Lucene search
+L

Amazon Linux 2023 : nodejs22, nodejs22-devel, nodejs22-full-i18n (ALAS2023-2026-1921)

🗓️ 16 Jul 2026 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 3 Views

ALAS2023-2026-1921: undici SameSite parsing flaw and SQLite FTS5 memory corruption and overflow.

Related
Refs
Code
ReporterTitlePublishedViews
Family
ATTACKERKB
CVE-2026-48931
22 Jun 202618:59
attackerkb
ATTACKERKB
CVE-2026-48937
18 Jun 202618:01
attackerkb
ATTACKERKB
CVE-2026-48617
18 Jun 202616:21
attackerkb
ATTACKERKB
CVE-2026-48935
26 Jun 202601:14
attackerkb
ATTACKERKB
CVE-2026-48933
26 Jun 202601:14
attackerkb
ATTACKERKB
CVE-2026-48934
26 Jun 202601:14
attackerkb
ATTACKERKB
CVE-2026-48928
26 Jun 202601:14
attackerkb
ATTACKERKB
CVE-2026-48930
26 Jun 202601:14
attackerkb
ATTACKERKB
CVE-2026-48615
26 Jun 202601:14
attackerkb
ATTACKERKB
CVE-2026-48618
26 Jun 202601:14
attackerkb
Rows per page
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Amazon Linux 2023 Security Advisory ALAS2023-2026-1921.
##

include('compat.inc');

if (description)
{
  script_id(327401);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/07/16");

  script_cve_id(
    "CVE-2026-6733",
    "CVE-2026-9679",
    "CVE-2026-11525",
    "CVE-2026-11822",
    "CVE-2026-11824",
    "CVE-2026-12151",
    "CVE-2026-48615",
    "CVE-2026-48617",
    "CVE-2026-48618",
    "CVE-2026-48619",
    "CVE-2026-48928",
    "CVE-2026-48930",
    "CVE-2026-48931",
    "CVE-2026-48933",
    "CVE-2026-48934",
    "CVE-2026-48935",
    "CVE-2026-48937"
  );

  script_name(english:"Amazon Linux 2023 : nodejs22, nodejs22-devel, nodejs22-full-i18n (ALAS2023-2026-1921)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Amazon Linux 2023 host is missing a security update.");
  script_set_attribute(attribute:"description", value:
"It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1921 advisory.

    When undici parses a Set-Cookie header, it accepts any SameSite attribute value that contains Strict, Lax,
    or None as a substring, rather than the case-insensitive exact match specified by RFC 6265. Non-spec
    values are silently mapped to one of the three standard tokens:

    SameSite=NoneOfYourBusiness is parsed as None, the most permissive setting.SameSite=StrictLax is parsed as
    Lax, a downgrade from Strict.Affected applications are those that consume Set-Cookie headers from server
    responses (for example via undici's fetch or proxy code paths) and then forward or rely on the parsed
    sameSite attribute. A malicious or non-compliant server can coerce the consumer's view of a cookie's
    SameSite policy to a weaker value, silently degrading the SameSite enforcement the cookie is supposed to
    provide.

    This was introduced in undici 5.15.0 when the cookies feature was added. (CVE-2026-11525)

    SQLite before 3.53.2 contains memory corruption vulnerabilities in the FTS5 full-text search extension
    that allow attackers to cause process crashes, memory exhaustion, or arbitrary code execution by supplying
    a crafted database with malformed FTS5 page data. Attackers can trigger an out-of-bounds read in
    fts5LeafSeek() via an attacker-controlled loop bound and a heap buffer overflow write in
    fts5ChunkIterate() through a crafted continuation page causing an integer underflow, exploitable when an
    FTS5 MATCH query is executed against the malicious database. (CVE-2026-11822)

    SQLite before 3.53.2 contains a heap-based buffer overflow vulnerability in the FTS5 full-text search
    extension that allows attackers to cause a crash or execute arbitrary code by supplying a crafted database
    with malicious continuation page metadata specifying a szLeaf value smaller than 4. Attackers can trigger
    an integer underflow in fts5ChunkIterate() causing an inflated remaining byte count during FTS5 MATCH
    query processing, leading to a heap buffer overflow of attacker-controlled data in applications compiled
    with SQLITE_ENABLE_FTS5. (CVE-2026-11824)

    The undici WebSocket client enforces maxPayloadSize on the cumulative byte count of fragments in a message
    but does not enforce a limit on the number of fragments. A malicious WebSocket server can stream many
    small or empty continuation frames that each pass per-frame and cumulative-size validation, collectively
    causing unbounded memory growth in the client process. The result is memory exhaustion and a denial of
    service.

    Affected applications are those using the undici WebSocket client (new WebSocket(...)) or the
    WebSocketStream API that can be induced to connect to an attacker-controlled or compromised WebSocket
    endpoint.

    All releases starting at undici 6.17.0 are affected. (CVE-2026-12151)

    A flaw in Node.js proxy tunnel error handling could expose proxy credentials in ERR_PROXY_TUNNEL error
    messages.

    When proxy credentials are embedded in the proxy URL, they may be exposed through error handling paths and
    captured by logs, diagnostics, or other error consumers.

    This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.
    (CVE-2026-48615)

    A flaw in Node.js Permission Model enforcement allows Bypass via `process.report.writeReport()` Path
    Misvalidation. This can lead to confidentiality impact or bypass of the intended security boundary under
    affected configurations. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js
    24**, and **Node.js 26**. (CVE-2026-48617)

    A flaw in Node.js TLS hostname handling can cause Node.js unicode dot separator handling can lead to tls
    wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismat.

    This can lead to confidentiality impact or bypass of the intended security boundary under affected
    configurations.

    This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.
    (CVE-2026-48618)

    A flaw in Node.js HTTP/2 client allows a server to send an unlimited number of ORIGIN frames, which could
    lead to an Out of Memory error on the client.

    This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.
    (CVE-2026-48619)

    A inconsistency in Node.js hostname matching can cause a trust-policy bypass in multi-context mTLS setups.

    This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.
    (CVE-2026-48928)

    A flaw in Node.js TLS hostname handling can cause Embedded-nul hostnames can lead to silent authority
    rebinding due to c-string truncation in resolver bindings.

    This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.
    (CVE-2026-48930)

    A flaw in Node.js HTTP Agent can cause a client to accept as valid a response that is send before the
    client has sent the request.

    This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.
    (CVE-2026-48931)

    A flaw in Node.js WebCrypto implementation can crash the process if the input of subtle.encrypt() is a
    multiple of 2GiB.

    This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.
    (CVE-2026-48933)

    A flaw in Node.js TLS host verification can cause an attacker to bypass certification validation.

    This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.
    (CVE-2026-48934)

    A flaw in Node.js Permission API can cause a file metadata to be modified even on a path that was set as
    read-only with e.g. --allow-fs-read.

    This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.
    (CVE-2026-48935)

    A flaw in Node.js HTTP/2 server API can cause servers to keep accepting data even after sending a `GOAWAY`
    frame. This vulnerability affects two supported release lines: **Node.js 22** and **Node.js 24**.
    (CVE-2026-48937)

    Undici's HTTP/1.1 client is vulnerable to response queue poisoning on reused keep-alive sockets. An
    attacker-controlled upstream server can inject an unsolicited HTTP/1.1 response onto an idle socket after
    a request completes. When the client dispatches the next request on that socket, it associates the
    injected response with the new request, causing responses to be delivered to the wrong requests.

    This requires an attacker-controlled or compromised upstream HTTP/1.1 server and keep-alive connection
    reuse. (CVE-2026-6733)

    undici's cookie parser in parseSetCookie percent-decodes cookie values via qsUnescape, turning encoded
    sequences like %0D%0A, %00, %3B, and %3D into their literal byte equivalents. RFC 6265 SS5.4 does not
    specify any decoding and browsers do not decode either.

    Applications that parse a Set-Cookie header and then forward the parsed value into a response header
    (proxies, middleware, SSR frameworks) become vulnerable to HTTP response header injection: an attacker-
    controlled upstream can inject arbitrary Set-Cookie, Location, or Cache-Control headers into the
    application's downstream response, enabling session fixation, open redirect, or cache poisoning.

    Affected applications are those that use undici's cookie parsing (parseSetCookie, parseCookie,
    getSetCookies) and forward the parsed cookie value into a response header.

    This was introduced in undici 7.0.0 (CVE-2026-9679)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com//AL2023/ALAS2023-2026-1921.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/faqs.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-11525.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-11822.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-11824.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-12151.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-48615.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-48617.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-48618.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-48619.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-48928.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-48930.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-48931.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-48933.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-48934.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-48935.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-48937.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-6733.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-9679.html");
  script_set_attribute(attribute:"solution", value:
"Run 'dnf update nodejs22 --releasever 2023.12.20260706' or
  or 'dnf update --advisory ALAS2023-2026-1921 --releasever 2023.12.20260706' to update your system.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss4_vector", value:"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N");
  script_set_attribute(attribute:"cvss4_threat_vector", value:"CVSS:4.0/E:P");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2026-48930");
  script_set_attribute(attribute:"cvss4_score_source", value:"CVE-2026-11824");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2026/06/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/07/07");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/07/16");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:nodejs22");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:nodejs22-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:nodejs22-debugsource");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:nodejs22-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:nodejs22-docs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:nodejs22-full-i18n");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:nodejs22-libs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:nodejs22-libs-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:nodejs22-npm");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:v8-12.4-devel");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux:2023");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Amazon Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");

  exit(0);
}

include("rpm2.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

var alas_release = get_kb_item("Host/AmazonLinux/release");
if (isnull(alas_release) || !strlen(alas_release)) audit(AUDIT_OS_NOT, "Amazon Linux");
var os_ver = pregmatch(pattern: "^AL(A|\d+|-\d+)", string:alas_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
os_ver = os_ver[1];
if (os_ver != "-2023")
{
  if (os_ver == 'A') os_ver = 'AMI';
  audit(AUDIT_OS_NOT, "Amazon Linux 2023", "Amazon Linux " + os_ver);
}

if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

var pkgs = [
    {'reference':'nodejs22-22.23.1-1.amzn2023.0.1', 'cpu':'aarch64', 'release':'AL-2023', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'nodejs22-22.23.1-1.amzn2023.0.1', 'cpu':'x86_64', 'release':'AL-2023', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'nodejs22-debuginfo-22.23.1-1.amzn2023.0.1', 'cpu':'aarch64', 'release':'AL-2023', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'nodejs22-debuginfo-22.23.1-1.amzn2023.0.1', 'cpu':'x86_64', 'release':'AL-2023', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'nodejs22-debugsource-22.23.1-1.amzn2023.0.1', 'cpu':'aarch64', 'release':'AL-2023', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'nodejs22-debugsource-22.23.1-1.amzn2023.0.1', 'cpu':'x86_64', 'release':'AL-2023', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'nodejs22-devel-22.23.1-1.amzn2023.0.1', 'cpu':'aarch64', 'release':'AL-2023', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'nodejs22-devel-22.23.1-1.amzn2023.0.1', 'cpu':'x86_64', 'release':'AL-2023', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'nodejs22-docs-22.23.1-1.amzn2023.0.1', 'release':'AL-2023', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'nodejs22-full-i18n-22.23.1-1.amzn2023.0.1', 'cpu':'aarch64', 'release':'AL-2023', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'nodejs22-full-i18n-22.23.1-1.amzn2023.0.1', 'cpu':'x86_64', 'release':'AL-2023', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'nodejs22-libs-22.23.1-1.amzn2023.0.1', 'cpu':'aarch64', 'release':'AL-2023', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'nodejs22-libs-22.23.1-1.amzn2023.0.1', 'cpu':'x86_64', 'release':'AL-2023', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'nodejs22-libs-debuginfo-22.23.1-1.amzn2023.0.1', 'cpu':'aarch64', 'release':'AL-2023', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'nodejs22-libs-debuginfo-22.23.1-1.amzn2023.0.1', 'cpu':'x86_64', 'release':'AL-2023', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'nodejs22-npm-10.9.8-1.22.23.1.1.amzn2023.0.1', 'cpu':'aarch64', 'release':'AL-2023', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'nodejs22-npm-10.9.8-1.22.23.1.1.amzn2023.0.1', 'cpu':'x86_64', 'release':'AL-2023', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'v8-12.4-devel-12.4.254.21-1.22.23.1.1.amzn2023.0.1', 'cpu':'aarch64', 'release':'AL-2023', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'v8-12.4-devel-12.4.254.21-1.22.23.1.1.amzn2023.0.1', 'cpu':'x86_64', 'release':'AL-2023', 'rpm_spec_vers_cmp':TRUE}
];

var flag = 0;
foreach var package_array ( pkgs ) {
  var reference = NULL;
  var _release = NULL;
  var sp = NULL;
  var _cpu = NULL;
  var el_string = NULL;
  var rpm_spec_vers_cmp = NULL;
  var epoch = NULL;
  var allowmaj = NULL;
  var exists_check = NULL;
  var cves = NULL;
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (!empty_or_null(package_array['release'])) _release = package_array['release'];
  if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
  if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
  if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
  if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
  if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
  if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
  if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
  if (!empty_or_null(package_array['cves'])) cves = package_array['cves'];
  if (reference && _release && (!exists_check || rpm_exists(release:_release, rpm:exists_check))) {
    if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "nodejs22 / nodejs22-debuginfo / nodejs22-debugsource / etc");
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

16 Jul 2026 00:00Current
7High risk
Vulners AI Score7
CVSS 3.17.8 - 9.8
CVSS 48.5
CVSS 37.7
EPSS0.02806
SSVC
3