ALAS2023-2026-1609

Amazon Linux 2023 Security Advisory: ALAS2023-2026-1609
Advisory Released Date: 2026-04-30
Advisory Updated Date: 2026-04-30

Severity: Medium

References: CVE-2026-25547 CVE-2026-27171 CVE-2026-29786
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

@isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated numeric brace ranges, the library attempts to eagerly generate every possible combination synchronously. Because the expansion grows exponentially, even a small input can consume excessive CPU and memory and may crash the Node.js process. This issue has been patched in version 5.0.1. (CVE-2026-25547)

A flaw was found in zlib. An attacker providing specially crafted input to the crc32_combine64 or crc32_combine_gen64 functions could trigger an infinite loop within the x2nmodp function. This leads to excessive CPU consumption, which can result in a Denial of Service (DoS) for the affected system. (CVE-2026-27171)

node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This issue has been patched in version 7.5.10. (CVE-2026-29786)

Affected Packages:

nodejs24

Issue Correction:
Run dnf update nodejs24 --releasever 2023.11.20260427 or dnf update --advisory ALAS2023-2026-1609 --releasever 2023.11.20260427 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation

New Packages:

aarch64:
    nodejs24-libs-debuginfo-24.15.0-1.amzn2023.0.1.aarch64
    nodejs24-debuginfo-24.15.0-1.amzn2023.0.1.aarch64
    nodejs24-full-i18n-24.15.0-1.amzn2023.0.1.aarch64
    v8-13.6-devel-13.6.233.17-1.24.15.0.1.amzn2023.0.1.aarch64
    nodejs24-devel-24.15.0-1.amzn2023.0.1.aarch64
    nodejs24-24.15.0-1.amzn2023.0.1.aarch64
    nodejs24-libs-24.15.0-1.amzn2023.0.1.aarch64
    nodejs24-debugsource-24.15.0-1.amzn2023.0.1.aarch64

noarch:
    nodejs24-docs-24.15.0-1.amzn2023.0.1.noarch
    nodejs24-npm-11.12.1-1.24.15.0.1.amzn2023.0.1.noarch

src:
    nodejs24-24.15.0-1.amzn2023.0.1.src

x86_64:
    nodejs24-libs-debuginfo-24.15.0-1.amzn2023.0.1.x86_64
    nodejs24-full-i18n-24.15.0-1.amzn2023.0.1.x86_64
    nodejs24-devel-24.15.0-1.amzn2023.0.1.x86_64
    nodejs24-debuginfo-24.15.0-1.amzn2023.0.1.x86_64
    nodejs24-libs-24.15.0-1.amzn2023.0.1.x86_64
    nodejs24-24.15.0-1.amzn2023.0.1.x86_64
    v8-13.6-devel-13.6.233.17-1.24.15.0.1.amzn2023.0.1.x86_64
    nodejs24-debugsource-24.15.0-1.amzn2023.0.1.x86_64

Additional References

Release Notes: Amazon Linux 2023 Release Notes

Red Hat: CVE-2026-25547, CVE-2026-27171, CVE-2026-29786

Mitre: CVE-2026-25547, CVE-2026-27171, CVE-2026-29786