Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:rpm/redhat/nodejs@1:16.20.2-1?arch=el9_0
purl pkg:rpm/redhat/nodejs@1:16.20.2-1?arch=el9_0
Next non-vulnerable version None.
Latest non-vulnerable version None.
Risk 4.4
Vulnerabilities affecting this package (12)
Vulnerability Summary Fixed by
VCID-38k9-23j3-eqh7
Aliases:
CVE-2023-30581
Multiple vulnerabilities have been discovered in Node.js. There are no reported fixed by versions.
VCID-5vh6-usw6-2qhy
Aliases:
CVE-2022-4904
Improper Input Validation A flaw was found in the c-ares package. The ares_set_sortlist is missing checks about the validity of the input string, which allows a possible arbitrary length stack overflow. This issue may cause a denial of service or a limited impact on confidentiality and integrity. There are no reported fixed by versions.
VCID-9yq7-aba3-c7c3
Aliases:
CVE-2023-32559
Multiple vulnerabilities have been discovered in Node.js. There are no reported fixed by versions.
VCID-dtvs-pgam-qkbp
Aliases:
CVE-2023-23936
GHSA-5r9g-qh6m-jxff
CRLF Injection in Nodejs ‘undici’ via host Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect `host` HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a workaround, sanitize the `headers.host` string before passing to undici. There are no reported fixed by versions.
VCID-e7u5-356v-jbg7
Aliases:
CVE-2023-30590
Multiple vulnerabilities have been discovered in Node.js. There are no reported fixed by versions.
VCID-hnjv-fp2r-vqfq
Aliases:
CVE-2023-23920
Node.js: insecure loading of ICU data through ICU_DATA environment variable There are no reported fixed by versions.
VCID-kj75-vmwa-gqgq
Aliases:
CVE-2023-32006
Multiple vulnerabilities have been discovered in Node.js. There are no reported fixed by versions.
VCID-m78y-81wr-y3cz
Aliases:
CVE-2022-25881
GHSA-rc47-6667-2j5j
http-cache-semantics vulnerable to Regular Expression Denial of Service http-cache semantics contains an Inefficient Regular Expression Complexity , leading to Denial of Service. This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library. There are no reported fixed by versions.
VCID-q75s-43sx-4kbg
Aliases:
CVE-2023-30588
Multiple vulnerabilities have been discovered in Node.js. There are no reported fixed by versions.
VCID-sag8-repb-g3f4
Aliases:
CVE-2023-32002
Multiple vulnerabilities have been discovered in Node.js. There are no reported fixed by versions.
VCID-vh17-44d1-kyf7
Aliases:
CVE-2023-24807
GHSA-r6ch-mqf9-qc9w
Regular Expression Denial of Service in Headers Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the `Headers.set()` and `Headers.append()` methods is vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the `headerValueNormalize()` utility function. This vulnerability was patched in v5.19.1. No known workarounds are available. There are no reported fixed by versions.
VCID-zstw-3wmu-u3c8
Aliases:
CVE-2023-30589
GHSA-cggh-pq45-6h9x
llhttp vulnerable to HTTP request smuggling The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field. This impacts all Node.js active versions: v16, v18, and, v20 There are no reported fixed by versions.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-01T13:56:07.849738+00:00 RedHat Importer Affected by VCID-5vh6-usw6-2qhy https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-4904.json 38.0.0
2026-04-01T13:55:36.561627+00:00 RedHat Importer Affected by VCID-m78y-81wr-y3cz https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-25881.json 38.0.0
2026-04-01T13:55:17.626357+00:00 RedHat Importer Affected by VCID-hnjv-fp2r-vqfq https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-23920.json 38.0.0
2026-04-01T13:55:17.538846+00:00 RedHat Importer Affected by VCID-vh17-44d1-kyf7 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-24807.json 38.0.0
2026-04-01T13:55:17.487607+00:00 RedHat Importer Affected by VCID-dtvs-pgam-qkbp https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-23936.json 38.0.0
2026-04-01T13:53:41.277125+00:00 RedHat Importer Affected by VCID-e7u5-356v-jbg7 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-30590.json 38.0.0
2026-04-01T13:53:41.220662+00:00 RedHat Importer Affected by VCID-zstw-3wmu-u3c8 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-30589.json 38.0.0
2026-04-01T13:53:41.166308+00:00 RedHat Importer Affected by VCID-q75s-43sx-4kbg https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-30588.json 38.0.0
2026-04-01T13:53:40.994656+00:00 RedHat Importer Affected by VCID-38k9-23j3-eqh7 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-30581.json 38.0.0
2026-04-01T13:53:03.563561+00:00 RedHat Importer Affected by VCID-9yq7-aba3-c7c3 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-32559.json 38.0.0
2026-04-01T13:53:03.508779+00:00 RedHat Importer Affected by VCID-kj75-vmwa-gqgq https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-32006.json 38.0.0
2026-04-01T13:53:03.415687+00:00 RedHat Importer Affected by VCID-sag8-repb-g3f4 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-32002.json 38.0.0