These releases address three high-severity flaws, among others, urging immediate upgrades for affected systems.
High-severity issues dominate this release, with CVE-2025-55131 exposing uninitialized memory in Buffer.alloc and Uint8Array due to timeout races in the vm module, potentially leaking secrets like tokens.
CVE-2025-55130 allows symlink attacks to evade filesystem permission flags such as –allow-fs-read, enabling arbitrary file access. CVE-2025-59465 crashes HTTP/2 servers via malformed HEADERS frames, triggering unhandled TLSSocket errors for remote DoS.
| CVE ID | Severity | Description Summary | Affected Versions | Reporter/Fixer |
|---|---|---|---|---|
| CVE-2025-55131 | High | Buffer alloc race exposes prior data | 20.x,22.x,24.x,25.x | Nikita Skovoroda/RafaelGSS |
| CVE-2025-55130 | High | Symlink bypasses FS permissions | 20.x,22.x,24.x,25.x | natann/RafaelGSS |
| CVE-2025-59465 | High | HTTP/2 malformed frame causes server crash | 20.x,22.x,24.x,25.x | dantt/RafaelGSS |
Four medium vulnerabilities include CVE-2025-59466, where async_hooks make stack overflow errors uncatchable, bypassing handlers for DoS. CVE-2025-59464 leaks memory in TLS client certificate processing via OpenSSL UTF-8 conversions.
CVE-2026-21636 bypasses network permissions via Unix Domain Sockets in the experimental model on v25. CVE-2026-21637 lets TLS PSK/ALPN callbacks throw exceptions that crash servers or leak FDs.
| CVE ID | Severity | Description Summary | Affected Versions | Reporter/Fixer |
|---|---|---|---|---|
| CVE-2025-59466 | Medium | Uncatchable stack errors via async_hooks | 20.x,22.x,24.x,25.x | AndrewMacPherson/mcollina |
| CVE-2025-59464 | Medium | TLS cert memory leak | 20.x,22.x,24.x | giant_anteater/RafaelGSS |
| CVE-2026-21636 | Medium | UDS bypasses net permissions | 25.x | mufeedvh/RafaelGSS |
| CVE-2026-21637 | Medium | TLS callback exceptions cause DoS/FD leak | All with PSK/ALPN | 0xmaxhax/mcollina |
CVE-2025-55132 allows fs.futimes() to modify timestamps without write permissions, undermining read-only isolation in permission models from v20 to v25.
Updates include c-ares 1.34.6 and undici (6.23.0 or 7.18.0) to address public vulnerabilities. New versions include Node.js 20.20.0, 22.22.0, 24.13.0, and 25.3.0, available via standard channels.
Node.js urges users to prioritize upgrades, especially for production HTTP/2 servers and permission-enabled environments, as end-of-life branches remain exposed.
The Node.js team credits multiple researchers for disclosures, emphasizing community collaboration in securing the ecosystem. Multiple postponements ensured thorough testing before today’s rollout.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
The post Node.js Security Release Patches 7 Vulnerabilities Across All Release Lines appeared first on Cyber Security News.
On April 1, NASA's Artemis II is set to embark on its 10-day mission to…
On April 1, NASA's Artemis II is set to embark on its 10-day mission to…
Spider-Noir, the upcoming superhero series starring Nicolas Cage, debuts on MGM+ on May 25, 2026,…
Spider-Noir, the upcoming superhero series starring Nicolas Cage, debuts on MGM+ on May 25, 2026,…
INDIANAPOLIS, Ind. (WOWO) — As the countdown to the 2026 NCAA Men’s Final Four begins,…
WHITING, Ind. (WOWO) — Indiana Governor Mike Braun joined locked-out workers on the picket line…
This website uses cookies.