These releases address three high-severity flaws, among others, urging immediate upgrades for affected systems.
High-severity issues dominate this release, with CVE-2025-55131 exposing uninitialized memory in Buffer.alloc and Uint8Array due to timeout races in the vm module, potentially leaking secrets like tokens.
CVE-2025-55130 allows symlink attacks to evade filesystem permission flags such as –allow-fs-read, enabling arbitrary file access. CVE-2025-59465 crashes HTTP/2 servers via malformed HEADERS frames, triggering unhandled TLSSocket errors for remote DoS.
| CVE ID | Severity | Description Summary | Affected Versions | Reporter/Fixer |
|---|---|---|---|---|
| CVE-2025-55131 | High | Buffer alloc race exposes prior data | 20.x,22.x,24.x,25.x | Nikita Skovoroda/RafaelGSS |
| CVE-2025-55130 | High | Symlink bypasses FS permissions | 20.x,22.x,24.x,25.x | natann/RafaelGSS |
| CVE-2025-59465 | High | HTTP/2 malformed frame causes server crash | 20.x,22.x,24.x,25.x | dantt/RafaelGSS |
Four medium vulnerabilities include CVE-2025-59466, where async_hooks make stack overflow errors uncatchable, bypassing handlers for DoS. CVE-2025-59464 leaks memory in TLS client certificate processing via OpenSSL UTF-8 conversions.
CVE-2026-21636 bypasses network permissions via Unix Domain Sockets in the experimental model on v25. CVE-2026-21637 lets TLS PSK/ALPN callbacks throw exceptions that crash servers or leak FDs.
| CVE ID | Severity | Description Summary | Affected Versions | Reporter/Fixer |
|---|---|---|---|---|
| CVE-2025-59466 | Medium | Uncatchable stack errors via async_hooks | 20.x,22.x,24.x,25.x | AndrewMacPherson/mcollina |
| CVE-2025-59464 | Medium | TLS cert memory leak | 20.x,22.x,24.x | giant_anteater/RafaelGSS |
| CVE-2026-21636 | Medium | UDS bypasses net permissions | 25.x | mufeedvh/RafaelGSS |
| CVE-2026-21637 | Medium | TLS callback exceptions cause DoS/FD leak | All with PSK/ALPN | 0xmaxhax/mcollina |
CVE-2025-55132 allows fs.futimes() to modify timestamps without write permissions, undermining read-only isolation in permission models from v20 to v25.
Updates include c-ares 1.34.6 and undici (6.23.0 or 7.18.0) to address public vulnerabilities. New versions include Node.js 20.20.0, 22.22.0, 24.13.0, and 25.3.0, available via standard channels.
Node.js urges users to prioritize upgrades, especially for production HTTP/2 servers and permission-enabled environments, as end-of-life branches remain exposed.
The Node.js team credits multiple researchers for disclosures, emphasizing community collaboration in securing the ecosystem. Multiple postponements ensured thorough testing before today’s rollout.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
The post Node.js Security Release Patches 7 Vulnerabilities Across All Release Lines appeared first on Cyber Security News.
Some of the Invincible VS DLC roster appears to have leaked online, pointing to the…
HARRISBURG, Pa. (AP) — Building trades unions — long fashioned as the voice of the…
Reggie Fils-Aimé has opened up about the time an Amazon executive gave him a phone…
Reggie Fils-Aimé has opened up about the time an Amazon executive gave him a phone…
Star Wars Day is upon us, and that means there's a slew of Star Wars…
A new weekend has arrived, and today, you can save big on Dragon Quest VII…
This website uses cookies.