MiracleLinux 8 : nodejs:22 (AXSA:2026-432:01)

🗓️ 14 Apr 2026 00:00:00Reported by TenableType

MiracleLinux 8 host with Node.js vulnerabilities per AXSA-2026-432:01, causing denial of service.

Reporter	Title	Published	Views	Family All 991
IBM Security Bulletins	Security Bulletin: A vulnerability in the minimatch package affects IBM® Db2® Big SQL on IBM Cloud Pak for Data.	15 May 202614:43	–	ibm
IBM Security Bulletins	Security Bulletin: IBM App Connect Enterprise is vulnerable to multiple vulnerabilities due to multiple node modules.	21 Apr 202618:47	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Maximo Application Suite - IoT Component uses multiple third party dependencies which is vulnerable to multiple CVEs.	1 Apr 202607:22	–	ibm
IBM Security Bulletins	Security Bulletin: DevOps Test Performance contains a potential denial of service (DoS) vulnerability	10 Apr 202613:04	–	ibm
IBM Security Bulletins	Security Bulletin: IBM App Connect Enterprise is vulnerable to multiple vulnerabilities due to node modules Hono and Undici	30 Mar 202612:20	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Edge Data Collector uses minimatch-3.1.2.tgz which is vulnerable to CVE-2026-26996, CVE-2026-27903, CVE-2026-27904	1 May 202611:55	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple Vulnerabilities in IBM Engineering AI hub.	6 May 202608:24	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple Vulnerabilities in IBM Bob	2 Jun 202614:29	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple Vulnerabilities in IBM watsonx Code Assistant On Prem	23 Mar 202615:13	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Security SOAR is using a component with a known vulnerability (CVE-2026-27903)	20 Mar 202615:48	–	ibm

Source	Link
tsn	www.tsn.miraclelinux.com/en/node/23257
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The package checks in this plugin were extracted from
# Miracle Linux Security Advisory AXSA:2026-432:01.
##

include('compat.inc');

if (description)
{
  script_id(306366);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/04/14");

  script_cve_id(
    "CVE-2026-1525",
    "CVE-2026-1526",
    "CVE-2026-1528",
    "CVE-2026-2229",
    "CVE-2026-21710",
    "CVE-2026-25547",
    "CVE-2026-26996",
    "CVE-2026-27135",
    "CVE-2026-27904"
  );

  script_name(english:"MiracleLinux 8 : nodejs:22 (AXSA:2026-432:01)");

  script_set_attribute(attribute:"synopsis", value:
"The remote MiracleLinux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote MiracleLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the
AXSA:2026-432:01 advisory.

    * brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion (CVE-2026-25547)
      * minimatch: minimatch: Denial of Service via specially crafted glob patterns (CVE-2026-26996)
      * minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions
    (CVE-2026-27904)
      * undici: undici: Denial of Service via unbounded memory consumption during WebSocket permessage-deflate
    decompression (CVE-2026-1526)
      * undici: Undici: Denial of Service via invalid WebSocket permessage-deflate extension parameter
    (CVE-2026-2229)
      * undici: Undici: HTTP Request Smuggling and Denial of Service due to duplicate Content-Length headers
    (CVE-2026-1525)
      * undici: undici: Denial of Service via crafted WebSocket frame with large length (CVE-2026-1528)
      * nghttp2: nghttp2: Denial of Service via malformed HTTP/2 frames after session termination
    (CVE-2026-27135)
      * Node.js: Node.js: Denial of Service due to crafted HTTP `__proto__` header (CVE-2026-21710)

Tenable has extracted the preceding description block directly from the MiracleLinux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://tsn.miraclelinux.com/en/node/23257");
  script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss4_vector", value:"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H");
  script_set_attribute(attribute:"cvss4_threat_vector", value:"CVSS:4.0/E:P");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2026-1525");
  script_set_attribute(attribute:"cvss4_score_source", value:"CVE-2026-25547");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"vendor_severity", value:"High");

  script_set_attribute(attribute:"vuln_publication_date", value:"2026/02/03");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/04/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/04/14");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:nodejs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:nodejs-debugsource");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:nodejs-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:nodejs-docs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:nodejs-full-i18n");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:nodejs-libs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:nodejs-nodemon");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:nodejs-packaging");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:nodejs-packaging-bundler");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:npm");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:v8-12.4-devel");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:miracle:linux:8");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Miracle Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/MiracleLinux/release", "Host/MiracleLinux/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'MIRACLE LINUX' >!< os_product) audit(AUDIT_OS_NOT, 'MIRACLE LINUX');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'MIRACLE LINUX');
if (! preg(pattern:"^8([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'MiracleLinux 8.x', 'MIRACLE LINUX ' + os_version);

if (!get_kb_item('Host/MiracleLinux/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'ppc' >!< cpu && 's390' >!< cpu && 'x86_64' >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'MIRACLE LINUX', cpu);

var module_ver = get_kb_item('Host/MiracleLinux/appstream/nodejs');
if (isnull(module_ver)) audit(AUDIT_PACKAGE_NOT_INSTALLED, 'Module nodejs:22');
if ('22' >!< module_ver) audit(AUDIT_PACKAGE_NOT_AFFECTED, 'Module nodejs:' + module_ver);

var constraints = {
  'nodejs:22': [
    {
      'release': '8',
      'pkgs': [
        {'reference':'nodejs-22.22.2-1.module+el8', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
        {'reference':'nodejs-debugsource-22.22.2-1.module+el8', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
        {'reference':'nodejs-devel-22.22.2-1.module+el8', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
        {'reference':'nodejs-docs-22.22.2-1.module+el8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
        {'reference':'nodejs-full-i18n-22.22.2-1.module+el8', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
        {'reference':'nodejs-libs-22.22.2-1.module+el8', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
        {'reference':'nodejs-nodemon-3.0.1-1.module+el8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
        {'reference':'nodejs-packaging-2021.06-6.module+el8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
        {'reference':'nodejs-packaging-bundler-2021.06-6.module+el8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
        {'reference':'npm-10.9.7-1.22.22.2.1.module+el8', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
        {'reference':'v8-12.4-devel-12.4.254.21-1.22.22.2.1.module+el8', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'}
      ]
    }
  ]
};

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
var appstreams_found = 0;
var appstream;
var appstream_name;
var appstream_version;
foreach var module (keys(constraints)) {
  appstream = NULL;
  appstream_name = NULL;
  appstream_version = NULL;
  appstream_split = split(module, sep:':', keep:FALSE);
  if (!empty_or_null(appstream_split)) {
    appstream_name = appstream_split[0];
    appstream_version = appstream_split[1];
    if (!empty_or_null(appstream_name)) appstream = get_one_kb_item('Host/MiracleLinux/appstream/' + appstream_name);
  }
  if (!empty_or_null(appstream) && appstream_version == appstream || appstream_name == 'all') {
    appstreams_found++;
    foreach var module_array ( constraints[module] ) {
      # Check that the target release is equal to the affected release
      if (!empty_or_null(module_array['release'])){
        if (module_array['release'] != os_release) continue;
      }
      if (!empty_or_null(module_array['sp'])){
        if (module_array['sp'] != os_sp) continue;
      }
      foreach var package_array ( module_array['pkgs'] ) {
        reference = NULL;
        sp = NULL;
        _cpu = NULL;
        el_string = NULL;
        rpm_spec_vers_cmp = NULL;
        epoch = NULL;
        allowmaj = NULL;
        exists_check = NULL;
        cves = NULL;
        if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
        if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
        if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
        if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
        if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
        if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
        if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
        if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
        if (!empty_or_null(package_array['cves'])) cves = package_array['cves'];
        if (reference &&
            (!exists_check || rpm_exists(rpm:exists_check)) &&
            rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
      }
    }
  }
}

if (!appstreams_found) audit(AUDIT_PACKAGE_NOT_INSTALLED, 'Module nodejs:22');
if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'nodejs / nodejs-debugsource / nodejs-devel / nodejs-docs / etc');
}

14 Apr 2026 00:00Current

7High risk

Vulners AI Score7

CVSS 3.17.5 - 9.8

CVSS 37.5

CVSS 49.2

EPSS0.00175

SSVC