ALAS2023-2026-1484

Amazon Linux 2023 Security Advisory: ALAS2023-2026-1484
Advisory Released Date: 2026-03-25
Advisory Updated Date: 2026-03-25

Severity: Important

References: CVE-2025-5889 CVE-2026-26960 CVE-2026-29786
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

A vulnerability was found in juliangruber brace-expansion up to 1.1.11/2.0.1/3.0.0/4.0.0. It has been rated as problematic. Affected by this issue is the function expand of the file index.js. The manipulation leads to inefficient regular expression complexity. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 1.1.12, 2.0.2, 3.0.1 and 4.0.1 is able to address this issue. The name of the patch is a5b98a4f30d7813266b221435e1eaaf25a1b0ac5. It is recommended to upgrade the affected component. (CVE-2025-5889)

node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root, enabling arbitrary file read and write as the extracting user. Severity is high because the primitive bypasses path protections and turns archive extraction into a direct filesystem access primitive. This issue has been fixed in version 7.5.8. (CVE-2026-26960)

node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This issue has been patched in version 7.5.10. (CVE-2026-29786)

Affected Packages:

nodejs20

Issue Correction:
Run dnf update nodejs20 --releasever 2023.10.20260316 or dnf update --advisory ALAS2023-2026-1484 --releasever 2023.10.20260316 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation

New Packages:

aarch64:
    v8-11.3-devel-11.3.244.8-1.20.20.1.1.amzn2023.0.2.aarch64
    nodejs20-full-i18n-20.20.1-1.amzn2023.0.2.aarch64
    nodejs20-libs-debuginfo-20.20.1-1.amzn2023.0.2.aarch64
    nodejs20-libs-20.20.1-1.amzn2023.0.2.aarch64
    nodejs20-debuginfo-20.20.1-1.amzn2023.0.2.aarch64
    nodejs20-20.20.1-1.amzn2023.0.2.aarch64
    nodejs20-devel-20.20.1-1.amzn2023.0.2.aarch64
    nodejs20-npm-10.8.2-1.20.20.1.1.amzn2023.0.2.aarch64
    nodejs20-debugsource-20.20.1-1.amzn2023.0.2.aarch64

noarch:
    nodejs20-docs-20.20.1-1.amzn2023.0.2.noarch

src:
    nodejs20-20.20.1-1.amzn2023.0.2.src

x86_64:
    nodejs20-libs-debuginfo-20.20.1-1.amzn2023.0.2.x86_64
    v8-11.3-devel-11.3.244.8-1.20.20.1.1.amzn2023.0.2.x86_64
    nodejs20-full-i18n-20.20.1-1.amzn2023.0.2.x86_64
    nodejs20-debuginfo-20.20.1-1.amzn2023.0.2.x86_64
    nodejs20-20.20.1-1.amzn2023.0.2.x86_64
    nodejs20-devel-20.20.1-1.amzn2023.0.2.x86_64
    nodejs20-libs-20.20.1-1.amzn2023.0.2.x86_64
    nodejs20-npm-10.8.2-1.20.20.1.1.amzn2023.0.2.x86_64
    nodejs20-debugsource-20.20.1-1.amzn2023.0.2.x86_64

Additional References

Release Notes: Amazon Linux 2023 Release Notes

Red Hat: CVE-2025-5889, CVE-2026-26960, CVE-2026-29786

Mitre: CVE-2025-5889, CVE-2026-26960, CVE-2026-29786