Lucene search: Nodejsblog (Most viewed)

77 matches found

Node JS Blog
added 2025/01/21 12:00 a.m., 25 views

Tuesday, January 21, 2025 Security Releases

Security releases available. Updates are now available for the 23.x, 22.x, 20.x, 18.x Node.js release lines for the following issues. This security release includes the following dependency updates to address public vulnerabilities: undici v7.2.3, v6.21....

CVSS 7.7, AI score 6.8, EPSS 0.01289
Exploits: 1
Node JS Blog
added 2024/04/03 12:00 a.m., 25 views

Wednesday, April 3, 2024 Security Releases

Security releases available. Updates are now available for the v18.x, v20.x and 21.x Node.js release lines for the following issues. This security release includes the following dependency updates to address public vulnerabilities: llhttp version 9.2.1 on...

CVSS 8.2, AI score 7.2, EPSS 0.75933
Exploits: 1
Node JS Blog
added 2019/02/28 12:00 a.m., 25 views

February 2019 Security Releases

Update 28-February-2018: Security releases available. Summary: Updates are now available for all active Node.js release lines. In addition to fixes for security flaws in Node.js, they also include upgrades of Node.js 6 and 8 to OpenSSL 1.0.2r which contains a fix for ...

CVSS 7.5, AI score 7, EPSS 0.26351
Exploits: 0
Node JS Blog
added 2017/10/24 12:00 a.m., 24 views

DOS security vulnerability, October 2017

Update 24-October-2017: Releases available. Summary: Updates are now available for all active Node.js release lines. These include the fix for the vulnerability identified in the initial announcement. We recommend that all users upgrade as soon as possible...

CVSS 7.5, AI score 7.6, EPSS 0.00556
Exploits: 0
Node JS Blog
added 2024/04/10 12:00 a.m., 23 views

Wednesday, April 10, 2024 Security Releases

Security releases available. Updates are now available for the 18.x, 20.x, 21.x Node.js release lines for the following issues. Command injection via args parameter of child_process.spawn without shell option enabled on Windows, CVE-2024-27980 - HIGH. Due t...

CVSS 8.1, AI score 8.6, EPSS 0.00369
Exploits: 0
Node JS Blog
added 2016/05/02 12:00 a.m., 23 views

OpenSSL updates, 1.0.1t and 1.0.2h

Update 6-May-2016: New Node.js Releases. The following releases have been made available to include the security updates to OpenSSL discussed in the post below. Please upgrade your Node.js installation as soon as possible in order to be protected against the...

AI score 7
Exploits: 0
Node JS Blog
added 2016/01/27 12:00 a.m., 23 views

OpenSSL upgrade low-severity Node.js security fixes

Updates to this post, including a schedule change, are included below. Summary: The Node.js project will be releasing new versions across all of its active release lines early next week (possibly sooner, pending full impact assessment) to incorporate...

AI score 7.1
Exploits: 0
Node JS Blog
added 2017/09/29 12:00 a.m., 21 views

Path validation vulnerability, September 2017

Path Validation Vulnerability. Updated 29-September-2017 - CVE assigned. The Node.js project released a new version of 8.x this week which incorporates a security fix. Impact: Version 8.5.0 of Node.js is vulnerable. 4.x and 6.x versions are NOT vulnerabl...

CVSS 7.5, AI score 8.5, EPSS 0.90232
Exploits: 2
Node JS Blog
added 2017/07/11 12:00 a.m., 21 views

Security updates for all active release lines, July 2017

Update 10-August-2017: Snapshots Re-enabled on 8.3.0. The vulnerability has been patched upstream and snapshots have been re-enabled in 8.3.0. Expect a backport and update with the next release of 6.x. Download Node.js v8 Current Update...

CVSS 7.5, AI score 7.9, EPSS 0.00545
Exploits: 1
Node JS Blog
added 2016/02/29 12:00 a.m., 18 views

OpenSSL updates, 1.0.2g and 1.0.1s

Updates to this post, including a schedule change, are included below. The OpenSSL project has announced that they will be releasing versions 1.0.2g and 1.0.1s this week, on Tuesday the 1st of March, UTC. The releases will fix "several defects" that are labelled a...

AI score 7
Exploits: 0
Node JS Blog
added 2025/05/14 12:00 a.m., 16 views

Wednesday, May 14, 2025 Security Releases

Security releases available. Updates are now available for the 24.x, 23.x, 22.x, 20.x Node.js release lines for the following issues. Improper error handling in async cryptographic operations crashes process, CVE-2025-23166 - high. The C++ method...

CVSS 7.5, AI score 6.6, EPSS 0.0056
Exploits: 1
Node JS Blog
added 2023/03/23 12:00 a.m., 16 views

Node.js March 17th Infrastructure Incident Post-mortem

By Matt Cowley, Claudio Wunder, Mar 23, 2023. The Incident: Starting on March 15th and going through to March 17th with much of the issue being mitigated on the 16th, users were receiving intermittent 404 responses when trying to download Node....

AI score 6.6
Exploits: 0
Node JS Blog
added 2026/01/13 12:00 a.m., 14 views

Tuesday, January 13, 2026 Security Releases

Security releases available. Updates are now available for the 25.x, 24.x, 22.x, and 20.x Node.js release lines to address: 3 high severity issues. 4 medium severity issues. 1 low severity issue. This security release includes the following dependency...

CVSS 10, AI score 7.2, EPSS 0.00109
Exploits: 3
Node JS Blog
added 2019/09/05 12:00 a.m., 13 views

OpenSSL security releases may require Node.js security releases

Summary: The Node.js project may be releasing new versions across all of its supported release lines early next week to incorporate upstream patches from OpenSSL. Please read on for full details. OpenSSL: The OpenSSL project announced...

AI score 7.2
Exploits: 0
Node JS Blog
added 2020/04/21 12:00 a.m., 12 views

OpenSSL security releases do not require Node.js security releases

Update: The OpenSSL project has released a description of the issue fixed in the OpenSSL 1.1.1g update. It only affects a function which is not called by Node.js or its dependencies, and as such, does not affect Node.js. No Node.js...

AI score 7.1
Exploits: 0
Node JS Blog
added 2025/03/07 12:00 a.m., 11 views

Updates on CVE for End-of-Life Versions

Update on the issuance of CVEs to mark End-of-Life Node.js Versions. TL;DR: CVE-2025-23087, CVE-2025-23088, and CVE-2025-23089 issued to tag EOL versions have been rejected by the CVE Program. The Node.js team has, therefore, decided to update previous...

AI score 7.2
Exploits: 0
Node JS Blog
added 2016/03/31 12:00 a.m., 11 views

npm security updates v2.15.1 and v3.8.3

This announcement is also covered on the npm blog: http://blog.npmjs.org/post/142036323955/fixing-a-bearer-token-vulnerability. The primary npm registry has, since late 2014, used HTTP bearer tokens to authenticate requests from the npm command-line interfac...

AI score 7.2
Exploits: 0
Node JS Blog
added 2025/07/15 12:00 a.m., 10 views

Tuesday, July 15, 2025 Security Releases

Security releases available. Updates are now available for the 24.x, 22.x, 20.x Node.js release lines for the following issues. Windows Device Names CON, PRN, AUX Bypass Path Traversal Protection in path.normalize, CVE-2025-27210 - high. An incomplete fix has...

CVSS 7.5, AI score 6.3, EPSS 0.06002
Exploits: 5
Node JS Blog
added 2018/01/08 12:00 a.m., 10 views

Meltdown and Spectre - Impact On Node.js

Summary: Project Zero has recently announced some new attacks that have received a lot of attention: https://googleprojectzero.blogspot.ca/2018/01/reading-privileged-memory-with-side.html. The risk from these attacks to systems running Node.js resides in th...

AI score 7.5
Exploits: 0
Node JS Blog
added 2025/01/06 12:00 a.m., 8 views

Upcoming CVE for End-of-Life Node.js Versions

The Node.js Project is committed to ensuring the security and reliability of applications built on Node.js. As part of this commitment, we regularly review measures to help our users stay informed about security risks. Announcement: We will soon issue ...

AI score 5.7
Exploits: 0
Node JS Blog
added 2012/05/07 12:00 a.m., 8 views

HTTP Server Security Vulnerability: Please upgrade to 0.6.17

tl;dr: A carefully crafted attack request can cause the contents of the HTTP parser's buffer to be appended to the attacking request's header, making it appear to come from the attacker. Since it is generally safe to echo back contents o...

AI score 6.3
Exploits: 0
Node JS Blog
added 2026/01/28 12:00 a.m., 7 views

OpenSSL Security Advisory Assessment, January 2026

Summary: The OpenSSL project released a security advisory that includes 12 CVEs. After assessment, we have concluded that three CVEs affect Node.js (severity Low to Moderate). Given the limited attack surface, the OpenSSL updates will be included in...

CVSS 8.8, AI score 6.1, EPSS 0.02889
Exploits: 7
Node JS Blog
added 2025/04/23 12:00 a.m., 7 views

Node.js Test CI Security Incident

Update 23-April-2025: Node.js Test CI Security Incident – Full Disclosure. Summary: On March 21, 2025, we received a security report via HackerOne (link restricted at time of writing), detailing a successful compromise of several Node.js test CI hosts. According to th...

AI score 6.3
Exploits: 0
Node JS Blog
added 2019/12/18 12:00 a.m., 6 views

December 2019 Security Releases

Update 18-December-2019: Releases available. These releases update npm to v6.13.4 to address three vulnerabilities described below. All current release lines were affected. At this time, CVEs have been requested by npm, Inc. and are pending review. See...

AI score 7.4
Exploits: 0
Node JS Blog
added 2026/01/13 12:00 a.m., 4 views

Mitigating Denial-of-Service Vulnerability from Unrecoverable Stack Space Exhaustion for React, Next.js, and APM Users

TL;DR: Node.js/V8 makes a best-effort attempt to recover from stack space exhaustion with a catchable error, which frameworks have come to rely on for service availability. An edg...

CVSS 6.3, AI score 6.4, EPSS 0.0004
Exploits: 1
Node JS Blog
added 2026/03/24 12:00 a.m., 3 views

Tuesday, March 24, 2026 Security Releases

Security releases available. Updates are now available for the 25.x, 24.x, 22.x, 20.x Node.js release lines for the following issues. This security release includes the following dependency updates to address public vulnerabilities: undici 6.24.1, 7.24.4 o...

CVSS 7.5, AI score 6.6, EPSS 0.00095
Exploits: 0
Node JS Blog
added 2026/03/24 12:00 a.m., 3 views

Developing a minimally HashDoS resistant, yet quickly reversible integer hash for V8

What happens when a hashing scheme needs to be both HashDoS resistant and quickly reversible? That's the puzzle we tried to solve for addressing CVE-2026-21717 in the March 2026 Node.js security release. This led...

AI score 5.8
Exploits: 0
Total number of security vulnerabilities: 77