Alpine: multiple nodejs packages: security update to 24.14.1-r0

high Tenable Cloud Security Plugin ID 439190

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server
when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks
bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process
termination or silent file descriptor leaks that eventually lead to denial of service. Because these
callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly
trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across Node.js
versions where these callbacks throw without being safely wrapped. (CVE-2026-21637)

- A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a
header named `__proto__` and the application accesses `req.headersDistinct`. When this occurs,
`dest["__proto__"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called
on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted
by `error` event listeners, meaning it cannot be handled without wrapping every `req.headersDistinct`
access in a `try/catch`. * This vulnerability affects all Node.js HTTP servers on **20.x, 22.x, 24.x, and
v25.x** (CVE-2026-21710)

- A flaw in Node.js URL processing causes an assertion failure in native code when `url.format()` is called
with a malformed internationalized domain name (IDN) containing invalid characters, crashing the Node.js
process. (CVE-2026-21712)

- A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided
signatures, potentially leaking timing information proportional to the number of matching bytes. Under
certain threat models where high-resolution timing measurements are possible, this behavior could be
exploited as a timing oracle to infer HMAC values. Node.js already provides timing-safe comparison
primitives used elsewhere in the codebase, indicating this is an oversight rather than an intentional
design decision. This vulnerability affects **20.x, 22.x, 24.x, and 25.x**. (CVE-2026-21713)

Solution

Update the nodejs library and its related packages to version 24.14.1-r0 or later.

See Also

https://security.alpinelinux.org/vuln/CVE-2026-21637

https://security.alpinelinux.org/vuln/CVE-2026-21710

https://security.alpinelinux.org/vuln/CVE-2026-21712

https://security.alpinelinux.org/vuln/CVE-2026-21713

https://security.alpinelinux.org/vuln/CVE-2026-21714

https://security.alpinelinux.org/vuln/CVE-2026-21715

https://security.alpinelinux.org/vuln/CVE-2026-21716

https://security.alpinelinux.org/vuln/CVE-2026-21717

Plugin Details

Severity: High

ID: 439190

Version: Revision 1.5

Type: Local

Published: 3/25/2026

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5.7

Percentile: 96.49

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2026-21637

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 1/13/2026

Reference Information

CVE: CVE-2026-21637, CVE-2026-21710, CVE-2026-21712, CVE-2026-21713, CVE-2026-21714, CVE-2026-21715, CVE-2026-21716, CVE-2026-21717