JustAppSec

Red Hat issues Important nodejs:20 security update for RHEL 9.4 EUS

What happened

Red Hat published RHSA-2026:2768 (severity: Important) for the nodejs:20 module on Red Hat Enterprise Linux 9.4 Extended Update Support (EUS). The advisory ships an update to Node.js packages and states it addresses three security issues: Node.js denial of service (CVE-2025-59465), uninitialized memory exposure (CVE-2025-55131), and a file permissions bypass (CVE-2025-55130).

Who is impacted

  • Platform teams running RHEL 9.4 EUS that provide the nodejs:20 runtime to internal applications or build pipelines.
  • Developers building and deploying services that rely on the distribution-provided Node.js 20 module stream (rather than upstream Node.js binaries/containers).

What to do now

  • Prioritize patching systems using the nodejs:20 module on RHEL 9.4 EUS.
  • Apply the Red Hat update for nodejs:20 as described in the advisory (updated packages are listed under "Updated Packages").
  • After updating, restart Node.js services and any build agents/CI runners that keep long-lived Node.js processes to ensure the patched runtime is in use.
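
One way to confirm the restart step actually took effect, as an added example that is not part of the Red Hat advisory or the original article: when a package update replaces a file, Linux marks the old copy as "(deleted)" in /proc for every process still using it. The sketch below lists such Node.js processes. It assumes the runtime binary is named `node` and its shared library `libnode.so.*`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: find Node.js processes still running a pre-update runtime.
# A process started before the update keeps the old inode open, and the
# kernel reports it as "<path> (deleted)" in /proc/<pid>/exe and maps.

# stale_node_pids [PROC_ROOT]
# Prints, one per line, the PIDs whose node executable or mapped libnode
# library has been replaced on disk. PROC_ROOT defaults to /proc; the
# parameter lets the logic be exercised against a constructed tree.
stale_node_pids() (
    proc_root="${1:-/proc}"
    for dir in "$proc_root"/[0-9]*; do
        [ -d "$dir" ] || continue
        pid="${dir##*/}"
        # Unreadable entries (other users' processes, exited PIDs) are skipped.
        exe="$(readlink "$dir/exe" 2>/dev/null)" || continue
        case "$exe" in
            *"/node (deleted)") echo "$pid"; continue ;;  # old binary in use
            */node) ;;         # current binary: still check its libraries
            *) continue ;;     # not a Node.js process
        esac
        # Assumption: the runtime's shared library is named libnode.so.*
        if grep -Eq '/libnode\.so[^ ]* \(deleted\)$' "$dir/maps" 2>/dev/null
        then
            echo "$pid"
        fi
    done | sort -n
)

# needs_restart [PROC_ROOT]: exit status 0 if any stale process remains.
needs_restart() {
    [ -n "$(stale_node_pids "$@")" ]
}

# Stand-alone use: "sh script.sh --check" reports and exits 1 if work remains.
if [ "${1:-}" = "--check" ]; then
    pids="$(stale_node_pids | tr '\n' ' ')"
    if [ -z "$pids" ]; then echo "no stale Node.js processes"; exit 0; fi
    echo "restart still required for PIDs: $pids"
    exit 1
fi
```

Run it as root so that /proc entries owned by service accounts and CI runner users are readable; an unprivileged run silently skips them.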

Additional Information

  • Advisory ID: RHSA-2026:2768
  • Type/Severity: Security Advisory / Important
  • Security fixes listed by Red Hat: CVE-2025-59465, CVE-2025-55131, CVE-2025-55130
  • Affected product called out by the advisory: Red Hat Enterprise Linux 9.4 Extended Update Support

Source: Red Hat Product Errata
Published 17 Feb 2026 | Updated 17 Feb 2026