RHSA-2023:2655: Moderate: nodejs and nodejs-nodemon security, bug fix, and enhancement update
Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (16.19.1), nodejs-nodemon (2.0.20).Security Fix(es): c-ares: buffer overflow in config_sortlist() due to missing string length check (CVE-2022-4904) http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability (CVE-2022-25881) Node.js: Permissions policies can be bypassed via process.mainModule (CVE-2023-23918) Node.js: Fetch API did not protect against CRLF injection in host headers (CVE-2023-23936) Node.js: insecure loading of ICU data through ICU_DATA environment variable (CVE-2023-23920) Node.js: Regular Expression Denial of Service in Headers fetch API (CVE-2023-24807) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Affected Software
Remediation
Event History
Frequently Asked Questions
What is the severity of RHSA-2023:2655?
RHSA-2023:2655 addresses critical vulnerabilities in Node.js that could lead to potential exploitation.
How do I fix RHSA-2023:2655?
To fix RHSA-2023:2655, upgrade the affected packages to the latest versions specified in the advisory.
Which packages are affected by RHSA-2023:2655?
Packages affected by RHSA-2023:2655 include nodejs, nodejs-nodemon, and their associated libraries.
Are there any workarounds for RHSA-2023:2655?
There are no specific workarounds for RHSA-2023:2655; updating the impacted packages is recommended.
When was RHSA-2023:2655 released?
RHSA-2023:2655 was released on the security advisory date indicated on Red Hat's advisory site.