Tuesday, March 24, 2026 Security Releases
Tuesday, March 24, 2026 Security Releases Security releases available Updates are now available for the 25.x, 24.x, 22.x, 20.x Node.js release lines for the following issues. This security release includes the following dependency updates to address public vulnerabilities: undici 6.24.1, 7.24.4 o...
Developing a minimally HashDoS resistant, yet quickly reversible integer hash for V8
Developing a minimally HashDoS resistant, yet quickly reversible integer hash for V8 What happens when a hashing scheme needs to be both HashDoS resistant and quickly reversible? That's the puzzle we tried to solve for addressing CVE-2026-21717 in the March 2026 Node.js security release. This led...
OpenSSL Security Advisory Assessment, January 2026
OpenSSL Security Advisory Assessment, January 2026 Summary The OpenSSL project released a security advisory that includes 12 CVEs. After assessment, we have concluded that three CVEs affect Node.js severity Low to Moderate. Given the limited attack surface, the OpenSSL updates will be included in...
Tuesday, January 13, 2026 Security Releases
Tuesday, January 13, 2026 Security Releases Security releases available Updates are now available for the 25.x, 24.x, 22.x, and 20.x Node.js release lines to address: 3 high severity issues. 4 medium severity issues. 1 low severity issue. This security release includes the following dependency...
Mitigating Denial-of-Service Vulnerability from Unrecoverable Stack Space Exhaustion for React, Next.js, and APM Users
Mitigating Denial-of-Service Vulnerability from Unrecoverable Stack Space Exhaustion for React, Next.js, and APM Users TL;DR Node.js/V8 makes a best-effort attempt to recover from stack space exhaustion with a catchable error, which frameworks have come to rely on for service availability. An edg...
Tuesday, July 15, 2025 Security Releases
Tuesday, July 15, 2025 Security Releases Security releases available Updates are now available for the 24.x, 22.x, 20.x Node.js release lines for the following issues. Windows Device Names CON, PRN, AUX Bypass Path Traversal Protection in path.normalize CVE-2025-27210 - high An incomplete fix has...
Wednesday, May 14, 2025 Security Releases
Wednesday, May 14, 2025 Security Releases Security releases available Updates are now available for the 24.x, 23.x, 22.x, 20.x Node.js release lines for the following issues. Improper error handling in async cryptographic operations crashes process CVE-2025-23166 - high The C++ method...
Node.js Test CI Security Incident
Node.js Test CI Security Incident Update 23-April-2025 Node.js Test CI Security Incident – Full Disclosure Summary On March 21, 2025, we received a security report via HackerOne (link restricted at time of writing), detailing a successful compromise of several Node.js test CI hosts. According to th...
Updates on CVE for End-of-Life Versions
Updates on CVE for End-of-Life Versions Update on the issuance of CVEs to mark End-of-Life Node.js Versions TL;DR: CVE-2025-23087, CVE-2025-23088, and CVE-2025-23089 issued to tag EOL versions have been rejected by the CVE Program. The Node.js team has, therefore, decided to update previous...
Tuesday, January 21, 2025 Security Releases
Tuesday, January 21, 2025 Security Releases Security releases available Updates are now available for the 23.x, 22.x, 20.x, 18.x Node.js release lines for the following issues. This security release includes the following dependency updates to address public vulnerabilities: undici v7.2.3, v6.21....
Upcoming CVE for End-of-Life Node.js Versions
Upcoming CVE for End-of-Life Node.js Versions The Node.js Project is committed to ensuring the security and reliability of applications built on Node.js. As part of this commitment, we regularly review measures to help our users stay informed about security risks. Announcement We will soon issue ...
Monday, July 8, 2024 Security Releases
Monday, July 8, 2024 Security Releases Security releases available Updates are now available for the 22.x, 20.x, 18.x Node.js release lines for the following issues. Bypass incomplete fix of CVE-2024-27980 CVE-2024-36138 - High The CVE-2024-27980 was identified as an incomplete fix for the...
Wednesday, April 10, 2024 Security Releases
Wednesday, April 10, 2024 Security Releases Security releases available Updates are now available for the 18.x, 20.x, 21.x Node.js release lines for the following issues. Command injection via args parameter of child_process.spawn without shell option enabled on Windows CVE-2024-27980 - HIGH Due t...
Wednesday, April 3, 2024 Security Releases
Wednesday, April 3, 2024 Security Releases Security releases available Updates are now available for the v18.x, v20.x and 21.x Node.js release lines for the following issues. This security release includes the following dependency updates to address public vulnerabilities: llhttp version 9.2.1 on...
Wednesday February 14 2024 Security Releases
Wednesday February 14 2024 Security Releases Update 14-February-2024 Security releases available Updates are now available for the v18.x, v20.x and v21.x Node.js release lines for the following issues. This security release includes the following dependency updates to address public...
OpenSSL Recent Security Patches
OpenSSL Recent Security Patches Summary For the vulnerabilities disclosed in the OpenSSL Security Advisories of: OpenSSL 3.0.11 - Tuesday 19th September 2023 OpenSSL 3.0.12 - Tuesday 24th October 2023 Node.js Windows is affected by one vulnerability rated as LOW. Therefore, these patches will be...
Friday October 13 2023 Security Releases
Friday October 13 2023 Security Releases Update 13-October-2023 Security releases available Updates are now available for the v18.x and v20.x Node.js release lines for the following issues. undici - Cookie headers are not cleared in cross-domain redirect in undici-fetch Low - CVE-2023-45143 Undic...
Wednesday August 9th 2023 Security Releases
Wednesday August 9th 2023 Security Releases Update 09-August-2023 Security releases available Updates are now available for the v16.x, v18.x, and v20.x Node.js release lines for the following issues. Permissions policies can be bypassed via Module.load HIGH CVE-2023-32002 The use of Module.load ca...
Tuesday June 20 2023 Security Releases
Tuesday June 20 2023 Security Releases Update 20-June-2023 Security releases available Updates are now available for all supported Node.js release lines for the following issues. OpenSSL Security updates This security release includes the following OpenSSL security updates OpenSSL security adviso...
Node.js March 17th Infrastructure Incident Post-mortem
Node.js March 17th Infrastructure Incident Post-mortem By Matt Cowley, Claudio Wunder, Mar 23, 2023 The Incident Starting on March 15th and going through to March 17th with much of the issue being mitigated on the 16th, users were receiving intermittent 404 responses when trying to download Node....
Thursday February 16 2023 Security Releases
Thursday February 16 2023 Security Releases Update 16-February-2023 Security releases available Updates are now available for the v19.x, v18.x, v16.x, and v14.x Node.js release lines for the following issues. OpenSSL Security updates This security release includes OpenSSL security updates as...
Node v18.13.0 (LTS)
Node v18.13.0 LTS By Danielle Adams, Jan 06, 2023 Notable changes Add support for externally shared js builtins By default Node.js is built so that all dependencies are bundled into the Node.js binary itself. Some Node.js distributions prefer to manage dependencies externally. There are existing...
OpenSSL 3.0.7 update assessment
OpenSSL 3.0.7 update assessment Summary The vulnerability in the OpenSSL Security Advisory of Dec 13 2022 does not affect any active Node.js release lines. Analysis Our assessment of the security advisory is: X.509 Policy Constraints Double Locking CVE-2022-3996 Node.js doesn't call OpenSSL as a...
Nov 3 2022 Security Releases
Nov 3 2022 Security Releases Update 04-November-2022 Security releases available Updates are now available for v14.x, v16.x, v18.x and v19.x Node.js release lines for the following issues. X.509 Email Address 4-byte Buffer Overflow High CVE-2022-3602 A buffer overrun can be triggered in X.509...
OpenSSL November Security Release
OpenSSL November Security Release Summary The Node.js project may be releasing new versions across all of its supported release lines in the first week of November to incorporate upstream patches from OpenSSL. Please read on for full details. OpenSSL The OpenSSL project announced will release...
OpenSSL and zlib update assessment, and Node.js Assessment workflow
OpenSSL and zlib update assessment, and Node.js Assessment workflow Summary The vulnerability in the OpenSSL Security release of Oct 11 2022 does not affect any active Node.js release lines, as well as the zlib vulnerability CVE-2022-37434 patched on the zlib Security release of Oct 13 2022, does...
September 23rd 2022 Security Releases
September 23rd 2022 Security Releases Update 26-September-2022 Security releases available Recommendation update regarding CVE-2022-35255: Roll-out and re-issue all keys generated with WebCrypto.subtle.generateKey. Re-evaluate the confidentiality of data encrypted with those keys. Update...
July 7th 2022 Security Releases
July 7th 2022 Security Releases Update 07-July-2022 Security releases available Updates are now available for the v18.x, v16.x, and v14.x Node.js release lines for the following issues. HTTP Request Smuggling - Flawed Parsing of Transfer-Encoding Medium CVE-2022-32213 The llhttp parser in the http...
OpenSSL update assessment, and Node.js project plans
OpenSSL update assessment, and Node.js project plans By Rafael Gonzaga, Jun 21, 2022 Summary The vulnerabilities in the OpenSSL Security releases of Jun 21 2022 do not affect any active Node.js release lines. Analysis Our assessment of the security advisory is: The c_rehash script allows command...
OpenSSL update assessment, and Node.js project plans
OpenSSL update assessment, and Node.js project plans Summary The vulnerabilities in the OpenSSL Security releases of Jun 21 2022 do not affect any active Node.js release lines. Analysis Our assessment of the security advisory is: The c_rehash script allows command injection CVE-2022-2068 Node.js...
OpenSSL update assessment, and Node.js project plans
OpenSSL update assessment, and Node.js project plans Summary The OpenSSL Security releases of May 3 2022 affect Node.js 17.x and 18.x, but the highest severity is "Low" Analysis Our assessment of the security advisory is: The c_rehash script allows command injection CVE-2022-1292 Node.js doesn't use ...
OpenSSL security releases require Node.js security releases
OpenSSL security releases require Node.js security releases Update 18-Mar-2022 Security releases available Updates are now available for v17.x, v16.x, v14.x, and v12.x Node.js release lines to incorporate upstream patches from OpenSSL. Update to OpenSSL 3.0.2n and 1.1.1n, High CVE-2022-0778...
January 10th 2022 Security Releases
January 10th 2022 Security Releases Update 10-Jan-2022 Security releases available Updates are now available for the v17.x, v16.x, v14.x, and v12.x Node.js release lines for the following issues. Improper handling of URI Subject Alternative Names Medium CVE-2021-44531 Accepting arbitrary Subject...
October 12th 2021 Security Releases
October 12th 2021 Security Releases Update 12-Oct-2021 Security releases available Updates are now available for the v16.x, v14.x, and v12.x Node.js release lines for the following issues. HTTP Request Smuggling due to spaces in headers Medium CVE-2021-22959 The http parser accepts requests with a...
August 31 2021 Security Releases
August 31 2021 Security Releases Update 6-Dec-2021 Security releases available Updates are now available for v14.x, and v12.x Node.js release lines for the following issues. npm 6 update - node-tar There are vulnerabilities in the node-tar which are related to the initial reports and subsequent...
August 2021 Security Releases
August 2021 Security Releases Update 11-Aug-2021 Security releases available Updates are now available for v16.x, v14.x, and v12.x Node.js release lines for the following issues. cares upgrade - Improper handling of untypical characters in domain names High CVE-2021-22931 Node.js was vulnerable t...
July 2021 Security Releases
July 2021 Security Releases Security releases available Updates are now available for v16.x, v14.x, and v12.x Node.js release lines for the following issue. We normally like to give advance notice and provide releases in which the only changes are security fixes, but since this vulnerability was...
July 2021 Security Releases
July 2021 Security Releases Update 1-Jul-2021 Security releases available Updates are now available for v16.x, v14.x, and v12.x Node.js release lines for the following issues. libuv upgrade - Out of bounds read Medium CVE-2021-22918 Node.js is vulnerable to out-of-bounds read in libuv's...
April 2021 Security Releases
April 2021 Security Releases Update 6-Apr-2021 Security releases available Updates are now available for v10.x, v12.x, v14.x and v15.x Node.js release lines for the following issues. OpenSSL - CA certificate check bypass with X509_V_FLAG_X509_STRICT High CVE-2021-3450 This is a vulnerability in OpenS...
February 2021 Security Releases
February 2021 Security Releases Update 23-Feb-2021 Security releases available Updates are now available for v10.x, v12.x, v14.x and v15.x Node.js release lines for the following issues. HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion Critical CVE-2021-22883 Affected Node.j...
January 2021 Security Releases
January 2021 Security Releases Update 4-Jan-2021 Security releases available Updates are now available for v10.x, v12.x, v14.x and v15.x Node.js release lines for the following issues. In addition to the vulnerabilities listed below, these releases also include an update to npm in order to resolv...
November 2020 Security Releases
November 2020 Security Releases Update 16-Nov-2020 Security releases available Updates are now available for v12.x, v14.x and v15.x Node.js release lines for the following issues. Denial of Service through DNS request CVE-2020-8277 A Node.js application that allows an attacker to trigger a DNS...
September 2020 Security Releases
September 2020 Security Releases Update 15-Sept-2020 Security releases available Updates are now available for v10.x, v12.x and v14.x Node.js release lines for the following issues. HTTP Request Smuggling due to CR-to-Hyphen conversion High CVE-2020-8201 Affected Node.js versions converted carria...
June 2020 Security Releases
June 2020 Security Releases Update 2-June-2020 Security releases available Updates are now available for all supported Node.js release lines for the following issues. TLS session reuse can lead to host certificate verification bypass High CVE-2020-8172 The 'session' event could be emitted before...
OpenSSL security releases do not require Node.js security releases
OpenSSL security releases do not require Node.js security releases Update The OpenSSL project has released a description of the issue fixed in the OpenSSL 1.1.1g update. It only affects a function which is not called by Node.js or its dependencies, and as such, does not affect Node.js. No Node.js...
February 2020 Security Releases
February 2020 Security Releases Update 6-February-2020 Security releases available Updates are now available for all active Node.js release lines for the following issues. HTTP request smuggling using malformed Transfer-Encoding header Critical CVE-2019-15605 Affected Node.js versions can be...
December 2019 Security Releases
December 2019 Security Releases Update 18-December-2019 Releases available These releases update npm to v6.13.4 to address three vulnerabilities described below. All current release lines were affected. At this time, CVEs have been requested by npm, Inc. and are pending review. See...
OpenSSL security releases do not require Node.js security releases
OpenSSL security releases do not require Node.js security releases Summary The OpenSSL Security releases of September 10th, 2019 do not affect Node.js. Analysis Our assessment of the security advisory is: ECDSA remote timing attack CVE-2019-1547 Not affected. Node supports only named curves for...
OpenSSL security releases may require Node.js security releases
OpenSSL security releases may require Node.js security releases Summary The Node.js project may be releasing new versions across all of its supported release lines early next week to incorporate upstream patches from OpenSSL. Please read on for full details. OpenSSL The OpenSSL project announced...
August 2019 Security Releases
August 2019 Security Releases Node.js, as well as many other implementations of HTTP/2, have been found vulnerable to Denial of Service attacks. See https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md for more information. Updates are now available for all...