
Tuesday, January 13, 2026 Security Releases

The Node.js Project

Security releases available

Updates are now available for the 25.x, 24.x, 22.x, 20.x Node.js release lines to address:

  • 3 high severity issues.
  • 4 medium severity issues.
  • 1 low severity issue.

This security release includes the following dependency updates to address public vulnerabilities:

  • c-ares (1.34.6) on 20.x, 22.x, 24.x, 25.x
  • undici (6.23.0, 7.18.0) on 20.x, 22.x, 24.x, 25.x

Timeout-based race conditions make Uint8Array/Buffer.alloc non-zerofilled (CVE-2025-55131) - (High)

A flaw in Node.js's buffer allocation logic can expose uninitialized memory when an allocation is interrupted by a vm module timeout (the timeout option). Under specific timing conditions, buffers allocated with Buffer.alloc and other TypedArray instances such as Uint8Array may contain leftover data from previous operations, allowing in-process secrets such as tokens or passwords to leak or causing data corruption.

While exploitation typically requires precise timing or in-process code execution, it can become remotely exploitable when untrusted input influences workload and timeouts, leading to potential confidentiality and integrity impact.

Impact:

  • This vulnerability affects all users in active release lines: 20.x, 22.x, 24.x, 25.x

Thank you to Nikita Skovoroda for reporting and fixing this vulnerability.

A flaw in Node.js’s Permissions model allows attackers to bypass --allow-fs-read and --allow-fs-write restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write, leading to potential system compromise.

Impact:

  • This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.

Thank you to natann for reporting this vulnerability and to RafaelGSS for fixing it.

Node.js HTTP/2 server crashes with unhandled error when receiving malformed HEADERS frame (CVE-2025-59465) - (High)

A malformed HTTP/2 HEADERS frame with oversized, invalid HPACK data can cause Node.js to crash by triggering an unhandled TLSSocket error (ECONNRESET). Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach an explicit error handler to secure sockets, for example a handler such as:

server.on('secureConnection', (socket) => {
  // Without this listener an ECONNRESET on the TLS socket is an unhandled
  // 'error' event and terminates the process.
  socket.on('error', (err) => {
    console.error(err);
  });
});

Impact:

  • This vulnerability affects all users in active release lines: 20.x, 22.x, 24.x, 25.x

Thank you to dantt for reporting this vulnerability and to RafaelGSS for fixing it.

Uncatchable "Maximum call stack size exceeded" error on Node.js via async_hooks leads to process crashes bypassing error handlers (CVE-2025-59466) - (Medium)

We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when async_hooks.createHook() is enabled. Instead of reaching process.on('uncaughtException'), the process terminates, making the crash unrecoverable. Applications that rely on AsyncLocalStorage (v22, v20) or async_hooks.createHook() (v24, v22, v20) become vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions.

Impact:

  • This vulnerability affects all users in active release lines: 20.x, 22.x, 24.x, 25.x

Thank you to Andrew MacPherson (AndrewMohawk) for identifying and aaron_vercel for reporting this vulnerability, and to mcollina for fixing it.

Memory leak that enables remote Denial of Service against applications processing TLS client certificates (CVE-2025-59464) - (Medium)

A memory leak in Node.js’s OpenSSL integration occurs when converting X.509 certificate fields to UTF-8 without freeing the allocated buffer. When applications call socket.getPeerCertificate(true), each certificate field leaks memory, allowing remote clients to trigger steady memory growth through repeated TLS connections. Over time this can lead to resource exhaustion and denial of service.

Impact:

  • This vulnerability affects all users in active release lines: 20.x, 22.x, 24.x

Thank you to giant_anteater for reporting this vulnerability and to RafaelGSS for fixing it.

Node.js permission model bypass via unchecked Unix Domain Socket connections (UDS) (CVE-2026-21636) - (Medium)

A flaw in Node.js's permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when --permission is enabled. Even without --allow-net, attacker-controlled inputs (such as URLs or socketPath options) can connect to arbitrary local sockets via net, tls, or undici/fetch. This breaks the intended security boundary of the permission model and enables access to privileged local services, potentially leading to privilege escalation, data exposure, or local code execution.

At the time of this vulnerability, network permissions (--allow-net) are still in the experimental phase.

Impact:

  • The issue affects users of the Node.js permission model on version v25.

Thank you to mufeedvh for reporting this vulnerability and to RafaelGSS for fixing it.

TLS PSK/ALPN Callback Exceptions Bypass Error Handlers, Causing DoS and FD Leak (CVE-2026-21637) - (Medium)

A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when pskCallback or ALPNCallback are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue.
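The defensive pattern the impact statement alludes to is wrapping both callbacks so that application-side exceptions become a handshake rejection instead of escaping into the TLS error path. The following is an added example, not code from the Node.js advisory; `guardCallback`, `chooseProtocol`, `lookupPsk`, `buildTlsOptions` and the PSK table are hypothetical, and the key material in the table is a constructed sample.

```javascript
// Added example, not code from the Node.js advisory: wrap pskCallback and
// ALPNCallback so a synchronous exception in application logic is turned into
// a clean handshake rejection (ALPN: undefined, PSK: null) instead of escaping
// the TLS error path. `guardCallback`, `chooseProtocol`, `lookupPsk`,
// `buildTlsOptions` and PSK_TABLE are hypothetical.
function guardCallback(fn, rejectValue, onError = (err) => console.error('TLS callback threw:', err.message)) {
  return function guarded(...args) {
    try {
      return fn.apply(this, args);
    } catch (err) {
      onError(err);
      return rejectValue; // reject this handshake only; the process keeps serving
    }
  };
}

// Application policy: ALPNCallback receives { servername, protocols } from the ClientHello.
function chooseProtocol({ protocols }) {
  if (!Array.isArray(protocols)) throw new TypeError('protocols must be an array');
  if (protocols.includes('h2')) return 'h2';
  if (protocols.includes('http/1.1')) return 'http/1.1';
  return undefined; // no mutually supported protocol: reject
}

// Constructed PSK table: identity -> pre-shared key (sample value, not a real secret).
const PSK_TABLE = new Map([['client-1', Buffer.from('constructed-psk-key-0001')]]);

// pskCallback receives (socket, identity); identity is client-controlled handshake input.
function lookupPsk(socket, identity) {
  if (typeof identity !== 'string' || identity.length > 128) {
    throw new RangeError('unexpected identity'); // a bug here must not crash the server
  }
  const psk = PSK_TABLE.get(identity);
  return psk ? { psk, identity } : null;
}

const safeALPNCallback = guardCallback(chooseProtocol, undefined);
const safePskCallback = guardCallback(lookupPsk, null);

// Options for tls.createServer(); `key`, `cert` and PSK-capable `ciphers` come from the caller.
function buildTlsOptions(base) {
  return { ...base, ALPNCallback: safeALPNCallback, pskCallback: safePskCallback };
}
```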

Impact:

  • This vulnerability affects TLS servers using PSK or ALPN callbacks across Node.js versions where these callbacks throw without being safely wrapped.

Thank you to 0xmaxhax for reporting this vulnerability and to mcollina for fixing it.

fs.futimes() Bypasses Read-Only Permission Model (CVE-2025-55132) - (Low)

A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via futimes() even when the process has only read permissions.

Unlike utimes(), futimes() does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs.

Impact:

  • This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.

Thank you to oriotie for reporting this vulnerability and to RafaelGSS for fixing it.

Downloads and release details

Summary

The Node.js project will release new versions of the 25.x, 24.x, 22.x, 20.x release lines on or shortly after Monday, December 15, 2025 in order to address:

  • 3 high severity issues.
  • 1 low severity issue.
  • 1 medium severity issue.

Impact

  • The 25.x release line of Node.js is vulnerable to 3 high severity issues, 1 low severity issue.
  • The 24.x release line of Node.js is vulnerable to 3 high severity issues, 1 low severity issue, 1 medium severity issue.
  • The 22.x release line of Node.js is vulnerable to 3 high severity issues, 1 low severity issue, 1 medium severity issue.
  • The 20.x release line of Node.js is vulnerable to 3 high severity issues, 1 low severity issue, 1 medium severity issue.

It's important to note that End-of-Life versions are always affected when a security release occurs. To ensure your system's security, please use an up-to-date version as outlined in our Release Schedule.

Release timing

Releases will be available on, or shortly after, Monday, December 15, 2025.

Contact and future updates

The current Node.js security policy can be found at https://nodejs.org/en/security/. Please follow the process outlined in https://github.com/nodejs/node/blob/master/SECURITY.md if you wish to report a vulnerability in Node.js.

Subscribe to the low-volume announcement-only nodejs-sec mailing list at https://groups.google.com/forum/#!forum/nodejs-sec to stay up to date on security vulnerabilities and security-related releases of Node.js and the projects maintained in the nodejs GitHub organization.