An update for nodejs is now available for openEuler-24.03-LTS-SP3 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2026-1952 Final 1.0 1.0 2026-04-17 Initial 2026-04-17 2026-04-17 openEuler SA Tool V1.0 2026-04-17 nodejs security update An update for nodejs is now available for openEuler-24.03-LTS-SP3 Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices. Security Fix(es): A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`. When this occurs, `dest["__proto__"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by `error` event listeners, meaning it cannot be handled without wrapping every `req.headersDistinct` access in a `try/catch`. * This vulnerability affects all Node.js HTTP servers on **20.x, 22.x, 24.x, and v25.x**(CVE-2026-21710) A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possible, this behavior could be exploited as a timing oracle to infer HMAC values. Node.js already provides timing-safe comparison primitives used elsewhere in the codebase, indicating this is an oversight rather than an intentional design decision. This vulnerability affects **20.x, 22.x, 24.x, and 25.x**.(CVE-2026-21713) A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2³¹-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up. This vulnerability affects HTTP2 users on Node.js 20, 22, 24 and 25.(CVE-2026-21714) A flaw in Node.js Permission Model filesystem enforcement leaves `fs.realpathSync.native()` without the required read permission checks, while all comparable filesystem functions correctly enforce them. As a result, code running under `--permission` with restricted `--allow-fs-read` can still use `fs.realpathSync.native()` to check file existence, resolve symlink targets, and enumerate filesystem paths outside of permitted directories. This vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-read` is intentionally restricted.(CVE-2026-21715) An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and `FileHandle.chown()` in the promises API without the required permission checks, while their callback-based equivalents (`fs.fchmod()`, `fs.fchown()`) were correctly patched. As a result, code running under `--permission` with restricted `--allow-fs-write` can still use promise-based `FileHandle` methods to modify file permissions and ownership on already-open file descriptors, bypassing the intended write restrictions. This vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-write` is intentionally restricted.(CVE-2026-21716) A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade performance of the Node.js process. The most common trigger is any endpoint that calls `JSON.parse()` on attacker-controlled input, as JSON parsing automatically internalizes short strings into the affected hash table. This vulnerability affects **20.x, 22.x, 24.x, and 25.x**.(CVE-2026-21717) An update for nodejs is now available for master/openEuler-20.03-LTS-SP4/openEuler-22.03-LTS-SP4/openEuler-24.03-LTS/openEuler-24.03-LTS-Next/openEuler-24.03-LTS-SP1/openEuler-24.03-LTS-SP2/openEuler-24.03-LTS-SP3/openEuler-22.03-LTS-SP3. openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. High nodejs https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1952 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-21710 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-21713 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-21714 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-21715 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-21716 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-21717 https://nvd.nist.gov/vuln/detail/CVE-2026-21710 https://nvd.nist.gov/vuln/detail/CVE-2026-21713 https://nvd.nist.gov/vuln/detail/CVE-2026-21714 https://nvd.nist.gov/vuln/detail/CVE-2026-21715 https://nvd.nist.gov/vuln/detail/CVE-2026-21716 https://nvd.nist.gov/vuln/detail/CVE-2026-21717 openEuler-24.03-LTS-SP3 nodejs-20.18.2-7.oe2403sp3.x86_64.rpm nodejs-debuginfo-20.18.2-7.oe2403sp3.x86_64.rpm nodejs-debugsource-20.18.2-7.oe2403sp3.x86_64.rpm nodejs-devel-20.18.2-7.oe2403sp3.x86_64.rpm nodejs-full-i18n-20.18.2-7.oe2403sp3.x86_64.rpm nodejs-libs-20.18.2-7.oe2403sp3.x86_64.rpm npm-10.8.2-1.20.18.2.7.oe2403sp3.x86_64.rpm v8-devel-11.3.244.8-1.20.18.2.7.oe2403sp3.x86_64.rpm nodejs-docs-20.18.2-7.oe2403sp3.noarch.rpm nodejs-20.18.2-7.oe2403sp3.aarch64.rpm nodejs-debuginfo-20.18.2-7.oe2403sp3.aarch64.rpm nodejs-debugsource-20.18.2-7.oe2403sp3.aarch64.rpm nodejs-devel-20.18.2-7.oe2403sp3.aarch64.rpm nodejs-full-i18n-20.18.2-7.oe2403sp3.aarch64.rpm nodejs-libs-20.18.2-7.oe2403sp3.aarch64.rpm npm-10.8.2-1.20.18.2.7.oe2403sp3.aarch64.rpm v8-devel-11.3.244.8-1.20.18.2.7.oe2403sp3.aarch64.rpm nodejs-20.18.2-7.oe2403sp3.src.rpm A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`. When this occurs, `dest["__proto__"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by `error` event listeners, meaning it cannot be handled without wrapping every `req.headersDistinct` access in a `try/catch`. * This vulnerability affects all Node.js HTTP servers on **20.x, 22.x, 24.x, and v25.x** 2026-04-17 CVE-2026-21710 openEuler-24.03-LTS-SP3 High 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H nodejs security update 2026-04-17 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1952 A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possible, this behavior could be exploited as a timing oracle to infer HMAC values. Node.js already provides timing-safe comparison primitives used elsewhere in the codebase, indicating this is an oversight rather than an intentional design decision. This vulnerability affects **20.x, 22.x, 24.x, and 25.x**. 2026-04-17 CVE-2026-21713 openEuler-24.03-LTS-SP3 Medium 5.9 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N nodejs security update 2026-04-17 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1952 A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2³¹-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up. This vulnerability affects HTTP2 users on Node.js 20, 22, 24 and 25. 2026-04-17 CVE-2026-21714 openEuler-24.03-LTS-SP3 Medium 5.3 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L nodejs security update 2026-04-17 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1952 A flaw in Node.js Permission Model filesystem enforcement leaves `fs.realpathSync.native()` without the required read permission checks, while all comparable filesystem functions correctly enforce them. As a result, code running under `--permission` with restricted `--allow-fs-read` can still use `fs.realpathSync.native()` to check file existence, resolve symlink targets, and enumerate filesystem paths outside of permitted directories. This vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-read` is intentionally restricted. 2026-04-17 CVE-2026-21715 openEuler-24.03-LTS-SP3 Low 3.3 AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N nodejs security update 2026-04-17 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1952 An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and `FileHandle.chown()` in the promises API without the required permission checks, while their callback-based equivalents (`fs.fchmod()`, `fs.fchown()`) were correctly patched. As a result, code running under `--permission` with restricted `--allow-fs-write` can still use promise-based `FileHandle` methods to modify file permissions and ownership on already-open file descriptors, bypassing the intended write restrictions. This vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-write` is intentionally restricted. 2026-04-17 CVE-2026-21716 openEuler-24.03-LTS-SP3 Low 3.3 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N nodejs security update 2026-04-17 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1952 A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade performance of the Node.js process. The most common trigger is any endpoint that calls `JSON.parse()` on attacker-controlled input, as JSON parsing automatically internalizes short strings into the affected hash table. This vulnerability affects **20.x, 22.x, 24.x, and 25.x**. 2026-04-17 CVE-2026-21717 openEuler-24.03-LTS-SP3 Medium 5.9 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H nodejs security update 2026-04-17 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1952