diff --git a/apps/site/pages/en/blog/release/v20.20.2.md b/apps/site/pages/en/blog/release/v20.20.2.md new file mode 100644 index 0000000000000..210b09f55832f --- /dev/null +++ b/apps/site/pages/en/blog/release/v20.20.2.md 
@@ -0,0 +1,117 @@ +--- +date: '2026-03-24T20:35:47.550Z' +category: release +title: Node.js 20.20.2 (LTS) +layout: blog-post +author: Marco Ippolito +--- + +## 2026-03-24, Version 20.20.2 'Iron' (LTS), @marco-ippolito + +This is a security release. + +### Notable Changes + +- (CVE-2026-21717) fix array index hash collision (Joyee Cheung) +- (CVE-2026-21713) use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan) +- (CVE-2026-21710) use null prototype for headersDistinct/trailersDistinct (Matteo Collina) +- (CVE-2026-21716) include permission check on lib/fs/promises (RafaelGSS) +- (CVE-2026-21715) add permission check to realpath.native (RafaelGSS) +- (CVE-2026-21714) handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) +- (CVE-2026-21637) wrap SNICallback invocation in try/catch (Matteo Collina) + +### Commits + +- \[[`cfb51fa9ce`](https://github.com/nodejs/node/commit/cfb51fa9ce)] - **(CVE-2026-21713)** **crypto**: use timing-safe comparison in Web Cryptography HMAC (Filip Skokan) [nodejs-private/node-private#831](https://github.com/nodejs-private/node-private/pull/831) +- \[[`f333d0be5f`](https://github.com/nodejs/node/commit/f333d0be5f)] - **deps**: V8: override `depot_tools` version (Richard Lau) [#62344](https://github.com/nodejs/node/pull/62344) +- \[[`2acd5d1226`](https://github.com/nodejs/node/commit/2acd5d1226)] - **deps**: update undici to v6.24.1 (Matteo Collina) [#62285](https://github.com/nodejs/node/pull/62285) +- \[[`af5c144ebc`](https://github.com/nodejs/node/commit/af5c144ebc)] - **(CVE-2026-21717)** **deps,build,test**: fix array index hash collision (Joyee Cheung) [nodejs-private/node-private#834](https://github.com/nodejs-private/node-private/pull/834) +- \[[`00ad47a28e`](https://github.com/nodejs/node/commit/00ad47a28e)] - **(CVE-2026-21710)** **http**: use null prototype for headersDistinct/trailersDistinct (Matteo Collina) [nodejs-private/node-private#821](https://github.com/nodejs-private/node-private/pull/821) +- 
\[[`0123309566`](https://github.com/nodejs/node/commit/0123309566)] - **(CVE-2026-21716)** **permission**: include permission check on lib/fs/promises (RafaelGSS) [nodejs-private/node-private#840](https://github.com/nodejs-private/node-private/pull/840) +- \[[`00830712bc`](https://github.com/nodejs/node/commit/00830712bc)] - **(CVE-2026-21715)** **permission**: add permission check to realpath.native (RafaelGSS) [nodejs-private/node-private#838](https://github.com/nodejs-private/node-private/pull/838) +- \[[`a0c73425da`](https://github.com/nodejs/node/commit/a0c73425da)] - **(CVE-2026-21714)** **src**: handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) [nodejs-private/node-private#832](https://github.com/nodejs-private/node-private/pull/832) +- \[[`cc3f294507`](https://github.com/nodejs/node/commit/cc3f294507)] - **(CVE-2026-21637)** **tls**: wrap SNICallback invocation in try/catch (Matteo Collina) [nodejs-private/node-private#839](https://github.com/nodejs-private/node-private/pull/839) + +Windows 32-bit Installer: https://nodejs.org/dist/v20.20.2/node-v20.20.2-x86.msi \ +Windows 64-bit Installer: https://nodejs.org/dist/v20.20.2/node-v20.20.2-x64.msi \ +Windows ARM 64-bit Installer: https://nodejs.org/dist/v20.20.2/node-v20.20.2-arm64.msi \ +Windows 32-bit Binary: https://nodejs.org/dist/v20.20.2/win-x86/node.exe \ +Windows 64-bit Binary: https://nodejs.org/dist/v20.20.2/win-x64/node.exe \ +Windows ARM 64-bit Binary: https://nodejs.org/dist/v20.20.2/win-arm64/node.exe \ +macOS 64-bit Installer: https://nodejs.org/dist/v20.20.2/node-v20.20.2.pkg \ +macOS Apple Silicon 64-bit Binary: https://nodejs.org/dist/v20.20.2/node-v20.20.2-darwin-arm64.tar.gz \ +macOS Intel 64-bit Binary: https://nodejs.org/dist/v20.20.2/node-v20.20.2-darwin-x64.tar.gz \ +Linux 64-bit Binary: https://nodejs.org/dist/v20.20.2/node-v20.20.2-linux-x64.tar.xz \ +Linux PPC LE 64-bit Binary: https://nodejs.org/dist/v20.20.2/node-v20.20.2-linux-ppc64le.tar.xz \ +Linux s390x 64-bit Binary: 
https://nodejs.org/dist/v20.20.2/node-v20.20.2-linux-s390x.tar.xz \ +AIX 64-bit Binary: https://nodejs.org/dist/v20.20.2/node-v20.20.2-aix-ppc64.tar.gz \ +ARMv7 32-bit Binary: https://nodejs.org/dist/v20.20.2/node-v20.20.2-linux-armv7l.tar.xz \ +ARMv8 64-bit Binary: https://nodejs.org/dist/v20.20.2/node-v20.20.2-linux-arm64.tar.xz \ +Source Code: https://nodejs.org/dist/v20.20.2/node-v20.20.2.tar.gz \ +Other release files: https://nodejs.org/dist/v20.20.2/ \ +Documentation: https://nodejs.org/docs/v20.20.2/api/ + +### SHASUMS + +``` +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA256 + +3c60f54069a53ad8ffeef2b0f11e1f88333b12decfed755b26ce3fcb5e2d97e4 node-v20.20.2-aix-ppc64.tar.gz +1473f48d689627ec35eb4147d0f22ee60c694f16719c20a7c129b925c60f3a2f node-v20.20.2-arm64.msi +466e05f3477c20dfb723054dfebffe55bc74660ee77f612166fca121dacb65b6 node-v20.20.2-darwin-arm64.tar.gz +6375a1d4421bc04ab284ba89459df788a78c49c89e83c463d0eede47e2efc07b node-v20.20.2-darwin-arm64.tar.xz +8be6f5e4bb128c82774f8a0b8d7a1cc1365a7977d9657cece0ca647b3fe04e61 node-v20.20.2-darwin-x64.tar.gz +4d4c020eb534497e616de38f3733289ff33c615ddab38c048edec6547b7f76ea node-v20.20.2-darwin-x64.tar.xz +6de0e836efa9f32512e61db3dfd08b3d97a015b7e828d1a5efdf281a56a692d9 node-v20.20.2-headers.tar.gz +46573741c48c20c6bcfc71450e2fc56b4d1156d72c3d6cc9917fa8b1cbc6e836 node-v20.20.2-headers.tar.xz +47ef73d543ecf6eb19435f6c03a0ac4809b3bf0dd6b26c7c571efc2a6572a74d node-v20.20.2-linux-arm64.tar.gz +73093db209e4e9e09dd7d15a47aeaab1b74833830df03efa5f942a1122c5fa71 node-v20.20.2-linux-arm64.tar.xz +8e15f121e721c9354132053188d4c1a18ea9e345c019ee440fb256e3dda7df15 node-v20.20.2-linux-armv7l.tar.gz +f704ce75d9a194c30c378049b516000e49612c2f046ac83c7435eb33ec2926f0 node-v20.20.2-linux-armv7l.tar.xz +5f2fd0e0cd67aeac0db800b334151cae6ea70ea337487b26f79ac90e3fe126e1 node-v20.20.2-linux-ppc64le.tar.gz +4ee91307b3b517f880cd63d3f75fc91f4afc926ad9447661b755d50060ba2816 node-v20.20.2-linux-ppc64le.tar.xz 
+ee1ca1193e75a6d31b6007c575deca11b116e84a6bda136ae0e0dbe19399889c node-v20.20.2-linux-s390x.tar.gz +00590e7e1295d265fd22706e10467c03ecf170873b76c1835ff74b47b90ce6e0 node-v20.20.2-linux-s390x.tar.xz +19e56f0825510207dd904f087fe52faa0a4eb6b2aab5f0ea7a33830d04888b8b node-v20.20.2-linux-x64.tar.gz +df770b2a6f130ed8627c9782c988fda9669fa23898329a61a871e32f965e007d node-v20.20.2-linux-x64.tar.xz +63be4e81a9248c5a5ff5f4a67efffef6a4eaa976f5c7fb0b93027db36342e9a3 node-v20.20.2.pkg +8cb85a81f75169eb811f7b2512cf17a646826430debbe016a7461f31e286fdef node-v20.20.2.tar.gz +7aeeacdb858299e09a3e0510d4bb8b266923894a9e3ac0058ba89d4ecf4a4cca node-v20.20.2.tar.xz +f066ba3f80363f8e16a2737a945052ea910733f22c93821519f53667614bafd0 node-v20.20.2-win-arm64.7z +d5c5b1d56f7f9469830eb1f57efeec0a6a9078c0a9e88cd5b4b4b48f46c22069 node-v20.20.2-win-arm64.zip +1bbbfd0312335a95e86642c3beef98bb84def4cca85cd879f3da0baca6797422 node-v20.20.2-win-x64.7z +dc3700fdd57a63eedb8fd7e3c7baaa32e6a740a1b904167ff4204bc68ed8bf77 node-v20.20.2-win-x64.zip +4103cb79dba8c0272e309f8b337c2240369fcba5454bf10c2c4b23932a3c6033 node-v20.20.2-win-x86.7z +cd34d5da2f36ebd84ed57252756ee512447db4502d9f9e38ca8dccb511b0b352 node-v20.20.2-win-x86.zip +9a283dcdb771793d6492235e81f3fc80048db8a37497a0af87b0a9f450d10fa6 node-v20.20.2-x64.msi +5bd11635c4d46a14e5f712ffbddf07a8dc01d6e62c5ac1d20cab47b4fd7f5ce0 node-v20.20.2-x86.msi +a6c4adc2ea22256b5d2df57a981f1538d56d44fc845646a8bdbf66740ac1e948 win-arm64/node.exe +deacf784c804e5ab9df886b2de4c7a04d77ee1c722e2e4f1567aac62391ec4c4 win-arm64/node.lib +46512faa28642586c97e61b1a1431bc0a3b2a85e1d63a22794df3b7ebf8d4cfd win-arm64/node_pdb.7z +9a6ba8c56d58883584a27f861c784f203455e9ae4dd882836b16980c95dfa84c win-arm64/node_pdb.zip +56c1520ee33b801e8bdb92fb321cf2e98529735b6d12bd4a2a6dec0ac0bab937 win-x64/node.exe +c4a794e993d9304238523230885e9ec00ca052c73b9558471858eef14916d91f win-x64/node.lib +e190b1166cce167651d3bd544881420e4642ef2dfc643da0023dee9f91f44046 win-x64/node_pdb.7z 
+656f2062e5cb3057651381d0916ad79b9e2113625572a0745b70bc6844e4196a win-x64/node_pdb.zip +33379026333558256e5f467d80c67ba20f6b8e77e8d3ab72ad4dc005f6e11845 win-x86/node.exe +962e762b899969e773dc1163d53f1dca10a7769d73217b727a94574d2613355b win-x86/node.lib +a1f7bfe7e5536488b9270f1c1ea1d5b259753b7ee89dabf8eaabc59bfc26fb60 win-x86/node_pdb.7z +f9d592b4c57c9749d33570e80f6d63c4aaa2441fb86347c25b81d988c5955889 win-x86/node_pdb.zip +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCAAdFiEEzGj1oxBv9EgyLkjtJ/XjjVsKIV8FAmnC9VIACgkQJ/XjjVsK +IV//Pw//am3VN5wTtH+XMPNIyiFk7yrJPYKFhUPchoYVhKSjmnbdD6zn8F4n5KO6 +t3P5mORXBai0GDBZA219moPX4CpBlVMDWUm87SPndc2nzS0PiGn/9b2vBOYErvel +lGPVaRq6MYE4mTKLIFBoApjJ5mBPPWWnzPOgB0nRw08Uv4rjWS88P4R7qohz2+V0 +L/Szen1f/9F3ev9mGpFXlx4ylNww0ZDu0uJySweZEJE/9s5fq1EkGNQA4zpYpnyU +oqWHcL7ugQI7/2pQbUYk2W8WXTLi8bBuzjmP6mqetXDzltwchjtB8tmZhBqTKtPP +QrS0EcS3POe3hrriuqbm/VarpoRiOgexAG4YuzAMIldcSxNYMteSiP95WvPUfa9i +R7gcZ3KVyOVTtXUTTTqLWQrmzFeDmJNm1Y2n3B+mhKub8PuDwOMbvb77IoV51Azu +NpFSA+QmosLN3G/ydJI4L4JDme9MaYHPRSmBvEMryvpqNWjVoUn8OkHlmgGGreFu +QjyfxBzpYXkxkUHHt68wgIC/odUMxuiBWzLQ3pDlKgnR4bLL/uc+GnzXR6JES71X +NhZAwfLVFTQSBd6oq1ibU1SEObAVe4cIQEezwqT0qy2WFiyikXlgCNRHYtSPtjsf +A5s7j3cE8/naM28vHrt3kLmLIb5Gik5SL+N4Hig18vwKCyk+KkI= +=CXge +-----END PGP SIGNATURE----- +``` diff --git a/apps/site/pages/en/blog/release/v22.22.2.md b/apps/site/pages/en/blog/release/v22.22.2.md new file mode 100644 index 0000000000000..462a66c32c160 --- /dev/null +++ b/apps/site/pages/en/blog/release/v22.22.2.md 
@@ -0,0 +1,122 @@ +--- +date: '2026-03-24T20:43:26.981Z' +category: release +title: Node.js 22.22.2 (LTS) +layout: blog-post +author: Rafael Gonzaga +--- + +## 2026-03-24, Version 22.22.2 'Jod' (LTS), @RafaelGSS prepared by @aduh95 + +This is a security release. + +### Notable Changes + +- (CVE-2026-21637) wrap `SNICallback` invocation in `try`/`catch` (Matteo Collina) - High +- (CVE-2026-21710) use null prototype for `headersDistinct`/`trailersDistinct` (Matteo Collina) - High +- (CVE-2026-21713) use timing-safe comparison in Web Cryptography HMAC (Filip Skokan) - Medium +- (CVE-2026-21714) handle `NGHTTP2_ERR_FLOW_CONTROL` error code (RafaelGSS) - Medium +- (CVE-2026-21717) test array index hash collision (Joyee Cheung) - Medium +- (CVE-2026-21715) add permission check to `realpath.native` (RafaelGSS) - Low +- (CVE-2026-21716) include permission check on `lib/fs/promises` (RafaelGSS) - Low + +### Commits + +- \[[`6f14ee5101`](https://github.com/nodejs/node/commit/6f14ee5101)] - **(CVE-2026-21717)** **build,test**: test array index hash collision (Joyee Cheung) [nodejs-private/node-private#809](https://github.com/nodejs-private/node-private/pull/809) +- \[[`52a52ef619`](https://github.com/nodejs/node/commit/52a52ef619)] - **(CVE-2026-21713)** **crypto**: use timing-safe comparison in Web Cryptography HMAC (Filip Skokan) [nodejs-private/node-private#822](https://github.com/nodejs-private/node-private/pull/822) +- \[[`30a3ab11e2`](https://github.com/nodejs/node/commit/30a3ab11e2)] - **(CVE-2026-21717)** **deps**: V8: cherry-pick aac14dd95e5b (Joyee Cheung) [nodejs-private/node-private#809](https://github.com/nodejs-private/node-private/pull/809) +- \[[`e3f4d6a42e`](https://github.com/nodejs/node/commit/e3f4d6a42e)] - **(CVE-2026-21717)** **deps**: V8: backport 1361b2a49d02 (Joyee Cheung) [nodejs-private/node-private#809](https://github.com/nodejs-private/node-private/pull/809) +- \[[`7dc00fa5f4`](https://github.com/nodejs/node/commit/7dc00fa5f4)] - 
**(CVE-2026-21717)** **deps**: V8: backport 185f0fe09b72 (Joyee Cheung) [nodejs-private/node-private#809](https://github.com/nodejs-private/node-private/pull/809) +- \[[`076acd052d`](https://github.com/nodejs/node/commit/076acd052d)] - **(CVE-2026-21717)** **deps**: V8: backport 0a8b1cdcc8b2 (snek) [nodejs-private/node-private#809](https://github.com/nodejs-private/node-private/pull/809) +- \[[`963c60a951`](https://github.com/nodejs/node/commit/963c60a951)] - **deps**: V8: override `depot_tools` version (Richard Lau) [#62344](https://github.com/nodejs/node/pull/62344) +- \[[`a688117d5d`](https://github.com/nodejs/node/commit/a688117d5d)] - **deps**: upgrade npm to 10.9.7 (npm team) [#62330](https://github.com/nodejs/node/pull/62330) +- \[[`859c8c761b`](https://github.com/nodejs/node/commit/859c8c761b)] - **deps**: update undici to v6.24.1 (Matteo Collina) [#62285](https://github.com/nodejs/node/pull/62285) +- \[[`d5ed384a2f`](https://github.com/nodejs/node/commit/d5ed384a2f)] - **deps**: upgrade npm to 10.9.6 (npm team) [#62215](https://github.com/nodejs/node/pull/62215) +- \[[`a2fe9fd81a`](https://github.com/nodejs/node/commit/a2fe9fd81a)] - **(CVE-2026-21710)** **http**: use null prototype for headersDistinct/trailersDistinct (Matteo Collina) [nodejs-private/node-private#821](https://github.com/nodejs-private/node-private/pull/821) +- \[[`73deff77c1`](https://github.com/nodejs/node/commit/73deff77c1)] - **lib**: backport `_tls_common` and `_tls_wrap` refactors (Dario Piotrowicz) [#57643](https://github.com/nodejs/node/pull/57643) +- \[[`06fc3436f6`](https://github.com/nodejs/node/commit/06fc3436f6)] - **(CVE-2026-21716)** **permission**: include permission check on lib/fs/promises (RafaelGSS) [nodejs-private/node-private#795](https://github.com/nodejs-private/node-private/pull/795) +- \[[`db48d9c675`](https://github.com/nodejs/node/commit/db48d9c675)] - **(CVE-2026-21715)** **permission**: add permission check to realpath.native (RafaelGSS) 
[nodejs-private/node-private#794](https://github.com/nodejs-private/node-private/pull/794) +- \[[`2a6105a63b`](https://github.com/nodejs/node/commit/2a6105a63b)] - **(CVE-2026-21714)** **src**: handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) [nodejs-private/node-private#832](https://github.com/nodejs-private/node-private/pull/832) +- \[[`91b970886f`](https://github.com/nodejs/node/commit/91b970886f)] - **(CVE-2026-21637)** **tls**: wrap SNICallback invocation in try/catch (Matteo Collina) [nodejs-private/node-private#819](https://github.com/nodejs-private/node-private/pull/819) + +Windows 32-bit Installer: https://nodejs.org/dist/v22.22.2/node-v22.22.2-x86.msi \ +Windows 64-bit Installer: https://nodejs.org/dist/v22.22.2/node-v22.22.2-x64.msi \ +Windows ARM 64-bit Installer: https://nodejs.org/dist/v22.22.2/node-v22.22.2-arm64.msi \ +Windows 32-bit Binary: https://nodejs.org/dist/v22.22.2/win-x86/node.exe \ +Windows 64-bit Binary: https://nodejs.org/dist/v22.22.2/win-x64/node.exe \ +Windows ARM 64-bit Binary: https://nodejs.org/dist/v22.22.2/win-arm64/node.exe \ +macOS 64-bit Installer: https://nodejs.org/dist/v22.22.2/node-v22.22.2.pkg \ +macOS Apple Silicon 64-bit Binary: https://nodejs.org/dist/v22.22.2/node-v22.22.2-darwin-arm64.tar.gz \ +macOS Intel 64-bit Binary: https://nodejs.org/dist/v22.22.2/node-v22.22.2-darwin-x64.tar.gz \ +Linux 64-bit Binary: https://nodejs.org/dist/v22.22.2/node-v22.22.2-linux-x64.tar.xz \ +Linux PPC LE 64-bit Binary: https://nodejs.org/dist/v22.22.2/node-v22.22.2-linux-ppc64le.tar.xz \ +Linux s390x 64-bit Binary: https://nodejs.org/dist/v22.22.2/node-v22.22.2-linux-s390x.tar.xz \ +AIX 64-bit Binary: https://nodejs.org/dist/v22.22.2/node-v22.22.2-aix-ppc64.tar.gz \ +ARMv7 32-bit Binary: https://nodejs.org/dist/v22.22.2/node-v22.22.2-linux-armv7l.tar.xz \ +ARMv8 64-bit Binary: https://nodejs.org/dist/v22.22.2/node-v22.22.2-linux-arm64.tar.xz \ +Source Code: https://nodejs.org/dist/v22.22.2/node-v22.22.2.tar.gz \ +Other release 
files: https://nodejs.org/dist/v22.22.2/ \ +Documentation: https://nodejs.org/docs/v22.22.2/api/ + +### SHASUMS + +``` +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA256 + +31e8cdaf9921589c2978fd224aa5ae51e470577df63435ebfff16b715ed8d4d3 node-v22.22.2-aix-ppc64.tar.gz +1ec02aeb76d716ce15915bed10c0a4dcf9a6224e9a4f4d1645ddca4985a7bc06 node-v22.22.2-arm64.msi +db4b275b83736df67533529a18cc55de2549a8329ace6c7bcc68f8d22d3c9000 node-v22.22.2-darwin-arm64.tar.gz +f8655beb4b86ff6588ed7e02c37f8574b58557bd3e880012814b1a4956fd9d88 node-v22.22.2-darwin-arm64.tar.xz +12a6abb9c2902cf48a21120da13f87fde1ed1b71a13330712949e8db818708ba node-v22.22.2-darwin-x64.tar.gz +b6a384bba1a7ec585e5a91a452b63f676b940584ff57b5c9cf0541c8db60023e node-v22.22.2-darwin-x64.tar.xz +90e5ef0fdf02f88487f904a798836b35bd44896046d502873bc625ac2baeded2 node-v22.22.2-headers.tar.gz +b4dde76c01769ae141de9228cc47dd53853cde2fd94f7d40192273ec79dd405b node-v22.22.2-headers.tar.xz +b2f3a96f31486bfc365192ad65ced14833ad2a3c2e1bcefec4846902f264fa28 node-v22.22.2-linux-arm64.tar.gz +e9e1930fd321a470e29bb68f30318bf58e3ecb4acb4f1533fb19c58328a091fe node-v22.22.2-linux-arm64.tar.xz +465162c9e1821b2168b2740351ae8f191b24b58313f0cf9873a7ccd200a66e12 node-v22.22.2-linux-armv7l.tar.gz +2ebc6746e517f345da340ec76a108203eb6c2365391eb525c0e0dd6135b0b9df node-v22.22.2-linux-armv7l.tar.xz +f661dd525231faf113bd484129169d222b84ef40c091b5dca04a104d43e25d07 node-v22.22.2-linux-ppc64le.tar.gz +14045b5a5030d35ca0030fb7e870bd11a651eb9b57323ebc0021e8d78ac6bac9 node-v22.22.2-linux-ppc64le.tar.xz +4c28684a4c75683c491464f7fa168cd37752ed343fc27fb85b75806517e340cb node-v22.22.2-linux-s390x.tar.gz +9e4a07c291b8949289c6ea8ee61b1d14666a4810feae776a8d1eb1f57e03a2fb node-v22.22.2-linux-s390x.tar.xz +978978a635eef872fa68beae09f0aad0bbbae6757e444da80b570964a97e62a3 node-v22.22.2-linux-x64.tar.gz +88fd1ce767091fd8d4a99fdb2356e98c819f93f3b1f8663853a2dee9b438068a node-v22.22.2-linux-x64.tar.xz 
+ed1b73ffb642978e669786f9115d2579e890a3f9bf3dcd7c73272047b4895a17 node-v22.22.2-win-arm64.7z +380d375cf650c5a7f2ef3ce29ac6ea9a1c9d2ec8ea8e8391e1a34fd543886ab3 node-v22.22.2-win-arm64.zip +c87622c838f312d1fcc635e09034013e983ebe8df039a62ab46c22b34b9b8a0c node-v22.22.2-win-x64.7z +7c93e9d92bf68c07182b471aa187e35ee6cd08ef0f24ab060dfff605fcc1c57c node-v22.22.2-win-x64.zip +d73718f162d286d1deaf911d8bf224ba823a877cd0ed23c0d09b43923f6bd699 node-v22.22.2-win-x86.7z +ca892f829a733109e341c43585fd2094177e9d2f2c45f97c7ed3cf329d5427c5 node-v22.22.2-win-x86.zip +57456aa33fcd6fb6a9418e09227de0b0ca604f7b2123566acc66b555cb2f42e5 node-v22.22.2-x64.msi +e43cf42f461cbfea23a079925cfdd132a18cf66d4e30f64ec5ab4ec31dbb41f3 node-v22.22.2-x86.msi +ff08ad19678de4ca2af34b58b73b272c555449c6f2d91487ca6fe0a697f9eabe node-v22.22.2.pkg +f4b9606f33aef725a77b6292460102b48b80902571a8bb94cd769837ee0577df node-v22.22.2.tar.gz +b6bedd3a8cacd5df7df015a5088264b12c74a277ba60684cb9642ae8eb743132 node-v22.22.2.tar.xz +1a338f2467a566197ed8b309240a3a372f5d72458f9c7e5c9613ad6ccae1e0c0 win-arm64/node.exe +9b75bbc3be72c84f1d41cd6abb6e5ecc333836015e40a6267ce755554874a13a win-arm64/node.lib +d8439627dd1081c37267c77a79cf7f21c0a7cfd85c582fc3d6361d4b6a720388 win-arm64/node_pdb.7z +76a309aae5afd000b87359a4d26c2392dfc231ef626c1a77ec103452677edad4 win-arm64/node_pdb.zip +ae1a50511be58e987483fdbc12125407443926d2d394669ade2352776e920dd3 win-x64/node.exe +0d8d8bcc11daea60f5dd4da414e72ccb785718345ec8fbec52cfc7d1a2326293 win-x64/node.lib +0431a2383c9ceec6bd46d5d96fec1342c0adf7bd57528312fe4812e32e1d2e5c win-x64/node_pdb.7z +7a5071732adc414638f4a8e06926820410dfd6421badbe0221dfa594ec2a766f win-x64/node_pdb.zip +ed2aff66c21ea111e517b3c8a6857c35d222cc83e12ff66d9c03b61e2e0558e7 win-x86/node.exe +a07e94777fb491c1a59103b6987417df35a1dd0a9682220bba43d3c602b8b414 win-x86/node.lib +0f43bd6b98aa25bc7067cf374de59ec853035778ff4b6ce2fb118dc67f5eaee9 win-x86/node_pdb.7z +ffd472e223a8dbde11867016e51744dadb3e55af8dc3d663fb605a1560a63017 
win-x86/node_pdb.zip +-----BEGIN PGP SIGNATURE----- + +iQGzBAEBCAAdFiEEiQwI24V5Fi/uDfnbi+q0389VXvQFAmnC9gcACgkQi+q0389V +XvR1ugwAiiv5SVNLVMJa5ww1CtXHbVX7Kd1vGXw9INsK1iIUrwT4T2lZa+KnztYx +ngwaxIa8h4/x9IS262tRYJUHqcQtRP+J8pD7ahnf+JW5BZN9HQ+C1jEy6TWrH5rt +zQfFUYrRM7jbWPXlDmFecBPpOC48mZyOe8I7UzDjQGY1KYx6HHutUi28bAbPxzi+ +CzcpgsdhD/y/qhQW/DtlmFj4AWh1oFzZZW3C0mNRNgC96FVs61Xp4CXfiPO9vFwY +VjB2JHYkxVx2K1m5O4CcrtEEtg7LBpuzCNke/INnKXdh4UDqSBGXm/oAvl71VLgH +aICjDIKcS4TXmWmaSbPN4y6Lfe30a8CESRolX/5nvzAyQy/pVmmhyi1l15IzAQDu +b/efW5bZn7wJTcNJz64vqXNPE1eKfJES7cAabDkvxnAWQhf9JtZf406QH5c+Ygig +Yo/97a00Pv6/nBJLF4woxYBjG5/2hKxuhkOKQ9QnDqCXW0ACpWHn1aX+Stv5s6Ps +JNKkGS1v +=uiHn +-----END PGP SIGNATURE----- +``` diff --git a/apps/site/pages/en/blog/release/v24.14.1.md b/apps/site/pages/en/blog/release/v24.14.1.md new file mode 100644 index 0000000000000..ea881056d7e1b --- /dev/null +++ b/apps/site/pages/en/blog/release/v24.14.1.md 
@@ -0,0 +1,112 @@ +--- +date: '2026-03-24T20:43:31.943Z' +category: release +title: Node.js 24.14.1 (LTS) +layout: blog-post +author: Rafael Gonzaga +--- + +## 2026-03-24, Version 24.14.1 'Krypton' (LTS), @RafaelGSS prepared by @juanarbol + +This is a security release. + +### Notable Changes + +- (CVE-2026-21710) use null prototype for headersDistinct/trailersDistinct (Matteo Collina) - High +- (CVE-2026-21637) wrap SNICallback invocation in try/catch (Matteo Collina) - High +- (CVE-2026-21717) test array index hash collision (Joyee Cheung) - Medium +- (CVE-2026-21713) use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan) - Medium +- (CVE-2026-21714) handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) - Medium +- (CVE-2026-21712) handle url crash on different url formats (RafaelGSS) - Medium +- (CVE-2026-21716) include permission check on lib/fs/promises (RafaelGSS) - Low +- (CVE-2026-21715) add permission check to realpath.native (RafaelGSS) - Low + +### Commits + +- \[[`6fae244080`](https://github.com/nodejs/node/commit/6fae244080)] - **(CVE-2026-21717)** **build,test**: test array index hash collision (Joyee Cheung) [nodejs-private/node-private#828](https://github.com/nodejs-private/node-private/pull/828) +- \[[`cc0910c62e`](https://github.com/nodejs/node/commit/cc0910c62e)] - **(CVE-2026-21713)** **crypto**: use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan) [nodejs-private/node-private#822](https://github.com/nodejs-private/node-private/pull/822) +- \[[`80cb042cf3`](https://github.com/nodejs/node/commit/80cb042cf3)] - **deps**: update undici to 7.24.4 (Node.js GitHub Bot) [#62271](https://github.com/nodejs/node/pull/62271) +- \[[`f5b8667dc2`](https://github.com/nodejs/node/commit/f5b8667dc2)] - **deps**: update undici to 7.24.3 (Node.js GitHub Bot) [#62233](https://github.com/nodejs/node/pull/62233) +- \[[`08852637d9`](https://github.com/nodejs/node/commit/08852637d9)] - **deps**: update undici to 7.22.0 
(Node.js GitHub Bot) [#62035](https://github.com/nodejs/node/pull/62035) +- \[[`61097db9fb`](https://github.com/nodejs/node/commit/61097db9fb)] - **deps**: upgrade npm to 11.11.0 (npm team) [#61994](https://github.com/nodejs/node/pull/61994) +- \[[`9ac0f9f81e`](https://github.com/nodejs/node/commit/9ac0f9f81e)] - **deps**: upgrade npm to 11.10.1 (npm team) [#61892](https://github.com/nodejs/node/pull/61892) +- \[[`3dab3c4698`](https://github.com/nodejs/node/commit/3dab3c4698)] - **deps**: V8: override `depot_tools` version (Richard Lau) [#62344](https://github.com/nodejs/node/pull/62344) +- \[[`87521e99d1`](https://github.com/nodejs/node/commit/87521e99d1)] - **deps**: V8: backport 1361b2a49d02 (Joyee Cheung) [nodejs-private/node-private#828](https://github.com/nodejs-private/node-private/pull/828) +- \[[`045013366f`](https://github.com/nodejs/node/commit/045013366f)] - **deps**: V8: backport 185f0fe09b72 (Joyee Cheung) [nodejs-private/node-private#828](https://github.com/nodejs-private/node-private/pull/828) +- \[[`af22629ea8`](https://github.com/nodejs/node/commit/af22629ea8)] - **deps**: V8: backport 0a8b1cdcc8b2 (snek) [nodejs-private/node-private#828](https://github.com/nodejs-private/node-private/pull/828) +- \[[`380ea72eef`](https://github.com/nodejs/node/commit/380ea72eef)] - **(CVE-2026-21710)** **http**: use null prototype for headersDistinct/trailersDistinct (Matteo Collina) [nodejs-private/node-private#821](https://github.com/nodejs-private/node-private/pull/821) +- \[[`d6b6051e08`](https://github.com/nodejs/node/commit/d6b6051e08)] - **(CVE-2026-21716)** **permission**: include permission check on lib/fs/promises (RafaelGSS) [nodejs-private/node-private#795](https://github.com/nodejs-private/node-private/pull/795) +- \[[`bfdecef9da`](https://github.com/nodejs/node/commit/bfdecef9da)] - **(CVE-2026-21715)** **permission**: add permission check to realpath.native (RafaelGSS) 
[nodejs-private/node-private#794](https://github.com/nodejs-private/node-private/pull/794) +- \[[`c015edf313`](https://github.com/nodejs/node/commit/c015edf313)] - **(CVE-2026-21714)** **src**: handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) [nodejs-private/node-private#832](https://github.com/nodejs-private/node-private/pull/832) +- \[[`cba66c48a5`](https://github.com/nodejs/node/commit/cba66c48a5)] - **(CVE-2026-21712)** **src**: handle url crash on different url formats (RafaelGSS) [nodejs-private/node-private#816](https://github.com/nodejs-private/node-private/pull/816) +- \[[`df8fbfb93d`](https://github.com/nodejs/node/commit/df8fbfb93d)] - **(CVE-2026-21637)** **tls**: wrap SNICallback invocation in try/catch (Matteo Collina) [nodejs-private/node-private#819](https://github.com/nodejs-private/node-private/pull/819) + +Windows 64-bit Installer: https://nodejs.org/dist/v24.14.1/node-v24.14.1-x64.msi \ +Windows ARM 64-bit Installer: https://nodejs.org/dist/v24.14.1/node-v24.14.1-arm64.msi \ +Windows 64-bit Binary: https://nodejs.org/dist/v24.14.1/win-x64/node.exe \ +Windows ARM 64-bit Binary: https://nodejs.org/dist/v24.14.1/win-arm64/node.exe \ +macOS 64-bit Installer: https://nodejs.org/dist/v24.14.1/node-v24.14.1.pkg \ +macOS Apple Silicon 64-bit Binary: https://nodejs.org/dist/v24.14.1/node-v24.14.1-darwin-arm64.tar.gz \ +macOS Intel 64-bit Binary: https://nodejs.org/dist/v24.14.1/node-v24.14.1-darwin-x64.tar.gz \ +Linux 64-bit Binary: https://nodejs.org/dist/v24.14.1/node-v24.14.1-linux-x64.tar.xz \ +Linux PPC LE 64-bit Binary: https://nodejs.org/dist/v24.14.1/node-v24.14.1-linux-ppc64le.tar.xz \ +Linux s390x 64-bit Binary: https://nodejs.org/dist/v24.14.1/node-v24.14.1-linux-s390x.tar.xz \ +AIX 64-bit Binary: https://nodejs.org/dist/v24.14.1/node-v24.14.1-aix-ppc64.tar.gz \ +ARMv8 64-bit Binary: https://nodejs.org/dist/v24.14.1/node-v24.14.1-linux-arm64.tar.xz \ +Source Code: https://nodejs.org/dist/v24.14.1/node-v24.14.1.tar.gz \ +Other release 
files: https://nodejs.org/dist/v24.14.1/ \ +Documentation: https://nodejs.org/docs/v24.14.1/api/ + +### SHASUMS + +``` +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA256 + +56f6c18c5e97beb00594c24eb3cfa3c70b7247c403b00ca7eae75bba30b85ce5 node-v24.14.1-aix-ppc64.tar.gz +4013ca42741ae0fd599d432985834d0ad4f565b1e4c59f8975d561f105f4af5c node-v24.14.1-arm64.msi +25495ff85bd89e2d8a24d88566d7e2f827c6b0d3d872b2cebf75371f93fcb1fe node-v24.14.1-darwin-arm64.tar.gz +0e2e679d76743d6d9225e61327a1ddc324e4a89a80891c78c337208601d98f77 node-v24.14.1-darwin-arm64.tar.xz +2526230ad7d922be82d4fdb1e7ee1e84303e133e3b4b0ec4c2897ab31de0253d node-v24.14.1-darwin-x64.tar.gz +a87a37a10c2faf65742c7d5812f5bab878eee52b0dffdf578f49b7a808d96ddd node-v24.14.1-darwin-x64.tar.xz +282103054f841fe75ecbbfdd8bb7334d0a4bb693191d97c5770ac6ae9acdd4ff node-v24.14.1-headers.tar.gz +4c7a978a22ae662b48d1225310c294239ca0e67d8ecd1b02c49def3536941459 node-v24.14.1-headers.tar.xz +734ff04fa7f8ed2e8a78d40cacf5ac3fc4515dac2858757cbab313eb483ba8a2 node-v24.14.1-linux-arm64.tar.gz +71e427e28b78846f201d4d5ecc30cb13d1508ca099ef3871889a1256c7d6f67e node-v24.14.1-linux-arm64.tar.xz +06824292e8b40b7f65a6f9973f3d60f3cc0001a9168234bc3d6e30aa13649fd2 node-v24.14.1-linux-ppc64le.tar.gz +95bf0c8dbb73144edb79a57399f03c70af6995b78e1c632926e53e6404662ef5 node-v24.14.1-linux-ppc64le.tar.xz +3ae573f43c93dafdafedc80863fa2a040bfeaa15e6ab83c1a8e0101f09952dc4 node-v24.14.1-linux-s390x.tar.gz +ed3bfbc0ff418b0ec4633f23d53a12a691717a34b041c3fbdb296c8774e5a98a node-v24.14.1-linux-s390x.tar.xz +ace9fa104992ed0829642629c46ca7bd7fd6e76278cb96c958c4b387d29658ea node-v24.14.1-linux-x64.tar.gz +84d38715d449447117d05c3e71acd78daa49d5b1bfa8aacf610303920c3322be node-v24.14.1-linux-x64.tar.xz +2aaeb742f6aa924da6fbee5c79d7c602b8bfcec45457eb6b738717c3052a14d6 node-v24.14.1-win-arm64.7z +a7b7c68490e4a8cde1921fe5a0cfb3001d53f9c839e416903e4f28e727b62f60 node-v24.14.1-win-arm64.zip +05024009bab2fed64b1143c3cc9931441cc1b902acd16f5880404db94beb3543 
node-v24.14.1-win-x64.7z +6e50ce5498c0cebc20fd39ab3ff5df836ed2f8a31aa093cecad8497cff126d70 node-v24.14.1-win-x64.zip +fd8ba3e8262738959cad50e6f6e71d689eab7dd09fc7231b51d78abe7852d4ec node-v24.14.1-x64.msi +643b518b5b33dfb5e199e6268307266add568fe8cc981c82e255c9cd1ac51a29 node-v24.14.1.pkg +8298cf1f5774093ca819f41b8dd392fd2cff058688b4d5c8805026352e2d31b3 node-v24.14.1.tar.gz +7822507713f202cf2a551899d250259643f477b671706db421a6fb55c4aa0991 node-v24.14.1.tar.xz +557ba2ad04fd08464edc2ee3e399b58ff11eaba35a00bb05671661557dc6f79e win-arm64/node.exe +59f1c42e5962e9333bb1673c21125b7a7ce9a6908299aee8f7673803c2e24212 win-arm64/node.lib +ab56402e34b2a385ba6987cb7e022b377bbdcba068886d0f6d61beaf71e26e79 win-arm64/node_pdb.7z +223757455be292ec8a00404e0890f6e345d76824875e188e0be30710ebbe4cf4 win-arm64/node_pdb.zip +58e74bf02fc5bbacc41dcb8bef089961cd5bddd37830b87784e4fc624d145d1f win-x64/node.exe +35fcdd35d3d22e283c0e2e095cc43ef676301bb85f950c344a73d59231bd7e61 win-x64/node.lib +005ea57d4ebca610dcf87a08668977f701cbe91d28595f143c0511c344f675f2 win-x64/node_pdb.7z +4a755bfa6387bbe68a586e4beb8153891ec7f55df772147f59f9fccdf5f0b57c win-x64/node_pdb.zip +-----BEGIN PGP SIGNATURE----- + +iQGzBAEBCAAdFiEEiQwI24V5Fi/uDfnbi+q0389VXvQFAmnC9lsACgkQi+q0389V +XvSHhQwAgWVhmIyXzkWwA2f1Yfh63Xwzlqp/lj82kPI3jCcHmf1K8XFXnAM7Tqfh +4o5tenOo3RXjG1Ap24UBuXmw5iLpvJ6uvnZsRgvmUs0wVCrYMzF0isznrOYd6qYo +wZreGxXF/EFEd6sGmCaEpD5g4yvhcvE+6SwSfxpHdDZuuL50gEKHmG2WU4/oCIU4 ++89CBr4BjMsX63fgwHyD3bI4SaWxcncKGHtPgWldmCrNSz80HhtXqxEinaz79H4n ++jaozyEo6x8YL3VKIIzNKRKgw2/7rVui4ydwAP190CiIEEVAffaIlnbaVOYBp5Zy +J2qTcwCLy0YIB1VnDK+6/sdGoLMOmuRhK2/rRVYAN9X/glPzcKProkL/h4Jhs5RL +b9QwMv9I7pzcff+mshUDWECOr/Y+/AwyISLADfTGHtPq4cenhTq5f4C1lgGIgAQl +/Ci+l+sv/Yo5uteRe9uauhy+p6+XkGzpb8/gbkPTBCiRNWnW0pcVwjLoHaZrZGD3 +mmI22SyF +=AqPu +-----END PGP SIGNATURE----- +``` diff --git a/apps/site/pages/en/blog/release/v25.8.2.md b/apps/site/pages/en/blog/release/v25.8.2.md new file mode 100644 index 0000000000000..7f2ffd051ae02 --- /dev/null 
+++ b/apps/site/pages/en/blog/release/v25.8.2.md 
@@ -0,0 +1,109 @@ +--- +date: '2026-03-24T20:43:41.861Z' +category: release +title: Node.js 25.8.2 (Current) +layout: blog-post +author: Rafael Gonzaga +--- + +## 2026-03-24, Version 25.8.2 (Current), @RafaelGSS + +This is a security release. + +### Notable Changes + +- (CVE-2026-21637) wrap `SNICallback` invocation in `try`/`catch` (Matteo Collina) - High +- (CVE-2026-21710) use null prototype for `headersDistinct`/`trailersDistinct` (Matteo Collina) - High +- (CVE-2026-21711) include permission check to `pipe_wrap.cc` (RafaelGSS) - Medium +- (CVE-2026-21712) handle url crash on different url formats (RafaelGSS) - Medium +- (CVE-2026-21713) use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan) - Medium +- (CVE-2026-21714) handle `NGHTTP2_ERR_FLOW_CONTROL` error code (RafaelGSS) - Medium +- (CVE-2026-21717) test array index hash collision (Joyee Cheung) - Medium +- (CVE-2026-21715) add permission check to `realpath.native` (RafaelGSS) - Low +- (CVE-2026-21716) include permission check on `lib/fs/promises` (RafaelGSS) - Low + +### Commits + +- \[[`2086b7477b`](https://github.com/nodejs/node/commit/2086b7477b)] - **(CVE-2026-21717)** **build,test**: test array index hash collision (Joyee Cheung) [nodejs-private/node-private#834](https://github.com/nodejs-private/node-private/pull/834) +- \[[`0f9332a40a`](https://github.com/nodejs/node/commit/0f9332a40a)] - **(CVE-2026-21713)** **crypto**: use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan) [nodejs-private/node-private#822](https://github.com/nodejs-private/node-private/pull/822) +- \[[`2b6937ddb2`](https://github.com/nodejs/node/commit/2b6937ddb2)] - **deps**: update undici to 7.24.4 (Node.js GitHub Bot) [#62271](https://github.com/nodejs/node/pull/62271) +- \[[`bfb8ad5787`](https://github.com/nodejs/node/commit/bfb8ad5787)] - **deps**: update undici to 7.24.3 (Node.js GitHub Bot) [#62233](https://github.com/nodejs/node/pull/62233) +- 
\[[`be6384727f`](https://github.com/nodejs/node/commit/be6384727f)] - **deps**: upgrade npm to 11.11.1 (npm team) [#62216](https://github.com/nodejs/node/pull/62216) +- \[[`2feea5bb97`](https://github.com/nodejs/node/commit/2feea5bb97)] - **deps**: V8: override `depot_tools` version (Richard Lau) [#62344](https://github.com/nodejs/node/pull/62344) +- \[[`86c04784dd`](https://github.com/nodejs/node/commit/86c04784dd)] - **(CVE-2026-21710)** **http**: use null prototype for headersDistinct/trailersDistinct (Matteo Collina) [nodejs-private/node-private#821](https://github.com/nodejs-private/node-private/pull/821) +- \[[`5197a56a34`](https://github.com/nodejs/node/commit/5197a56a34)] - **(CVE-2026-21711)** **permission**: include permission check to pipe_wrap.cc (RafaelGSS) [nodejs-private/node-private#820](https://github.com/nodejs-private/node-private/pull/820) +- \[[`04a886c735`](https://github.com/nodejs/node/commit/04a886c735)] - **(CVE-2026-21716)** **permission**: include permission check on lib/fs/promises (RafaelGSS) [nodejs-private/node-private#795](https://github.com/nodejs-private/node-private/pull/795) +- \[[`9a7f80f2b0`](https://github.com/nodejs/node/commit/9a7f80f2b0)] - **(CVE-2026-21715)** **permission**: add permission check to realpath.native (RafaelGSS) [nodejs-private/node-private#794](https://github.com/nodejs-private/node-private/pull/794) +- \[[`d9c9b628cf`](https://github.com/nodejs/node/commit/d9c9b628cf)] - **(CVE-2026-21714)** **src**: handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) [nodejs-private/node-private#832](https://github.com/nodejs-private/node-private/pull/832) +- \[[`45b55dc786`](https://github.com/nodejs/node/commit/45b55dc786)] - **(CVE-2026-21712)** **src**: handle url crash on different url formats (RafaelGSS) [nodejs-private/node-private#816](https://github.com/nodejs-private/node-private/pull/816) +- \[[`4bfda307c0`](https://github.com/nodejs/node/commit/4bfda307c0)] - **(CVE-2026-21637)** **tls**: wrap SNICallback 
invocation in try/catch (Matteo Collina) [nodejs-private/node-private#819](https://github.com/nodejs-private/node-private/pull/819) + +Windows 64-bit Installer: https://nodejs.org/dist/v25.8.2/node-v25.8.2-x64.msi \ +Windows ARM 64-bit Installer: https://nodejs.org/dist/v25.8.2/node-v25.8.2-arm64.msi \ +Windows 64-bit Binary: https://nodejs.org/dist/v25.8.2/win-x64/node.exe \ +Windows ARM 64-bit Binary: https://nodejs.org/dist/v25.8.2/win-arm64/node.exe \ +macOS 64-bit Installer: https://nodejs.org/dist/v25.8.2/node-v25.8.2.pkg \ +macOS Apple Silicon 64-bit Binary: https://nodejs.org/dist/v25.8.2/node-v25.8.2-darwin-arm64.tar.gz \ +macOS Intel 64-bit Binary: https://nodejs.org/dist/v25.8.2/node-v25.8.2-darwin-x64.tar.gz \ +Linux 64-bit Binary: https://nodejs.org/dist/v25.8.2/node-v25.8.2-linux-x64.tar.xz \ +Linux PPC LE 64-bit Binary: https://nodejs.org/dist/v25.8.2/node-v25.8.2-linux-ppc64le.tar.xz \ +Linux s390x 64-bit Binary: https://nodejs.org/dist/v25.8.2/node-v25.8.2-linux-s390x.tar.xz \ +AIX 64-bit Binary: https://nodejs.org/dist/v25.8.2/node-v25.8.2-aix-ppc64.tar.gz \ +ARMv8 64-bit Binary: https://nodejs.org/dist/v25.8.2/node-v25.8.2-linux-arm64.tar.xz \ +Source Code: https://nodejs.org/dist/v25.8.2/node-v25.8.2.tar.gz \ +Other release files: https://nodejs.org/dist/v25.8.2/ \ +Documentation: https://nodejs.org/docs/v25.8.2/api/ + +### SHASUMS + +``` +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA256 + +d9fd5dcbfa95727bf30eed1ba1587cbb956a9e5364cf280e0bee2cfa7253802f node-v25.8.2-aix-ppc64.tar.gz +1d8e77a827bd19bac021fccd1f4b0e1f53ef2c4963c40aa2cfadfb8426486351 node-v25.8.2-arm64.msi +fb8dabfda3232ef90d992e6439824fc3237356c04d182f3fa883bebeef31e871 node-v25.8.2-darwin-arm64.tar.gz +ed0d0d6a1a2594d557f36f451ff34dff321d37b7ecb0d24b87c9ff2051086a18 node-v25.8.2-darwin-arm64.tar.xz +530ffb419789f843215375a65b8fcf4cf010735e99276f512a241a31ba8e5e13 node-v25.8.2-darwin-x64.tar.gz +16ccd800deb1a3de28cc71c77226608aa6dc380f86609fd810be3b60a3da1460 
node-v25.8.2-darwin-x64.tar.xz +0592acd2a654d1c03360827774b3106453044b42b6d56cc70898f8edf7ac253d node-v25.8.2-headers.tar.gz +15ccf7adaff8a2d665fd2e7e32c0c106231eeb4bee2fe493e8a829701da60512 node-v25.8.2-headers.tar.xz +2f823ecd4f9331d6492fedbe50c5a610be3084521f3a5af146875e00a52f2e63 node-v25.8.2-linux-arm64.tar.gz +b7e8e0c9d48b6d9a43cf6e8d3960127473db001d60e964cb5e955e95603666eb node-v25.8.2-linux-arm64.tar.xz +8910cb32177b689620282859ce19a2c0285e55eeedef4854ff9af3da3bb54b5e node-v25.8.2-linux-ppc64le.tar.gz +6eda60bf124af0469be1045def9e1421c389ca0e2a67ab93834c5d7a41ed7f8f node-v25.8.2-linux-ppc64le.tar.xz +71af59d9a2e40cee6740084c40ae28138eff4d5fbf1ba81dbc729dffc5c71f7c node-v25.8.2-linux-s390x.tar.gz +fcd6dcc95564e293762b81699ee4614d0d867a26614a6549600b28751910834f node-v25.8.2-linux-s390x.tar.xz +e06c7069012d40914c57b31157c69d4ce83ea1fe9d63bbb7d26e0509a4535d21 node-v25.8.2-linux-x64.tar.gz +13a4c88c391aade2b7afba799ff27d09773b04e8a6c27f52908f79ff0e3787f5 node-v25.8.2-linux-x64.tar.xz +e850a0f2ff0fc8ffd93218ef0a5bf9d5e2ddaab50a3953d3676662584534fb93 node-v25.8.2-win-arm64.7z +a08e817d3ca86e065898c7d926f9c0c9a6d812ac9888f7f7cfd8c147ee8cbb29 node-v25.8.2-win-arm64.zip +e50bc4b23c85eeaa782423846c837fdd613dfb4cf5acf7841ca1048b4c66372b node-v25.8.2-win-x64.7z +51815d5b0256b947d27d614de04060fcfdbdb830d2c86e63e6f33dbf7964cca7 node-v25.8.2-win-x64.zip +176cc1d25eaacf1d8058bc319214ca156a4ad7b985d5ae0f239dbc26aa42ffd5 node-v25.8.2-x64.msi +90b364d8d6e6faabe13525c107f626cbfd69b9536aa87c5f2997ad81461b4fe6 node-v25.8.2.pkg +10335f268f7ffacd4f2b4f48d91dc5b19b1577a2861248ca414614ea24ebee65 node-v25.8.2.tar.gz +3efb19e757dc59bb21632507200d2de782369d5226a68955e9372c925fdf2471 node-v25.8.2.tar.xz +4c82a15e4af72881f8f4942506da1b56f2c4b2095924d8442de9f0ad96727834 win-arm64/node.exe +47750ee99207e5b621671565852cf7385f27bf664470886b9437137342a497c9 win-arm64/node.lib +2ed75e3a7fe8a85aa034c7c9c009bab8d65ce08722f5ab9c3bb3c5588ff6798d win-arm64/node_pdb.7z 
+e9e90a2fcf1db28870dbb9750326892e9574130602ab6114d1504d4219763d62 win-arm64/node_pdb.zip +f8d22c62786c547dc76b15c744e86c0ac1fe9dc38f2e0610dbad4d2b223a4544 win-x64/node.exe +f7201b932d898bdbf78aee7add288d2263c4791f1502068ad11b6c14675c6324 win-x64/node.lib +28288d282ef8043712bc227d43c475a4b60f42b6a1cd8007954e785e5220550c win-x64/node_pdb.7z +9c82e8c3931b46b7b975c41246e097d8980a68ea020e69ca9ad685b53179bbb6 win-x64/node_pdb.zip +-----BEGIN PGP SIGNATURE----- + +iQGzBAEBCAAdFiEEiQwI24V5Fi/uDfnbi+q0389VXvQFAmnC9sAACgkQi+q0389V +XvS4Ugv/Y074JLw5sr2pwbNhqLJCT2Jq7IHvYcOSsZ7VRIbmkOajhYKkVY9bKmoj +ELdk1qpkQYYH1cEEE7YRBqJGwEVChLu//GgvnLgwopR0QRn4Si+2EuSUYUmBXkAx +nLAHthd6HgSVF0A61jsNiTNlyS3tSkubfSGo82OuBMFtiD6n8A5ilgT4zeG+7ydB +tFv+jL5FevUdmYxC7rglSjdrZ/J/uyh2VGnbh1BOwdKSirYrMTEzvpJpX+v4lXHe +vlqvY2KIgR9g4f0pMMqZQ6Gx4MTfXfZYWPajLkHgdtMVe1Bsc82hfWwbHpzcCQFT +j5E0L1HzEC+ornLuv6o+muyX6Yj2weDNhfpIPQWARchcSgKrHZiG3yeEzlj0HLm6 +mn+rDRVLSqK8FwERn/rxHCUZHBzfupF2970a3APB6fXwYXt4u94qCpFsRthoJeA+ +GZ+elk0wLrKpwZs8bnz00RSAfqZ9Uy8PKGGVlelahE4mhjxHs7SbjC381xAwsAVC +LCDG1U7a +=8GXb +-----END PGP SIGNATURE----- +``` diff --git a/apps/site/pages/en/blog/vulnerability/march-2026-security-releases.md b/apps/site/pages/en/blog/vulnerability/march-2026-security-releases.md index 0f654947984e5..732af6cd5a68e 100644 --- a/apps/site/pages/en/blog/vulnerability/march-2026-security-releases.md +++ b/apps/site/pages/en/blog/vulnerability/march-2026-security-releases.md @@ -1,5 +1,5 @@ --- -date: 2026-03-17T03:00:00.000Z +date: 2026-03-24T03:00:00.000Z category: vulnerability title: Tuesday, March 24, 2026 Security Releases slug: march-2026-security-releases 
@@ -7,6 +7,108 @@ layout: blog-post author: The Node.js Project --- +## Security releases available + +Updates are now available for the 25.x, 24.x, 22.x, 20.x Node.js release lines for the +following issues. + +This security release includes the following dependency updates to address public vulnerabilities: + +- undici (6.24.1, 7.24.4) on 22.x, 24.x, 25.x + +## Incomplete fix for CVE-2026-21637: `loadSNI()` in `_tls_wrap.js` lacks `try`/`catch` leading to Remote DoS (CVE-2026-21637) - (High) + +A flaw in Node.js TLS error handling leaves `SNICallback` invocations unprotected against synchronous exceptions, while the equivalent ALPN and PSK callbacks were already addressed in CVE-2026-21637. This represents an incomplete fix of that prior vulnerability. + +When an `SNICallback` throws synchronously on unexpected input the exception bypasses TLS error handlers and propagates as an uncaught exception, crashing the Node.js process. + +- This vulnerability affects all Node.js versions that received the CVE-2026-21637 fix, including **20.x, 22.x, 24.x, and 25.x**, on any TLS server where `SNICallback` may throw on unexpected `servername` input. + +Thank you, to mbarbs for reporting this vulnerability and thank you mcollina for fixing it. + +## Denial of Service via `__proto__` header name in `req.headersDistinct` (Uncaught `TypeError` crashes Node.js process) (CVE-2026-21710) - (High) + +A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`. + +When this occurs, `dest["__proto__"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by `error` event listeners, meaning it cannot be handled without wrapping every `req.headersDistinct` access in a `try/catch`. 
+ +- This vulnerability affects all Node.js HTTP servers on **20.x, 22.x, 24.x, and v25.x** + +Thank you, to yushengchen for reporting this vulnerability and thank you mcollina for fixing it. + +## Node.js Permission Model bypass: UDS server bind/listen works without `--allow-net` (CVE-2026-21711) - (Medium) + +A flaw in Node.js Permission Model network enforcement leaves Unix Domain Socket (UDS) server operations without the required permission checks, while all comparable network paths correctly enforce them. + +As a result, code running under `--permission` without `--allow-net` can create and expose local IPC endpoints, allowing communication with other processes on the same host outside of the intended network restriction boundary. + +- This vulnerability affects Node.js **25.x** processes using the Permission Model where `--allow-net` is intentionally omitted to restrict network access. Note that `--allow-net` is currently an experimental feature. + +Thank you, to xavlimsg for reporting this vulnerability and thank you RafaelGSS for fixing it. + +## Assertion error in `node_url.cc` via malformed URL format leads to Node.js crash (CVE-2026-21712) - (Medium) + +A flaw in Node.js URL processing causes an assertion failure in native code when `url.format()` is called with a malformed internationalized domain name (IDN) containing invalid characters, crashing the Node.js process. + +- This vulnerability affects **24.x and 25.x**. + +Thank you, to wooffie for reporting this vulnerability and thank you RafaelGSS for fixing it. + +## Timing side-channel in HMAC verification via `memcmp()` in `crypto_hmac.cc` leads to potential MAC forgery (CVE-2026-21713) - (Medium) + +A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. 
Under certain threat models where high-resolution timing measurements are possible, this behavior could be exploited as a timing oracle to infer HMAC values. + +Node.js already provides timing-safe comparison primitives used elsewhere in the codebase, indicating this is an oversight rather than an intentional design decision. + +- This vulnerability affects **20.x, 22.x, 24.x, and 25.x**. + +Thank you, to x_probe for reporting this vulnerability and thank you panva for fixing it. + +## Memory leak in Node.js HTTP/2 server via `WINDOW_UPDATE` on stream 0 leads to resource exhaustion (CVE-2026-21714) - (Medium) + +A memory leak occurs in Node.js HTTP/2 servers when a client sends `WINDOW_UPDATE` frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2³¹-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up. + +- This vulnerability affects HTTP2 users on Node.js 20, 22, 24 and 25. + +Thank you, to galbarnahum for reporting this vulnerability and thank you RafaelGSS for fixing it. + +## HashDoS in V8 (CVE-2026-21717) - (Medium) + +A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade performance of the Node.js process. + +The most common trigger is any endpoint that calls `JSON.parse()` on attacker-controlled input, as JSON parsing automatically internalizes short strings into the affected hash table. + +- This vulnerability affects **20.x, 22.x, 24.x, and 25.x**. + +Thank you, to sharp_edged for reporting this vulnerability and thank you joyeecheung for fixing it. 
+ +## Permission Model Bypass in realpathSync.native Allows File Existence Disclosure (CVE-2026-21715) - (Low) + +A flaw in Node.js Permission Model filesystem enforcement leaves `fs.realpathSync.native()` without the required read permission checks, while all comparable filesystem functions correctly enforce them. + +As a result, code running under `--permission` with restricted `--allow-fs-read` can still use `fs.realpathSync.native()` to check file existence, resolve symlink targets, and enumerate filesystem paths outside of permitted directories. + +- This vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-read` is intentionally restricted. + +Thank you, to stif for reporting this vulnerability and thank you RafaelGSS for fixing it. + +## CVE-2024-36137 Patch Bypass - FileHandle.chmod/chown (CVE-2026-21716) - (Low) + +An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and `FileHandle.chown()` in the promises API without the required permission checks, while their callback-based equivalents (`fs.fchmod()`, `fs.fchown()`) were correctly patched. + +As a result, code running under `--permission` with restricted `--allow-fs-write` can still use promise-based `FileHandle` methods to modify file permissions and ownership on already-open file descriptors, bypassing the intended write restrictions. + +- This vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-write` is intentionally restricted. + +Thank you, to wooseokdotkim for reporting this vulnerability and thank you RafaelGSS for fixing it. + +## Downloads and release details + +- [Node.js v20.20.2](/blog/release/v20.20.2/) +- [Node.js v22.22.2](/blog/release/v22.22.2/) +- [Node.js v24.14.1](/blog/release/v24.14.1/) +- [Node.js v25.8.2](/blog/release/v25.8.2/) + # Summary The Node.js project will release new versions of the 25.x, 24.x, 22.x, 20.x 
diff --git a/apps/site/site.json b/apps/site/site.json index adb1cb048ba8f..47f4551251839 100644 --- a/apps/site/site.json +++ b/apps/site/site.json @@ -28,9 +28,9 @@ ], "websiteBanners": { "index": { - "startDate": "2026-03-17T03:00:00.000Z", - "endDate": "2026-03-24T03:00:00.000Z", - "text": "New security releases to be made available Tuesday, March 24, 2026", + "startDate": "2026-03-24T03:00:00.000Z", + "endDate": "2026-03-31T03:00:00.000Z", + "text": "March Security Release is available", "link": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases", "type": "warning" }
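Review bot: in `apps/site/pages/en/blog/release/v25.8.2.md`, the CVE-2026-21717 entry under Notable Changes reads "test array index hash collision", and its only commit (`2086b7477b`) is scoped **build,test**, so these release notes list no commit that fixes the issue on 25.x even though the vulnerability post in this same patch names 25.x as affected. Either add the commit that carries the V8 fix for this line, or reword the entry so it says where the fix landed and that this commit only adds the test. A smaller style point in the same hunk: the **http** commit entry writes headersDistinct/trailersDistinct without backticks while the Notable Changes entry for the same CVE uses them.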
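Review bot: in `march-2026-security-releases.md`, the first advisory heading reads "Incomplete fix for CVE-2026-21637: ... (CVE-2026-21637)" and the body says the ALPN and PSK callbacks "were already addressed in CVE-2026-21637", so the section describes an incomplete fix of a CVE and files it under that same identifier without saying so. State explicitly that the identifier is being reused for the `SNICallback` follow-up, or correct the ID if a new one was assigned, since scanners and changelogs will key on it. Two consistency points in the same hunk: the CVE-2026-21713 section names only HMAC while the release notes say "HMAC and KMAC", and the affected-version bullets vary in form ("v25.x" in the CVE-2026-21710 bullet, "HTTP2 users on Node.js 20, 22, 24 and 25" in the CVE-2026-21714 bullet) where the others use bold "20.x, 22.x, 24.x, and 25.x". The unchanged `# Summary` context that follows still says the project "will release new versions", which now sits below a section announcing that they are available.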
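Review bot: in `apps/site/site.json`, the new banner `"text"` value "March Security Release is available" is singular and drops the year, while the post it links to is titled "Tuesday, March 24, 2026 Security Releases" and covers four release lines. Something like "March 2026 Security Releases are available" would match the linked post and stay unambiguous for anyone who sees the banner from an archived or cached copy of the page.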