{"id":"RHSA-2026:7123","summary":"Red Hat Security Advisory: nodejs:22 security update","modified":"2026-04-10T10:09:00Z","published":"2026-04-09T10:11:55Z","upstream":["CVE-2026-1525","CVE-2026-1526","CVE-2026-1528","CVE-2026-21710","CVE-2026-2229","CVE-2026-25547","CVE-2026-26996","CVE-2026-27135","CVE-2026-27904"],"references":[{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:7123"},{"type":"ARTICLE","url":"https://access.redhat.com/security/updates/classification/#important"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2436942"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2441268"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2442922"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2447142"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2447143"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2447144"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2447145"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2448754"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2453151"},{"type":"ARTICLE","url":"https://issues.redhat.com/browse/RHEL-154019"},{"type":"ADVISORY","url":"https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_7123.json"},{"type":"REPORT","url":"https://access.redhat.com/security/cve/CVE-2026-1525"},{"type":"ADVISORY","url":"https://www.cve.org/CVERecord?id=CVE-2026-1525"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-1525"},{"type":"ARTICLE","url":"https://cna.openjsf.org/security-advisories.html"},{"type":"ARTICLE","url":"https://cwe.mitre.org/data/definitions/444.html"},{"type":"ARTICLE","url":"https://github.com/nodejs/undici/security/advisories/GHSA-2mjp-6q6p-2qxm"},{"type":"ARTICLE","url":"https://hackerone.com/reports/3556037"},{"type":"ARTICLE","url":"https://www.rfc-editor.org/rfc/rfc9110.html#section-8.6"},{"type":"REPORT","url":"https://access.redhat.com/security/cve/CVE-2026-1526"},{"type":"ADVISORY","url":"https://www.cve.org/CVERecord?id=CVE-2026-1526"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-1526"},{"type":"ARTICLE","url":"https://datatracker.ietf.org/doc/html/rfc7692"},{"type":"ARTICLE","url":"https://github.com/nodejs/undici/security/advisories/GHSA-vrm6-8vpv-qv8q"},{"type":"ARTICLE","url":"https://hackerone.com/reports/3481206"},{"type":"REPORT","url":"https://access.redhat.com/security/cve/CVE-2026-1528"},{"type":"ADVISORY","url":"https://www.cve.org/CVERecord?id=CVE-2026-1528"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-1528"},{"type":"ARTICLE","url":"https://github.com/nodejs/undici/security/advisories/GHSA-f269-vfmq-vjvj"},{"type":"ARTICLE","url":"https://hackerone.com/reports/3537648"},{"type":"REPORT","url":"https://access.redhat.com/security/cve/CVE-2026-2229"},{"type":"ADVISORY","url":"https://www.cve.org/CVERecord?id=CVE-2026-2229"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-2229"},{"type":"ARTICLE","url":"https://github.com/nodejs/undici/security/advisories/GHSA-v9p9-hfj2-hcw8"},{"type":"ARTICLE","url":"https://hackerone.com/reports/3487486"},{"type":"ARTICLE","url":"https://nodejs.org/api/zlib.html#class-zlibinflateraw"},{"type":"REPORT","url":"https://access.redhat.com/security/cve/CVE-2026-21710"},{"type":"ADVISORY","url":"https://www.cve.org/CVERecord?id=CVE-2026-21710"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-21710"},{"type":"ARTICLE","url":"https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"},{"type":"REPORT","url":"https://access.redhat.com/security/cve/CVE-2026-25547"},{"type":"ADVISORY","url":"https://www.cve.org/CVERecord?id=CVE-2026-25547"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25547"},{"type":"ARTICLE","url":"https://github.com/isaacs/brace-expansion/security/advisories/GHSA-7h2j-956f-4vf2"},{"type":"REPORT","url":"https://access.redhat.com/security/cve/CVE-2026-26996"},{"type":"ADVISORY","url":"https://www.cve.org/CVERecord?id=CVE-2026-26996"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-26996"},{"type":"ARTICLE","url":"https://github.com/isaacs/minimatch/commit/2e111f3a79abc00fa73110195de2c0f2351904f5"},{"type":"ARTICLE","url":"https://github.com/isaacs/minimatch/security/advisories/GHSA-3ppc-4f35-3m26"},{"type":"REPORT","url":"https://access.redhat.com/security/cve/CVE-2026-27135"},{"type":"ADVISORY","url":"https://www.cve.org/CVERecord?id=CVE-2026-27135"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27135"},{"type":"ARTICLE","url":"https://github.com/nghttp2/nghttp2/commit/5c7df8fa815ac1004d9ecb9d1f7595c4d37f46e1"},{"type":"ARTICLE","url":"https://github.com/nghttp2/nghttp2/security/advisories/GHSA-6933-cjhr-5qg6"},{"type":"REPORT","url":"https://access.redhat.com/security/cve/CVE-2026-27904"},{"type":"ADVISORY","url":"https://www.cve.org/CVERecord?id=CVE-2026-27904"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27904"},{"type":"ARTICLE","url":"https://github.com/isaacs/minimatch/security/advisories/GHSA-23c5-xmqv-rm74"}],"affected":[{"package":{"name":"nodejs","ecosystem":"Red Hat:enterprise_linux:8::appstream","purl":"pkg:rpm/redhat/nodejs"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1:22.22.2-1.module+el8.10.0+24148+847b6786"}]}],"database_specific":{"source":"https://security.access.redhat.com/data/osv/RHSA-2026:7123.json"}},{"package":{"name":"nodejs-debuginfo","ecosystem":"Red Hat:enterprise_linux:8::appstream","purl":"pkg:rpm/redhat/nodejs-debuginfo"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1:22.22.2-1.module+el8.10.0+24148+847b6786"}]}],"database_specific":{"source":"https://security.access.redhat.com/data/osv/RHSA-2026:7123.json"}},{"package":{"name":"nodejs-debugsource","ecosystem":"Red Hat:enterprise_linux:8::appstream","purl":"pkg:rpm/redhat/nodejs-debugsource"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1:22.22.2-1.module+el8.10.0+24148+847b6786"}]}],"database_specific":{"source":"https://security.access.redhat.com/data/osv/RHSA-2026:7123.json"}},{"package":{"name":"nodejs-devel","ecosystem":"Red Hat:enterprise_linux:8::appstream","purl":"pkg:rpm/redhat/nodejs-devel"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1:22.22.2-1.module+el8.10.0+24148+847b6786"}]}],"database_specific":{"source":"https://security.access.redhat.com/data/osv/RHSA-2026:7123.json"}},{"package":{"name":"nodejs-docs","ecosystem":"Red Hat:enterprise_linux:8::appstream","purl":"pkg:rpm/redhat/nodejs-docs"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1:22.22.2-1.module+el8.10.0+24148+847b6786"}]}],"database_specific":{"source":"https://security.access.redhat.com/data/osv/RHSA-2026:7123.json"}},{"package":{"name":"nodejs-full-i18n","ecosystem":"Red Hat:enterprise_linux:8::appstream","purl":"pkg:rpm/redhat/nodejs-full-i18n"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1:22.22.2-1.module+el8.10.0+24148+847b6786"}]}],"database_specific":{"source":"https://security.access.redhat.com/data/osv/RHSA-2026:7123.json"}},{"package":{"name":"nodejs-libs","ecosystem":"Red Hat:enterprise_linux:8::appstream","purl":"pkg:rpm/redhat/nodejs-libs"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1:22.22.2-1.module+el8.10.0+24148+847b6786"}]}],"database_specific":{"source":"https://security.access.redhat.com/data/osv/RHSA-2026:7123.json"}},{"package":{"name":"nodejs-libs-debuginfo","ecosystem":"Red Hat:enterprise_linux:8::appstream","purl":"pkg:rpm/redhat/nodejs-libs-debuginfo"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1:22.22.2-1.module+el8.10.0+24148+847b6786"}]}],"database_specific":{"source":"https://security.access.redhat.com/data/osv/RHSA-2026:7123.json"}},{"package":{"name":"nodejs-nodemon","ecosystem":"Red Hat:enterprise_linux:8::appstream","purl":"pkg:rpm/redhat/nodejs-nodemon"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0:3.0.1-1.module+el8.10.0+24148+847b6786"}]}],"database_specific":{"source":"https://security.access.redhat.com/data/osv/RHSA-2026:7123.json"}},{"package":{"name":"nodejs-packaging","ecosystem":"Red Hat:enterprise_linux:8::appstream","purl":"pkg:rpm/redhat/nodejs-packaging"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0:2021.06-6.module+el8.10.0+24148+847b6786"}]}],"database_specific":{"source":"https://security.access.redhat.com/data/osv/RHSA-2026:7123.json"}},{"package":{"name":"nodejs-packaging-bundler","ecosystem":"Red Hat:enterprise_linux:8::appstream","purl":"pkg:rpm/redhat/nodejs-packaging-bundler"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0:2021.06-6.module+el8.10.0+24148+847b6786"}]}],"database_specific":{"source":"https://security.access.redhat.com/data/osv/RHSA-2026:7123.json"}},{"package":{"name":"npm","ecosystem":"Red Hat:enterprise_linux:8::appstream","purl":"pkg:rpm/redhat/npm"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1:10.9.7-1.22.22.2.1.module+el8.10.0+24148+847b6786"}]}],"database_specific":{"source":"https://security.access.redhat.com/data/osv/RHSA-2026:7123.json"}},{"package":{"name":"v8-12.4-devel","ecosystem":"Red Hat:enterprise_linux:8::appstream","purl":"pkg:rpm/redhat/v8-12.4-devel"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3:12.4.254.21-1.22.22.2.1.module+el8.10.0+24148+847b6786"}]}],"database_specific":{"source":"https://security.access.redhat.com/data/osv/RHSA-2026:7123.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}