ghcr.io/ubi-micro-dev/ubi9-micro-dev-nodejs-20:latest

With RPM updates as of

Show kernel-headers

ID	Age	Component	Trivy Severity	Grype Severity	Red Hat Severity	ubi-micro-dev Opinion
CVE-2026-24842	48	nodejs npm tar	High	High	Important
CVE-2023-38552	882	nodejs npm	Medium	Medium	Moderate
CVE-2025-59464	56	nodejs npm	Medium	Medium	Moderate
CVE-2025-62408	99	nodejs npm	Medium	Medium	Moderate
CVE-2025-64118	138	nodejs npm	Medium	Medium	Moderate
CVE-2025-64756	120	glob nodejs npm	Medium	High	Important
CVE-2026-2100	39	p11-kit-trust	Medium	Medium	Moderate
CVE-2026-25547	41	nodejs npm	Medium	Medium	Moderate
CVE-2026-26960	28	nodejs npm tar	Medium	High	Moderate
CVE-2026-26996	27	minimatch nodejs npm	Medium	High	Moderate
CVE-2026-27903	19	minimatch nodejs npm	Medium	High	Moderate
CVE-2026-27904	19	minimatch nodejs npm	Medium	High	Moderate
CVE-2026-31802	7	nodejs npm tar	Medium	High	Moderate
CVE-2022-27943	1452	libgcc libstdc++	Low	Low	Low	False Positive
CVE-2022-41409	973	pcre2 pcre2-syntax	Low	Low	Low	False Positive
CVE-2023-45143	887	nodejs npm	Low	Low	Low
CVE-2023-50495	826	ncurses-libs	Low	Low	Low	False Positive
CVE-2024-13176	421	openssl openssl-libs	Low	Low	Low
CVE-2024-21538	495	cross-spawn nodejs npm	Low	High	Low
CVE-2024-41996	569	openssl openssl-libs	Low	Low	Low
CVE-2025-5889	281	brace-expansion nodejs npm	Low	Low	Low
CVE-2025-9232	168	openssl openssl-libs	Low	Low	Low
CVE-2025-13151	69	libtasn1	Low	Low	Low
CVE-2026-2673	4	openssl openssl-fips-provider openssl-fips-provider-so openssl-libs	Low	Low	Low
CVE-2026-27171	28	zlib	Low	Low	Low
CVE-2026-29786	13	tar		High	Important
CVE-2026-23950	56	tar		High	Important
CVE-2026-23745	60	tar		High	Important
CVE-2026-24001	62	diff		Low	Important

Security Advisory: CVE-2026-27903

Description:

minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, `matchOne()` performs unbounded recursive backtracking when a glob pattern contains multiple non-adjacent `**` (GLOBSTAR) segments and the input path does not match. The time complexity is O(C(n, k)) -- binomial -- where `n` is the number of path segments and `k` is the number of globstars. With k=11 and n=30, a call to the default `minimatch()` API stalls for roughly 5 seconds. With k=13, it exceeds 15 seconds. No memoization or call budget exists to bound this behavior. Any application where an attacker can influence the glob pattern passed to `minimatch()` is vulnerable. The realistic attack surface includes build tools and task runners that accept user-supplied glob arguments (ESLint, Webpack, Rollup config), multi-tenant systems where one tenant configures glob-based rules that run in a shared process, admin or developer interfaces that accept ignore-rule or filter configuration as globs, and CI/CD pipelines that evaluate user-submitted config files containing glob patterns. An attacker who can place a crafted pattern into any of these paths can stall the Node.js event loop for tens of seconds per invocation. The pattern is 56 bytes for a 5-second stall and does not require authentication in contexts where pattern input is part of the feature. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3 fix the issue.

Locations:

/usr/lib/node_modules/npm/node_modules/minimatch/package.json
nodejs-1:20.20.0-1.module+el9.7.0+23895+0637d423
npm-1:10.8.2-1.20.20.0.1.module+el9.7.0+23895+0637d423

References:

Security Advisory: CVE-2025-9232

Description:

Issue summary: An application using the OpenSSL HTTP client API functions may
trigger an out-of-bounds read if the 'no_proxy' environment variable is set and
the host portion of the authority component of the HTTP URL is an IPv6 address.
Impact summary: An out-of-bounds read can trigger a crash which leads to
Denial of Service for an application.
The OpenSSL HTTP client API functions can be used directly by applications
but they are also used by the OCSP client functions and CMP (Certificate
Management Protocol) client implementation in OpenSSL. However the URLs used
by these implementations are unlikely to be controlled by an attacker.
In this vulnerable code the out of bounds read can only trigger a crash.
Furthermore the vulnerability requires an attacker-controlled URL to be
passed from an application to the OpenSSL function and the user has to have
a 'no_proxy' environment variable set. For the aforementioned reasons the
issue was assessed as Low severity.
The vulnerable code was introduced in the following patch releases:
3.0.16, 3.1.8, 3.2.4, 3.3.3, 3.4.0 and 3.5.0.
The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this
issue, as the HTTP client implementation is outside the OpenSSL FIPS module
boundary.

Locations:

openssl-1:3.5.1-7.el9_7
openssl-libs-1:3.5.1-7.el9_7

References:

Security Advisory: CVE-2026-23950

Description:

node-tar,a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This is due to an incomplete handling of Unicode path collisions in the `path-reservations` system. On case-insensitive or normalization-insensitive filesystems (such as macOS APFS, In which it has been tested), the library fails to lock colliding paths (e.g., `ß` and `ss`), allowing them to be processed in parallel. This bypasses the library's internal concurrency safeguards and permits Symlink Poisoning attacks via race conditions. The library uses a `PathReservations` system to ensure that metadata checks and file operations for the same path are serialized. This prevents race conditions where one entry might clobber another concurrently. This is a Race Condition which enables Arbitrary File Overwrite. This vulnerability affects users and systems using node-tar on macOS (APFS/HFS+). Because of using `NFD` Unicode normalization (in which `ß` and `ss` are different), conflicting paths do not have their order properly preserved under filesystems that ignore Unicode normalization (e.g., APFS (in which `ß` causes an inode collision with `ss`)). This enables an attacker to circumvent internal parallelization locks (`PathReservations`) using conflicting filenames within a malicious tar archive. The patch in version 7.5.4 updates `path-reservations.js` to use a normalization form that matches the target filesystem's behavior (e.g., `NFKD`), followed by first `toLocaleLowerCase('en')` and then `toLocaleUpperCase('en')`. As a workaround, users who cannot upgrade promptly, and who are programmatically using `node-tar` to extract arbitrary tarball data should filter out all `SymbolicLink` entries (as npm does) to defend against arbitrary file writes via this file system entry name collision issue.

Locations:

/usr/lib/node_modules/npm/node_modules/tar/package.json

References:

Security Advisory: CVE-2026-24001

Description:

jsdiff is a JavaScript text differencing implementation. Prior to versions 8.0.3, 5.2.2, 4.0.4, and 3.5.1, attempting to parse a patch whose filename headers contain the line break characters `\r`, `\u2028`, or `\u2029` can cause the `parsePatch` method to enter an infinite loop. It then consumes memory without limit until the process crashes due to running out of memory. Applications are therefore likely to be vulnerable to a denial-of-service attack if they call `parsePatch` with a user-provided patch as input. A large payload is not needed to trigger the vulnerability, so size limits on user input do not provide any protection. Furthermore, some applications may be vulnerable even when calling `parsePatch` on a patch generated by the application itself if the user is nonetheless able to control the filename headers (e.g. by directly providing the filenames of the files to be diffed). The `applyPatch` method is similarly affected if (and only if) called with a string representation of a patch as an argument, since under the hood it parses that string using `parsePatch`. Other methods of the library are unaffected. Finally, a second and lesser interdependent bug - a ReDOS - also exhibits when those same line break characters are present in a patch's *patch* header (also known as its "leading garbage"). A maliciously-crafted patch header of length *n* can take `parsePatch` O(*n*³) time to parse. Versions 8.0.3, 5.2.2, 4.0.4, and 3.5.1 contain a fix. As a workaround, do not attempt to parse patches that contain any of these characters: `\r`, `\u2028`, or `\u2029`.

Locations:

/usr/lib/node_modules/npm/node_modules/diff/package.json