What were you trying to do that didn't work?
Trying to get an advisory about which versions of nodejs in EL9/EL10 are affected by the recently announced NodeJS CVEs
Official announcement:
https://nodejs.org/en/blog/vulnerability/december-2025-security-releases
Technical explanations:
https://nodejs.org/en/blog/vulnerability/january-2026-dos-mitigation-async-hooks
What is the impact of this issue to you?
We are seeing diverging interpretations about whether NodeJS versions < 20 are affected or not. If they are we need to know if RH intends to fix, e.g. nodejs 16 (the ursine RPM shipped on CentOS 9 / RHEL 9) or to retire it, and if the modular RPMs will be updated. If NodeJS 16 is affected but the fixes won't be backported to NodeJS 16 we will need to start moving users to a different solution.
e.g. SUSE claims nodejs < 20 is not affected, at least by the async_hooks CVE-2025-59466: https://www.suse.com/security/cve/CVE-2025-59466.html
But The Hacker News thinks any version >= 8 is affected:
https://thehackernews.com/2026/01/critical-nodejs-vulnerability-can-cause.html
Please provide the package NVR for which the bug is seen:
nodejs-1:16.20.2-8.el9
nodejs20-1:20.11.0-5.el10
nodejs-1:22.16.0-1.el10
nodejs24-1:24.11.1-1.el10
How reproducible is this bug?: Always
Steps to reproduce
Expected results
Advisory and patched versions available, also detailing what versions will not be patched.
Actual results
Versions of nodejs available are below the patched versions (20.20.0, 22.22.0, 24.13.0, 25.3.0) and there is no advisory. There are no recent commits in the relevant GitLab repos mentioning these CVEs either.
Is blocked by: CS-3268 Tag nodejs builds into c9s compose (Closed)