{"id":"RLSA-2021:5171","summary":"Moderate: nodejs:16 security, bug fix, and enhancement update","details":"Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. \n\nThe following packages have been upgraded to a later upstream version: nodejs (16.13.1), nodejs-nodemon (2.0.15). (BZ#2027610)\n\nSecurity Fix(es):\n\n* nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918)\n\n* nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788)\n\n* nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469)\n\n* nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807)\n\n* normalize-url: ReDoS for data URLs (CVE-2021-33502)\n\n* llhttp: HTTP Request Smuggling due to spaces in headers (CVE-2021-22959)\n\n* llhttp: HTTP Request Smuggling when parsing the body of chunked requests (CVE-2021-22960)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.","modified":"2026-02-05T03:15:12.020813Z","published":"2021-12-15T19:09:29Z","upstream":["CVE-2020-28469","CVE-2020-7788","CVE-2021-22959","CVE-2021-22960","CVE-2021-33502","CVE-2021-3807","CVE-2021-3918"],"references":[{"type":"ADVISORY","url":"https://errata.rockylinux.org/RLSA-2021:5171"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1907444"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1945459"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1964461"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2007557"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2014057"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2014059"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2024702"}],"affected":[{"package":{"name":"nodejs","ecosystem":"Rocky Linux:8","purl":"pkg:rpm/rocky-linux/nodejs?distro=rocky-linux-8-5-legacy&epoch=1"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1:16.13.1-3.module+el8.5.0+721+4c107270"}],"database_specific":{"yum_repository":"AppStream"}}],"database_specific":{"source":"https://storage.googleapis.com/resf-osv-data/RLSA-2021:5171.json"}},{"package":{"name":"nodejs-nodemon","ecosystem":"Rocky Linux:8","purl":"pkg:rpm/rocky-linux/nodejs-nodemon?distro=rocky-linux-8-5-legacy&epoch=0"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0:2.0.15-1.module+el8.5.0+721+4c107270"}],"database_specific":{"yum_repository":"AppStream"}}],"database_specific":{"source":"https://storage.googleapis.com/resf-osv-data/RLSA-2021:5171.json"}},{"package":{"name":"nodejs-packaging","ecosystem":"Rocky Linux:8","purl":"pkg:rpm/rocky-linux/nodejs-packaging?distro=rocky-linux-8&epoch=0"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0:25-1.module+el8.6.0+1046+80feca58"}],"database_specific":{"yum_repository":"AppStream"}}],"database_specific":{"source":"https://storage.googleapis.com/resf-osv-data/RLSA-2021:5171.json"}},{"package":{"name":"nodejs-packaging","ecosystem":"Rocky Linux:8","purl":"pkg:rpm/rocky-linux/nodejs-packaging?distro=rocky-linux-8-5-legacy&epoch=0"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0:25-1.module+el8.5.0+702+221f14e6"}],"database_specific":{"yum_repository":"AppStream"}}],"database_specific":{"source":"https://storage.googleapis.com/resf-osv-data/RLSA-2021:5171.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"credits":[{"name":"Rocky Enterprise Software Foundation"},{"name":"Red Hat"}]}