",
    "CVE-2026-48619",
    "CVE-2026-48928",
    "CVE-2026-48930",
    "CVE-2026-48931",
    "CVE-2026-48933",
    "CVE-2026-48934",
    "CVE-2026-48935",
    "CVE-2026-48937"
  ],
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://advisories.mageia.org/MGASA-2026-0257.html"
    },
    {
      "type": "REPORT",
      "url": "https://bugs.mageia.org/show_bug.cgi?id=35724"
    },
    {
      "type": "WEB",
      "url": "https://nodejs.org/en/blog/release/v22.23.0"
    },
    {
      "type": "WEB",
      "url": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "Mageia:10",
        "name": "nodejs",
        "purl": "pkg:rpm/mageia/nodejs?arch=source&distro=mageia-10"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "22.23.1-2.mga10"
            }
          ]
        }
      ],
      "ecosystem_specific": {
        "section": "core"
      }
    },
    {
      "package": {
        "ecosystem": "Mageia:9",
        "name": "nodejs",
        "purl": "pkg:rpm/mageia/nodejs?arch=source&distro=mageia-9"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "22.23.1-2.mga9"
            }
          ]
        }
      ],
      "ecosystem_specific": {
        "section": "core"
      }
    }
  ],
  "credits": [
    {
      "name": "Mageia",
      "type": "COORDINATOR",
      "contact": [
        "https://wiki.mageia.org/en/Packages_Security_Team"
      ]
    }
  ]
}
