From d8fa2cff7e9a5bf2f2954eeb88d1a854e3207d80 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Tue, 13 Jan 2026 09:11:01 -0500 Subject: [PATCH 1/7] feat(blog): create post for v25.3.0 (#8537) Co-authored-by: Create or Update Pull Request Action --- apps/site/pages/en/blog/release/v25.3.0.md | 109 +++++++++++++++++++++ 1 file changed, 109 insertions(+) create mode 100644 apps/site/pages/en/blog/release/v25.3.0.md diff --git a/apps/site/pages/en/blog/release/v25.3.0.md b/apps/site/pages/en/blog/release/v25.3.0.md new file mode 100644 index 0000000000000..3930dfb535fed --- /dev/null +++ b/apps/site/pages/en/blog/release/v25.3.0.md 
@@ -0,0 +1,109 @@ +--- +date: '2026-01-13T13:58:49.701Z' +category: release +title: Node.js 25.3.0 (Current) +layout: blog-post +author: Rafael Gonzaga +--- + +## 2026-01-13, Version 25.3.0 (Current), @RafaelGSS + +This is a security release. + +### Notable Changes + +lib: + +- (CVE-2025-59465) add TLSSocket default error handler (RafaelGSS) + permission: +- (CVE-2026-21636) add network check on pipe_wrap connect (RafaelGSS) +- (CVE-2025-55130) require full read and write to symlink APIs (RafaelGSS) +- (CVE-2025-55132) disable futimes when permission model is enabled (RafaelGSS) + src: +- (CVE-2025-59466) rethrow stack overflow exceptions in async_hooks (Matteo Collina) + src,lib: +- (CVE-2025-55131) refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) + tls: +- (CVE-2026-21637) route callback exceptions through error handlers (Matteo Collina) + +### Commits + +- \[[`a6a74b89a7`](https://github.com/nodejs/node/commit/a6a74b89a7)] - **deps**: update c-ares to v1.34.6 (Node.js GitHub Bot) [#60997](https://github.com/nodejs/node/pull/60997) +- \[[`5100614e26`](https://github.com/nodejs/node/commit/5100614e26)] - **deps**: update undici to 7.18.2 (Node.js GitHub Bot) [#61283](https://github.com/nodejs/node/pull/61283) +- \[[`f0a8916887`](https://github.com/nodejs/node/commit/f0a8916887)] - **(CVE-2025-59465)** **lib**: add TLSSocket default error handler (RafaelGSS) [nodejs-private/node-private#750](https://github.com/nodejs-private/node-private/pull/750) +- \[[`b4b887c5f7`](https://github.com/nodejs/node/commit/b4b887c5f7)] - **(CVE-2025-55132)** **lib**: disable futimes when permission model is enabled (RafaelGSS) [nodejs-private/node-private#748](https://github.com/nodejs-private/node-private/pull/748) +- \[[`26be208039`](https://github.com/nodejs/node/commit/26be208039)] - **(CVE-2025-55130)** **lib,permission**: require full read and write to symlink APIs (RafaelGSS) 
[nodejs-private/node-private#760](https://github.com/nodejs-private/node-private/pull/760) +- \[[`bdf5873d44`](https://github.com/nodejs/node/commit/bdf5873d44)] - **(CVE-2026-21636)** **permission**: add network check on pipe_wrap connect (RafaelGSS) [nodejs-private/node-private#784](https://github.com/nodejs-private/node-private/pull/784) +- \[[`0578e3e921`](https://github.com/nodejs/node/commit/0578e3e921)] - **(CVE-2025-59466)** **src**: rethrow stack overflow exceptions in async_hooks (Matteo Collina) [nodejs-private/node-private#773](https://github.com/nodejs-private/node-private/pull/773) +- \[[`4d6b55a6d1`](https://github.com/nodejs/node/commit/4d6b55a6d1)] - **(CVE-2025-55131)** **src,lib**: refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) [nodejs-private/node-private#759](https://github.com/nodejs-private/node-private/pull/759) +- \[[`c357a39e14`](https://github.com/nodejs/node/commit/c357a39e14)] - **(CVE-2026-21637)** **tls**: route callback exceptions through error handlers (Matteo Collina) [nodejs-private/node-private#790](https://github.com/nodejs-private/node-private/pull/790) + +Windows 64-bit Installer: https://nodejs.org/dist/v25.3.0/node-v25.3.0-x64.msi \ +Windows ARM 64-bit Installer: https://nodejs.org/dist/v25.3.0/node-v25.3.0-arm64.msi \ +Windows 64-bit Binary: https://nodejs.org/dist/v25.3.0/win-x64/node.exe \ +Windows ARM 64-bit Binary: https://nodejs.org/dist/v25.3.0/win-arm64/node.exe \ +macOS 64-bit Installer: https://nodejs.org/dist/v25.3.0/node-v25.3.0.pkg \ +macOS Apple Silicon 64-bit Binary: https://nodejs.org/dist/v25.3.0/node-v25.3.0-darwin-arm64.tar.gz \ +macOS Intel 64-bit Binary: https://nodejs.org/dist/v25.3.0/node-v25.3.0-darwin-x64.tar.gz \ +Linux 64-bit Binary: https://nodejs.org/dist/v25.3.0/node-v25.3.0-linux-x64.tar.xz \ +Linux PPC LE 64-bit Binary: https://nodejs.org/dist/v25.3.0/node-v25.3.0-linux-ppc64le.tar.xz \ +Linux s390x 64-bit Binary: 
https://nodejs.org/dist/v25.3.0/node-v25.3.0-linux-s390x.tar.xz \ +AIX 64-bit Binary: https://nodejs.org/dist/v25.3.0/node-v25.3.0-aix-ppc64.tar.gz \ +ARMv8 64-bit Binary: https://nodejs.org/dist/v25.3.0/node-v25.3.0-linux-arm64.tar.xz \ +Source Code: https://nodejs.org/dist/v25.3.0/node-v25.3.0.tar.gz \ +Other release files: https://nodejs.org/dist/v25.3.0/ \ +Documentation: https://nodejs.org/docs/v25.3.0/api/ + +### SHASUMS + +``` +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA256 + +2b281c24a295d517fec0e31f0508810b229e2377cefdf97798c74fa8c7de8163 node-v25.3.0-aix-ppc64.tar.gz +6f6d3bbc3edf9f52e168fcacb065bdb6ab8a496b9a6e75ee11637fc3a79cb873 node-v25.3.0-arm64.msi +d80f384c182971724a7aa819173084e1d8244338fa8e9271a1961d38274d7209 node-v25.3.0-darwin-arm64.tar.gz +2a59bb95e3025f2928f7c6383c98f5c000845ff9f2b847063fa1dc72ecf3b9b2 node-v25.3.0-darwin-arm64.tar.xz +d6d494e5deca973556e146555cdd29b927b0adb3cae2f234b8e1a92310657c39 node-v25.3.0-darwin-x64.tar.gz +979d124e178a24c56eebe9786f359ea9ad533aab8ef39c4941fa0c72f1c37f77 node-v25.3.0-darwin-x64.tar.xz +aff7dc51eca4c08e025785674047e4e0b8cf3cf0481e8bcc5870b7b56ecea39d node-v25.3.0-headers.tar.gz +8ba495ef14af626b44b4cfc463e3cbd7c976d130c79f465d32bda33e0efe9c2c node-v25.3.0-headers.tar.xz +8098e098dc91ec3bf98035eeebff8d9b3e46fb9e14c1e8c377986f76e0b8368f node-v25.3.0-linux-arm64.tar.gz +7d216a3fd253221da593d06d53fb201da01bd89ac6b3618c91740f379706d71a node-v25.3.0-linux-arm64.tar.xz +7564e1fea56baca6fb701dc625ddff239371b7ca63be5691dad6f6911dae85eb node-v25.3.0-linux-ppc64le.tar.gz +552f7176bc10997e8a3c0c13a2b94638d5a11f39200e115d5978dc1d2305a823 node-v25.3.0-linux-ppc64le.tar.xz +53798fa258a37a353395e97d6ffb25d1a8e42258ebc933041b20b55bab1104c4 node-v25.3.0-linux-s390x.tar.gz +aa8ed1656774ab90ae26266f72f6ce78f4ba3feb0d52dca880f29d662888a923 node-v25.3.0-linux-s390x.tar.xz +cc91362eb9a009efa26117c39c7bd55fe130123f01cf60d300b8b57e9501c27c node-v25.3.0-linux-x64.tar.gz 
+31d124b6b56a83173a7b3bb9ab2c0ec58a0bfcb4e00864707807318ba3ddfa6d node-v25.3.0-linux-x64.tar.xz +088391dd77fbd92a2dd495615cdea92fdf11ec5dc70f3e724b8b7f2f0965bf6e node-v25.3.0-win-arm64.7z +ef217b4313cc6e9bd34a599e4d90f2e40a7ca5c30ae5a3098b32054b1c0d1727 node-v25.3.0-win-arm64.zip +61eac0c670c86a34c3764a0e9c301aa2f7260ccb80adc13c3e53280fdff2f04f node-v25.3.0-win-x64.7z +3c138ba2cd835b1af70ae2813422f544b2e786bdff8c0885ffb89fb7d407148e node-v25.3.0-win-x64.zip +3f8c82f6d7edc2b00a1c9852e3bdd16feb6dbf8990279da9650a2fca9ebfdd65 node-v25.3.0-x64.msi +09bd3f5619aed0dc5f3aaf9de50cea52ffbabc79b5bda36e8e88dbed26405710 node-v25.3.0.pkg +36cf586c51f20832ad27790f278f89f98a8dd957c4d6593d4f34e492249b3352 node-v25.3.0.tar.gz +97939099edd035a0c1a2d1fc849cac018ec2a38c0c28dd8e8246fd883cdb9e9e node-v25.3.0.tar.xz +ec945fb2f2ee283225de505b58518d40e31dfa20fdedbb5b35e44ab173dca456 win-arm64/node.exe +8505f43c0673d071ace6d57c0008eae3b7eca1b7cd6d334c7a632eff056a090e win-arm64/node.lib +6a3d1f7b9bc4c2953fd0ea3991ab4b6b1f03174d0691013a129f5ec5414ce058 win-arm64/node_pdb.7z +4c1aa600d3eff04cd43677539271ef2fd3400ceb1101b9af1257470dfd79dae5 win-arm64/node_pdb.zip +660281da866a222495759906d4ad90f84549f9cca8aa7fff3559df087140bd28 win-x64/node.exe +d5fa10f3ab2f43420a7f2253a14508802e42541b14cd805e5f04d51cc0caa21f win-x64/node.lib +424950cb1c34dad3216753308922f7ecb5a0d1773900c5f2b1bf95ed22b29cf1 win-x64/node_pdb.7z +349af8b9a1a4ceea98ab2a814c32dc6ac3e8724334fa1ca35439602a6b696476 win-x64/node_pdb.zip +-----BEGIN PGP SIGNATURE----- + +iQGzBAEBCAAdFiEEiQwI24V5Fi/uDfnbi+q0389VXvQFAmlmTWMACgkQi+q0389V +XvSCcgv+JHQgZ1ZTToSsl6QgpghY0GdIk1gsycd4qVBrdRRevRv1j7JjyhFegdCf +zr1DLU+Ze0h2VdetrGoPUHD/xpJ4ZjnK2dATQcx6kDNuXoTIJhuFXRBiWuWH8D+Y +bBhAQJaRYs3tbsE2w+0DbbGG3mqqHalu7Ft+v4OYAVXOYoGf/c7bKWykax0/0tv/ +sxugysrx/QdMRTfq91kDXQ9cvAZENHPc2SCD+dV+6pCTIJEEecsZ0gS/1z9FROZc +qUudaN8/cqeh6qGLixIMmBEkH7zwDBAKXCT2ZLtivsw7eh2UtafoZzEGOUVAUh+a +BHCWzFQYO3JEOtwrx0O3kKI9nPpshiTjqpZfbiPsd6/hOZ+1eqqVcYTTmCQBaq/x 
+bsYOfd5Ccow9ARuqYQh6/8gfgFYV8dzLWY7OlXjuOLCXSVY6/ppjuFg7cq+69eKC +RaKrNU9NAx+uWYos8ky6wpblieILwBh37TlAB7FUODwEqOXDYhUezxtQMJsoH2N3 +6WYmaOmU +=ftL2 +-----END PGP SIGNATURE----- +``` From 335bfa6572f52a1ec12b43a01649ac07446e7efb Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Tue, 13 Jan 2026 09:11:19 -0500 Subject: [PATCH 2/7] feat(blog): create post for v24.13.0 (#8536) Co-authored-by: Create or Update Pull Request Action --- apps/site/pages/en/blog/release/v24.13.0.md | 109 ++++++++++++++++++++ 1 file changed, 109 insertions(+) create mode 100644 apps/site/pages/en/blog/release/v24.13.0.md diff --git a/apps/site/pages/en/blog/release/v24.13.0.md b/apps/site/pages/en/blog/release/v24.13.0.md new file mode 100644 index 0000000000000..40b82b3d44b3a --- /dev/null +++ b/apps/site/pages/en/blog/release/v24.13.0.md 
@@ -0,0 +1,109 @@ +--- +date: '2026-01-13T13:58:10.153Z' +category: release +title: Node.js 24.13.0 (LTS) +layout: blog-post +author: Marco Ippolito +--- + +## 2026-01-13, Version 24.13.0 'Krypton' (LTS), @marco-ippolito + +This is a security release. + +### Notable Changes + +lib: + +- (CVE-2025-59465) add TLSSocket default error handler (RafaelGSS) +- (CVE-2025-55132) disable futimes when permission model is enabled (RafaelGSS) + lib,permission: +- (CVE-2025-55130) require full read and write to symlink APIs (RafaelGSS) + src: +- (CVE-2025-59466) rethrow stack overflow exceptions in async_hooks (Matteo Collina) + src,lib: +- (CVE-2025-55131) refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) + tls: +- (CVE-2026-21637) route callback exceptions through error handlers (Matteo Collina) + +### Commits + +- \[[`2092785d01`](https://github.com/nodejs/node/commit/2092785d01)] - **deps**: update c-ares to v1.34.6 (Node.js GitHub Bot) [#60997](https://github.com/nodejs/node/pull/60997) +- \[[`3e58b7f2af`](https://github.com/nodejs/node/commit/3e58b7f2af)] - **deps**: update undici to 7.18.2 (Node.js GitHub Bot) [#61283](https://github.com/nodejs/node/pull/61283) +- \[[`4ba536a5a6`](https://github.com/nodejs/node/commit/4ba536a5a6)] - **(CVE-2025-59465)** **lib**: add TLSSocket default error handler (RafaelGSS) [nodejs-private/node-private#797](https://github.com/nodejs-private/node-private/pull/797) +- \[[`89adaa21fd`](https://github.com/nodejs/node/commit/89adaa21fd)] - **(CVE-2025-55132)** **lib**: disable futimes when permission model is enabled (RafaelGSS) [nodejs-private/node-private#748](https://github.com/nodejs-private/node-private/pull/748) +- \[[`7302b4dae1`](https://github.com/nodejs/node/commit/7302b4dae1)] - **(CVE-2025-55130)** **lib,permission**: require full read and write to symlink APIs (RafaelGSS) [nodejs-private/node-private#760](https://github.com/nodejs-private/node-private/pull/760) +- 
\[[`ac030753c4`](https://github.com/nodejs/node/commit/ac030753c4)] - **(CVE-2025-59466)** **src**: rethrow stack overflow exceptions in async_hooks (Matteo Collina) [nodejs-private/node-private#773](https://github.com/nodejs-private/node-private/pull/773) +- \[[`20075692fe`](https://github.com/nodejs/node/commit/20075692fe)] - **(CVE-2025-55131)** **src,lib**: refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) [nodejs-private/node-private#759](https://github.com/nodejs-private/node-private/pull/759) +- \[[`20591b0618`](https://github.com/nodejs/node/commit/20591b0618)] - **(CVE-2026-21637)** **tls**: route callback exceptions through error handlers (Matteo Collina) [nodejs-private/node-private#796](https://github.com/nodejs-private/node-private/pull/796) + +Windows 64-bit Installer: https://nodejs.org/dist/v24.13.0/node-v24.13.0-x64.msi \ +Windows ARM 64-bit Installer: https://nodejs.org/dist/v24.13.0/node-v24.13.0-arm64.msi \ +Windows 64-bit Binary: https://nodejs.org/dist/v24.13.0/win-x64/node.exe \ +Windows ARM 64-bit Binary: https://nodejs.org/dist/v24.13.0/win-arm64/node.exe \ +macOS 64-bit Installer: https://nodejs.org/dist/v24.13.0/node-v24.13.0.pkg \ +macOS Apple Silicon 64-bit Binary: https://nodejs.org/dist/v24.13.0/node-v24.13.0-darwin-arm64.tar.gz \ +macOS Intel 64-bit Binary: https://nodejs.org/dist/v24.13.0/node-v24.13.0-darwin-x64.tar.gz \ +Linux 64-bit Binary: https://nodejs.org/dist/v24.13.0/node-v24.13.0-linux-x64.tar.xz \ +Linux PPC LE 64-bit Binary: https://nodejs.org/dist/v24.13.0/node-v24.13.0-linux-ppc64le.tar.xz \ +Linux s390x 64-bit Binary: https://nodejs.org/dist/v24.13.0/node-v24.13.0-linux-s390x.tar.xz \ +AIX 64-bit Binary: https://nodejs.org/dist/v24.13.0/node-v24.13.0-aix-ppc64.tar.gz \ +ARMv8 64-bit Binary: https://nodejs.org/dist/v24.13.0/node-v24.13.0-linux-arm64.tar.xz \ +Source Code: https://nodejs.org/dist/v24.13.0/node-v24.13.0.tar.gz \ +Other release files: https://nodejs.org/dist/v24.13.0/ 
\ +Documentation: https://nodejs.org/docs/v24.13.0/api/ + +### SHASUMS + +``` +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA256 + +ac21e9af08a4d54b057d800c03bc95322946952b8daa811cada98bfb66a8ce8f node-v24.13.0-aix-ppc64.tar.gz +9ef67a1cc2b64de38bdd6139d7967699915312df37e9b176277631165e39798d node-v24.13.0-arm64.msi +d595961e563fcae057d4a0fb992f175a54d97fcc4a14dc2d474d92ddeea3b9f8 node-v24.13.0-darwin-arm64.tar.gz +c59a517e9147f25c6167426875a571432f1478c1d7ee7ecc10baa46b0d0e8545 node-v24.13.0-darwin-arm64.tar.xz +6f03c1b48ddbe1b129a6f8038be08e0899f05f17185b4d3e4350180ab669a7f3 node-v24.13.0-darwin-x64.tar.gz +4ca0a48233f091a2a69ec28dd58e59f394a1b2d4f052b6c6b10f760377fe266f node-v24.13.0-darwin-x64.tar.xz +f5589e2b4b962af05381a31d11c3c9b004daf8bd63c95c0e1a406600daa8ae88 node-v24.13.0-headers.tar.gz +9344eddda6621e46d77b26f1b93db25a52592f9eb199f300440fe3c30802f186 node-v24.13.0-headers.tar.xz +0f6d40b94c6a2eb6b4c240ffc8b9fd3ada7ab044c177dd413c06e1ef9a63f081 node-v24.13.0-linux-arm64.tar.gz +aa881151bd0f9f154a0424dd60a72e9ce10672619121658c278a24327ef46831 node-v24.13.0-linux-arm64.tar.xz +18011930b182a1c5b49d2326191fdba58270bdf7b45b8c7df855ef31931b148a node-v24.13.0-linux-ppc64le.tar.gz +babe8c72871c751ed288fc1a1aeb2a95d830f732e43d9e4ab0cf137e3273eb8e node-v24.13.0-linux-ppc64le.tar.xz +5744610b624f2e82ae1ca279d8ece7b8ca466437239533d2d033565303bc1d39 node-v24.13.0-linux-s390x.tar.gz +75f6f780442b7b98a357fd9cf6e383c3d22a8efe9ed4ee1d54ea68ff16889904 node-v24.13.0-linux-s390x.tar.xz +6223aad1a81f9d1e7b682c59d12e2de233f7b4c37475cd40d1c89c42b737ffa8 node-v24.13.0-linux-x64.tar.gz +e798599612f4bb71333a3397ab0d095fd62214e115aea45aa858a145fc72d67e node-v24.13.0-linux-x64.tar.xz +b62d61eb92a1fdcc3fc4951fc087f206eb6f46d088bd9a6630892f4eb5203d13 node-v24.13.0.pkg +54cb58921b4ce2831c6690ee823a3d39cfbf2b75f4e556c4c2bde90f3d8fd1ca node-v24.13.0.tar.gz +320fe909cbb347dcf516201e4964ef177b8138df9a7f810d0d54950481b3158b node-v24.13.0.tar.xz 
+724fcf1a20ea345cc38fb970044a6f1617a1dc47e477ee5a92fe8b243b95700a node-v24.13.0-win-arm64.7z +92b9f9b0c0c123e11e4afc535f0ec19cd987465eea506427553a49971364158a node-v24.13.0-win-arm64.zip +04d3619e21c07a84043accbacc73256431c6adbea65d4c026c6eb22ff6fd453a node-v24.13.0-win-x64.7z +ca2742695be8de44027d71b3f53a4bdb36009b95575fe1ae6f7f0b5ce091cb88 node-v24.13.0-win-x64.zip +1a5f0cd914386f3be2fbaf03ad9fff808a588ce50d2e155f338fad5530575f18 node-v24.13.0-x64.msi +91e25b2ef61ee30a9e6afce0f336b4d55d688c3717244e496fa11d69fc3a1717 win-arm64/node.exe +afef88b389be8ac30974d2cf69de26001f95f1e9efe1811f2e8467c4cdfe05d0 win-arm64/node.lib +4e3e5e11d6c60e66f65e1292bf524afeb6293f3d96ffdfbbe6756287be307e78 win-arm64/node_pdb.7z +087c7cf72188ce884288ddcd818f799f76e20ee1a1536d624e3f5baea1313c05 win-arm64/node_pdb.zip +d14ba95cdce1ef7dc9ad3ac74949ca5db38b27378ee30f30a23cf26f9e875a11 win-x64/node.exe +be205f2934c17fbd56ce6cdfcfbeb2f6a85061d5141e7a58eba240a8477a12fd win-x64/node.lib +1120267174deb5e7661e5b9b0a291e55c1937155e1dedd85018cb83eb48f466c win-x64/node_pdb.7z +e96ce3ea96ff4067f7cbeece8fe11a06f925676e956859a86e7421d325080eb1 win-x64/node_pdb.zip +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCAAdFiEEzGj1oxBv9EgyLkjtJ/XjjVsKIV8FAmlmTrkACgkQJ/XjjVsK +IV8PPg//Sh16vYqdVCcCbh/omr5nqxtTxcJvNmWN4mYA524yPw3fEXfXCIOE2d8T +nRkN0JRPL56PHH6RTbcql8U1S2jx7RpV3XJw0yFTVOXDa48yGbfBYGbPjnCmoho5 +ZMmQQjfmT4hcwckM8nXVlmX91BMyeCwtRqMN3ymTUTcACV5lFGfC7Ki1Gcu2hg3o +4jZciwOyn4FP5Em2ovIWFk+XqyQ9gMaGsdNX4zPYDqvYFR9qelgh3Sc1oUPflnir +1MuCyj2RzNymgrJ0s9kLpFHHERohZ8S5qGgZq9aucwPupwkwvByKCuvJ4C+qkJYh +7j6CDrsuRpHXFnTuuc3YdSnlj0A6oIeyEVwPFgBL7DNMEohDMFHKc8ERI1nQPFEb +he08EG2vCnQRUScHO6RY/3qcPPZ7BsCE6TCDwGSVkX+EgPEneYS4xs76JBOxOzi3 +dNxQ2XTZa+Q/BnFHLZFMs7nKn5cz+BqZEc5DNlMVhSZmVf0swuBnAPRz2J46dWAr +/Bo8FG44I9M3pmgDMSJd4vT4diqSiOTyJyHTNJbT6beK/esgH9SD1Ink8+AlRGyb +qEMaTasTEvRmRIP1t4NcuMFihvm5Y9f+ifajWrmJ65nv2JEEziUL2QM5htbLUPst +T3QThZNVItW37IVHhc3ILszlOc4nCTV+5+OT9ObOv/wIQSwMltA= +=vpzY +-----END PGP SIGNATURE----- +``` 
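Review bot: in the Notable Changes list of v24.13.0.md, every subsystem label after the first (`lib,permission:`, `src:`, `src,lib:`, `tls:`) is added as an indented line directly under the preceding bullet with no blank line, so Markdown renders it as trailing text of that bullet rather than as a label for the entries that follow. Only `lib:` starts at column 0 and is followed by a blank line. Suggest writing each label the same way as `lib:` (column 0, blank line before and after), so that CVE-2025-55130, for example, is visibly grouped under `lib,permission` the way the Commits list in the same hunk tags it.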
From 8f22da669cde92f2c0a2117a33fbc5741c81f82b Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Tue, 13 Jan 2026 09:11:37 -0500 Subject: [PATCH 3/7] feat(blog): create post for v20.20.0 (#8535) Co-authored-by: Create or Update Pull Request Action --- apps/site/pages/en/blog/release/v20.20.0.md | 121 ++++++++++++++++++++ 1 file changed, 121 insertions(+) create mode 100644 apps/site/pages/en/blog/release/v20.20.0.md diff --git a/apps/site/pages/en/blog/release/v20.20.0.md b/apps/site/pages/en/blog/release/v20.20.0.md new file mode 100644 index 0000000000000..771e28a3d9dd5 --- /dev/null +++ b/apps/site/pages/en/blog/release/v20.20.0.md 
@@ -0,0 +1,121 @@ +--- +date: '2026-01-13T13:56:13.880Z' +category: release +title: Node.js 20.20.0 (LTS) +layout: blog-post +author: Marco Ippolito +--- + +## 2026-01-13, Version 20.20.0 'Iron' (LTS), @marco-ippolito + +This is a security release. + +### Notable Changes + +lib: + +- (CVE-2025-55132) disable futimes when permission model is enabled (RafaelGSS) +- (CVE-2025-59465) add TLSSocket default error handler (RafaelGSS) + lib,permission: +- (CVE-2025-55130) require full read and write to symlink APIs (RafaelGSS) + src: +- (CVE-2025-59466) rethrow stack overflow exceptions in async_hooks (Matteo Collina) + src,lib: +- (CVE-2025-55131) refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) + tls: +- (CVE-2026-21637) route callback exceptions through error handlers (Matteo Collina) + +### Commits + +- \[[`8f9ba3f623`](https://github.com/nodejs/node/commit/8f9ba3f623)] - **deps**: update c-ares to v1.34.6 (Node.js GitHub Bot) [#60997](https://github.com/nodejs/node/pull/60997) +- \[[`97fc9b0eb7`](https://github.com/nodejs/node/commit/97fc9b0eb7)] - **deps**: update undici to 6.23.0 (Matteo Collina) [nodejs-private/node-private#792](https://github.com/nodejs-private/node-private/pull/792) +- \[[`14fbbb510c`](https://github.com/nodejs/node/commit/14fbbb510c)] - **(CVE-2025-55132)** **lib**: disable futimes when permission model is enabled (RafaelGSS) [nodejs-private/node-private#802](https://github.com/nodejs-private/node-private/pull/802) +- \[[`1febc48d5b`](https://github.com/nodejs/node/commit/1febc48d5b)] - **(CVE-2025-59465)** **lib**: add TLSSocket default error handler (RafaelGSS) [nodejs-private/node-private#797](https://github.com/nodejs-private/node-private/pull/797) +- \[[`494f62dc23`](https://github.com/nodejs/node/commit/494f62dc23)] - **(CVE-2025-55130)** **lib,permission**: require full read and write to symlink APIs (RafaelGSS) 
[nodejs-private/node-private#760](https://github.com/nodejs-private/node-private/pull/760) +- \[[`d7a5c587c0`](https://github.com/nodejs/node/commit/d7a5c587c0)] - **(CVE-2025-59466)** **src**: rethrow stack overflow exceptions in async_hooks (Matteo Collina) [nodejs-private/node-private#773](https://github.com/nodejs-private/node-private/pull/773) +- \[[`51f4de4b4a`](https://github.com/nodejs/node/commit/51f4de4b4a)] - **(CVE-2025-55131)** **src,lib**: refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) [nodejs-private/node-private#759](https://github.com/nodejs-private/node-private/pull/759) +- \[[`85f73e7057`](https://github.com/nodejs/node/commit/85f73e7057)] - **(CVE-2026-21637)** **tls**: route callback exceptions through error handlers (Matteo Collina) [nodejs-private/node-private#796](https://github.com/nodejs-private/node-private/pull/796) + +Windows 32-bit Installer: https://nodejs.org/dist/v20.20.0/node-v20.20.0-x86.msi \ +Windows 64-bit Installer: https://nodejs.org/dist/v20.20.0/node-v20.20.0-x64.msi \ +Windows ARM 64-bit Installer: https://nodejs.org/dist/v20.20.0/node-v20.20.0-arm64.msi \ +Windows 32-bit Binary: https://nodejs.org/dist/v20.20.0/win-x86/node.exe \ +Windows 64-bit Binary: https://nodejs.org/dist/v20.20.0/win-x64/node.exe \ +Windows ARM 64-bit Binary: https://nodejs.org/dist/v20.20.0/win-arm64/node.exe \ +macOS 64-bit Installer: https://nodejs.org/dist/v20.20.0/node-v20.20.0.pkg \ +macOS Apple Silicon 64-bit Binary: https://nodejs.org/dist/v20.20.0/node-v20.20.0-darwin-arm64.tar.gz \ +macOS Intel 64-bit Binary: https://nodejs.org/dist/v20.20.0/node-v20.20.0-darwin-x64.tar.gz \ +Linux 64-bit Binary: https://nodejs.org/dist/v20.20.0/node-v20.20.0-linux-x64.tar.xz \ +Linux PPC LE 64-bit Binary: https://nodejs.org/dist/v20.20.0/node-v20.20.0-linux-ppc64le.tar.xz \ +Linux s390x 64-bit Binary: https://nodejs.org/dist/v20.20.0/node-v20.20.0-linux-s390x.tar.xz \ +AIX 64-bit Binary: 
https://nodejs.org/dist/v20.20.0/node-v20.20.0-aix-ppc64.tar.gz \ +ARMv7 32-bit Binary: https://nodejs.org/dist/v20.20.0/node-v20.20.0-linux-armv7l.tar.xz \ +ARMv8 64-bit Binary: https://nodejs.org/dist/v20.20.0/node-v20.20.0-linux-arm64.tar.xz \ +Source Code: https://nodejs.org/dist/v20.20.0/node-v20.20.0.tar.gz \ +Other release files: https://nodejs.org/dist/v20.20.0/ \ +Documentation: https://nodejs.org/docs/v20.20.0/api/ + +### SHASUMS + +``` +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA256 + +7ae62921fc80ee47ae4e2519661e927b3fa7abf75cdb50458490ef2f0da633e5 node-v20.20.0-aix-ppc64.tar.gz +988d0f965918d1ff75b125b36ea5866c1000a48389e0d33875602a58c60b409f node-v20.20.0-arm64.msi +69b98aa4662032ab06bd92216f0aebb2727d7ee4e1eb79ea5787bbbb38af4801 node-v20.20.0-darwin-arm64.tar.gz +2edefda1cdebc210b27d85698354a2a4c247af0a6fb91d9414ce6251a638e364 node-v20.20.0-darwin-arm64.tar.xz +69bf9b294dc04e3b97c3d5e4f16b3c634201b7f5f617fb65d93a9a9ac4bec0f0 node-v20.20.0-darwin-x64.tar.gz +37f82f0718199626056e3694e9f00a5e30c4d1115c0c8649d04a4924a6b95a6f node-v20.20.0-darwin-x64.tar.xz +fc74b79dcc07df4b9c3ecf8d214aea5908b408f9653e918e6df163683a0e33ce node-v20.20.0-headers.tar.gz +96c31e0a07b37b0af25e5b02f679149fe1f169c153477192a59884a320b943d5 node-v20.20.0-headers.tar.xz +2b640b7fc19a1d2f12a226d7dfba9baff2de87cc15db5a3e58bcdb15582ac604 node-v20.20.0-linux-arm64.tar.gz +752113754a7dddf0622b3740a2b2bec3dbaf1792a18711b55871d76444d8892a node-v20.20.0-linux-arm64.tar.xz +2fc5f715c05c7a2662044fbfac5edfcb85d419045ecb2dff53b68f3dc4ec81fb node-v20.20.0-linux-armv7l.tar.gz +68f1945036de7738cb9f46d161ae778a9f96f18f5f5fc2827755f7925d399246 node-v20.20.0-linux-armv7l.tar.xz +8b02c9b00b551d59bd550e6d92e8131f23668fcc71b0937ac2256ee0754e39a7 node-v20.20.0-linux-ppc64le.tar.gz +5ec524a988d71f3f265d218f0f1b71d37ddc2864369508e95d32ac7e6c81a781 node-v20.20.0-linux-ppc64le.tar.xz +154dd8885646253a12532099ccf9485660bc42e4a56bb1483f4e161fb7f10bb9 node-v20.20.0-linux-s390x.tar.gz 
+908d4bbeb33eb576a132be6c6cb209ebf0e646da0e71ea42b9d481c778a1117f node-v20.20.0-linux-s390x.tar.xz +92dfd59fb4837230abba5d6dd717b882ca897e22fde2f9268e1aac2c4bde0f5b node-v20.20.0-linux-x64.tar.gz +4f48b52acf42130844a3a75e94da0e9629009d09e4101b2304895c24f3fbe609 node-v20.20.0-linux-x64.tar.xz +8dae9c0d296e86150f9138c0077ef020fb384fd913d1a671baa3663e14367ec0 node-v20.20.0.pkg +cafc92e90917c17869d982fdff10104c2eb328437ed9bbf03fdda78ebc0accdd node-v20.20.0.tar.gz +5294d9d2915620e819e6892fd7e545b98d650bad36dae54e6527eaac482add98 node-v20.20.0.tar.xz +8eb9846f62581364f877109808c7df953d3393022f33f128f954bc4a857366b2 node-v20.20.0-win-arm64.7z +870693b496d152519af14b30fb1adef47e62233b90aea5e887ea728cd29c037d node-v20.20.0-win-arm64.zip +5e48cd18cc5dc6cda23b8ad2467223f3f82b0f03b941b7088578ecb7afbda8d4 node-v20.20.0-win-x64.7z +32f24e1405b113d4e01ad2585c92024df673b6156ef6f43a5469a75bf52c0a5a node-v20.20.0-win-x64.zip +0af709b32e1ee7d7ce07c87fc64b216afcee3867cc4982ef95cbfa8010ac0e11 node-v20.20.0-win-x86.7z +d72d2a5b7d944a28eb59e0477bdc0c40b7b0a817bca057d5e882c0e0013590f3 node-v20.20.0-win-x86.zip +8b8f5cbf7f1800c74e19cef0182bb6b9144e154e57fc01dd945bd36edaf32c65 node-v20.20.0-x64.msi +93698ab6cca1cbff4ffb545f15078509ae706cfbb9a646449ccfe1c8d7abad4b node-v20.20.0-x86.msi +9d8337f4cfdfe39383b7eecbda2b84c5997507962d489988fd61f176c14d652c win-arm64/node.exe +cc64d1a9d5189e05c3f7ca3e3351aa38e0454573d533b636415dacf495f96291 win-arm64/node.lib +2fa932df38d6f1612154153a9c8c2048596518d5a46c34490f2c3603fc836d94 win-arm64/node_pdb.7z +cda800fafb789404acbe98548fe1f4e71fbc3889a747eb3fef67155e67b29513 win-arm64/node_pdb.zip +fda2b2a8857735f7958ba9771a2b24734ff36434e85ae606bcf7744d41d7adc0 win-x64/node.exe +919d900bb9d589ebbcfda17e6f6e8f6b49d8d6a8d782b6f5efd6b6c6c5f0d1b1 win-x64/node.lib +922b251451eb2aeb51848e0e67c5aa6d70c47b86d8ac22afcf4240fd445443a5 win-x64/node_pdb.7z +d9751fb70d3f7af85c0485e841de3645f43b69fc954cc231d9a16d96690c1ba1 win-x64/node_pdb.zip 
+9ffb141325064dcd1febc09752bc3ab7b407b25a0483ebcb1e3cacb7906f4c7f win-x86/node.exe +4e14d97fd24bf99dc322553d817194cc3b956482ee76e073945e82e5d343740a win-x86/node.lib +06b506294604c0806f09d5aa7b7a10a99d4bf62e2484bba74a7e1fb1499f0944 win-x86/node_pdb.7z +080cbc5ed5800da6e0e3087176525d29c21020e212bda31fe1bedb9b3a325876 win-x86/node_pdb.zip +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCAAdFiEEzGj1oxBv9EgyLkjtJ/XjjVsKIV8FAmlmTfUACgkQJ/XjjVsK +IV/NdhAAlCoOxOEkcMRWLhMPfqE+3AhOdqBgATPr1C4+9BHLPGAEqcwro2Gf3OyH +JwZyCPOfmE9Rcx4/3N7nc5KZ5IzdXtcHSdz7JzXfi9aJLzOeZ/U84hXzSJugYbKs +v3vu6l7jD9sPtpwNo/1nBGsXiE1iLpENyiKdkWneGrQfJpNImGVdY9LlV6f7j9Yl +/9bL/Lo6rpR4uSDIuyycAITAAoABli/3SnvSP/yqZ/WPQpA6kO+ZKz1mppAw8zqT +GRaYamCCU97s8vdl3sV7vq50bkxo6TunC1K6ijTlC69vjdUD2aIrD8Jlii/4TXHa +/QyhgeW7Fs5yBqqK9rQkX5LUvdXI81vuTtvcTL/2IW4Tnu51imiP3cTMmn1fjjMD +uuuo2zShcNpZBNjodiv5FHZeEGgrdF0yZNVCTnW32jUQYhnntoEt7TzjVNKXJd+r +XvS4GjR2TdqZ98FFUZNBNO57R1ZDbvqParKwOcsss+1db5UQ7s44BBVGw+qlnJoX +GDE0YoCEcmeQvpvJbJ8WxFFk8uPGyN6UdTlhLu5Pof6kfFA+VTwtnM5l6TvE9uD3 +CTtp4X/yhbRFbl764gFubcQj+L9s5urFNgKGmNaWt9kheGFRVTY8VOXHMrMwFwFu +Kw63llKOsZyrrX5Zmuegve7WnIZsZzW56LaZN37HsQaq+QcLhmQ= +=6O2f +-----END PGP SIGNATURE----- +``` From 632645ef8c858c900f778f0fbcfe75bc4e8bbf3e Mon Sep 17 00:00:00 2001 From: Rafael Gonzaga Date: Tue, 13 Jan 2026 11:12:19 -0300 Subject: [PATCH 4/7] Blog: add January 13 security release (#8538) * Blog: add January 13 security release * Update apps/site/pages/en/blog/vulnerability/december-2025-security-releases.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Signed-off-by: Rafael Gonzaga * Update apps/site/pages/en/blog/vulnerability/december-2025-security-releases.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Signed-off-by: Rafael Gonzaga --------- 
Signed-off-by: Rafael Gonzaga Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .../december-2025-security-releases.md | 159 +++++++++++++++--- apps/site/site.json | 6 +- 2 files changed, 140 insertions(+), 25 deletions(-) diff --git a/apps/site/pages/en/blog/vulnerability/december-2025-security-releases.md b/apps/site/pages/en/blog/vulnerability/december-2025-security-releases.md index 9075c1996e7b6..31cfa2d66f7ba 100644 --- a/apps/site/pages/en/blog/vulnerability/december-2025-security-releases.md +++ b/apps/site/pages/en/blog/vulnerability/december-2025-security-releases.md @@ -1,5 +1,5 @@ --- -date: 2025-12-08T23:00:00.000Z +date: 2026-01-13T00:00:00.000Z category: vulnerability title: Tuesday, January 13, 2026 Security Releases slug: december-2025-security-releases 
@@ -7,35 +7,150 @@ layout: blog-post author: The Node.js Project --- -## (Update 08-Jan-2026) Security Release postponed to January 13th +## Security releases available -Our team has decided to postpone the release to Tuesday, January 13th, 2026. -This additional time will allow us to properly test all backports and re-run CITGM -to ensure the highest quality for our users. Additionally, releasing on Tuesday rather -than Friday helps ensure that security updates are available during regular business -hours across all time zones, particularly for our users in the Asia-Pacific region. +Updates are now available for the 25.x, 24.x, 22.x, 20.x Node.js release lines +to address: -We appreciate your patience and understanding as we work to deliver a secure and -reliable release. If you have any questions or need assistance, please feel free to -join us in the [OpenJS Foundation Slack](https://openjs-foundation.slack.com/). +- 3 high severity issues. +- 4 medium severity issues. +- 1 low severity issue. + +This security release includes the following dependency updates to address public vulnerabilities: + +- c-ares (1.34.6) on 20.x, 22.x, 24.x, 25.x +- undici (6.23.0, 7.18.0) on 20.x, 22.x, 24.x, 25.x + +## Timeout-based race conditions make Uint8Array/Buffer.alloc non-zerofilled (CVE-2025-55131) - (High) + +A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, +when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated +with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous +operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption. + +While exploitation typically requires precise timing or in-process code execution, it can become remotely +exploitable when untrusted input influences workload and timeouts, leading to potential confidentiality and +integrity impact. 
+ +Impact: + +- This vulnerability affects all users in active release lines: 20.x, 22.x, 24.x, 25.x + +Thank you, to Nikita Skovoroda for reporting and fixing this vulnerability. + +## Bypass File System Permissions using crafted symlinks (CVE-2025-55130) - (High) + +A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` +restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted +access only to the current directory can escape the allowed path and read sensitive files. This breaks the +expected isolation guarantees and enables arbitrary file read/write, leading to potential system compromise. + +Impact: + +- This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25. + +Thank you, to natann for reporting this vulnerability and thank you RafaelGSS for fixing it. + +## Node.js HTTP/2 server crashes with unhandled error when receiving malformed HEADERS frame (CVE-2025-59465) - (High) + +A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by +triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the +process crashes, enabling a remote denial of service. This primarily affects applications that do not +attach explicit error handlers to secure sockets, for example: + +```js +server.on('secureConnection', socket => { + socket.on('error', err => { + console.log(err); + }); +}); +``` + +Impact: + +- This vulnerability affects all users in active release lines: 20.x, 22.x, 24.x, 25.x + +Thank you, to dantt for reporting this vulnerability and thank you RafaelGSS for fixing it. 
+ +## Uncatchable "Maximum call stack size exceeded" error on Node.js via async_hooks leads to process crashes bypassing error handlers (CVE-2025-59466) - (Medium) + +We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors +become uncatchable when `async_hooks.createHook()` is enabled. +Instead of reaching `process.on('uncaughtException')`, the process terminates, making the crash unrecoverable. +Applications that rely on `AsyncLocalStorage` (v22, v20) or `async_hooks.createHook()` (v24, v22, v20) become +vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions. + +Impact: + +- This vulnerability affects all users in active release lines: 20.x, 22.x, 24.x, 25.x + +Thank you, to Andrew MacPherson (AndrewMohawk) for identifying & aaron_vercel for reporting this vulnerability and thank you mcollina for fixing it. + +## Memory leak that enables remote Denial of Service against applications processing TLS client certificates (CVE-2025-59464) - (Medium) + +A memory leak in Node.js’s OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 +without freeing the allocated buffer. When applications call `socket.getPeerCertificate(true)`, +each certificate field leaks memory, allowing remote clients to trigger steady memory growth through repeated +TLS connections. Over time this can lead to resource exhaustion and denial of service. + +Impact: + +- This vulnerability affects all users in active release lines: 20.x, 22.x, 24.x + +Thank you, to giant_anteater for reporting this vulnerability and thank you RafaelGSS for fixing it. + +## Node.js permission model bypass via unchecked Unix Domain Socket connections (UDS) (CVE-2026-21636) - (Medium) + +A flaw in Node.js's permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions +when `--permission` is enabled. 
Even without `--allow-net`, attacker-controlled inputs +(such as URLs or socketPath options) can connect to arbitrary local sockets via net, tls, or undici/fetch. +This breaks the intended security boundary of the permission model and enables access to privileged local services, +potentially leading to privilege escalation, data exposure, or local code execution. + +In the moment of this vulnerability, network permissions (`--allow-net`) are still in the experimental phase. + +Impact: + +- The issue affects users of the Node.js permission model on version v25. + +Thank you, to mufeedvh for reporting this vulnerability and thank you RafaelGSS for fixing it. + +## TLS PSK/ALPN Callback Exceptions Bypass Error Handlers, Causing DoS and FD Leak (CVE-2026-21637) - (Medium) + +A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when +`pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard +TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file +descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled +input during the TLS handshake, a remote client can repeatedly trigger the issue. + +Impact: + +- This vulnerability affects TLS servers using PSK or ALPN callbacks across Node.js versions where these callbacks + throw without being safely wrapped. + +Thank you, to 0xmaxhax for reporting this vulnerability and thank you mcollina for fixing it. + +## fs.futimes() Bypasses Read-Only Permission Model (CVE-2025-55132) - (Low) + +A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed +via `futimes()` even when the process has only read permissions. 
-## (Update 07-Jan-2026) Security Release postponed to January 8th +Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file +metadata can be modified in read-only directories. This behavior could be used to alter timestamps in +ways that obscure activity, reducing the reliability of logs. -Our team decided to postpone the release to Thursday, January 8th, 2026, -due to complications in the Node.js testing CI. +Impact: -## (Update 17-Dec-2025) Security Release target January 7th +- This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25. -We have decided to delay the release further to Wednesday, January 7th, 2026. Many of the -downstream projects and users are on holiday break at the end of the year, and the security -release will disclose the vulnerabilities being fixed as soon as the patches are available. -We want to make sure that most users are no longer on holiday when they evaluate whether -they are affected and need to perform time-sensitive upgrades. +Thank you, to oriotie for reporting this vulnerability and thank you RafaelGSS for fixing it. -## (Update 15-Dec-2025) Security Release target December 18th +## Downloads and release details -The team is still working on a particularly challenging patch, for this reason -the release is being postponed to Thursday, December 18th or shortly after. +- [Node.js v20.19.7](/blog/release/v20.19.7/) +- [Node.js v22.21.2](/blog/release/v22.21.2/) +- [Node.js v24.12.1](/blog/release/v24.12.1/) +- [Node.js v25.2.2](/blog/release/v25.2.2/) # Summary diff --git a/apps/site/site.json b/apps/site/site.json index 7fb2563aa93c4..19db7981d45c9 100644 --- a/apps/site/site.json +++ b/apps/site/site.json 
@@ -28,9 +28,9 @@ ], "websiteBanners": { "index": { - "startDate": "2025-12-08T17:00:00.000Z", - "endDate": "2026-01-13T23:00:00.000Z", - "text": "New security releases to be made available Tuesday, January 13, 2026", + "startDate": "2026-01-13T00:00:00.000Z", + "endDate": "2026-01-20T00:00:00.000Z", + "text": "January Security Release is available", "link": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases", "type": "warning" } From 5785880f7abbfdf9617adf7d50a79448ca19194f Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Tue, 13 Jan 2026 09:13:50 -0500 Subject: [PATCH 5/7] meta: update pnpm from 10.24.0 to 10.28.0 (#8534) Co-authored-by: Create or Update Pull Request Action --- package.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/package.json b/package.json index 5b9189a90e9f3..36d2f8169bf62 100644 --- a/package.json +++ b/package.json @@ -52,7 +52,7 @@ "typescript": "catalog:", "typescript-eslint": "~8.50.1" }, - "packageManager": "pnpm@10.24.0", + "packageManager": "pnpm@10.28.0", "devEngines": { "runtime": { "name": "node", @@ -61,7 +61,7 @@ }, "packageManager": { "name": "pnpm", - "version": "10.24.0", + "version": "10.28.0", "onFail": "error" } } From 9ef446883ec0be95e9730b66564fd0f61f06f62b Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Tue, 13 Jan 2026 09:18:56 -0500 Subject: [PATCH 6/7] feat(blog): create post for 22.22.0 (#8539) Co-authored-by: Create or Update Pull Request Action --- apps/site/pages/en/blog/release/v22.22.0.md | 121 ++++++++++++++++++++ 1 file changed, 121 insertions(+) create mode 100644 apps/site/pages/en/blog/release/v22.22.0.md diff --git a/apps/site/pages/en/blog/release/v22.22.0.md b/apps/site/pages/en/blog/release/v22.22.0.md new file mode 100644 index 0000000000000..38ccb3147d9d9 --- /dev/null +++ b/apps/site/pages/en/blog/release/v22.22.0.md 
@@ -0,0 +1,121 @@ +--- +date: '2026-01-13T14:18:09.314Z' +category: release +title: Node.js 22.22.0 (LTS) +layout: blog-post +author: Marco Ippolito +--- + +## 2026-01-13, Version 22.22.0 'Jod' (LTS), @marco-ippolito + +This is a security release. + +### Notable Changes + +lib: + +- (CVE-2025-59465) add TLSSocket default error handler +- (CVE-2025-55132) disable futimes when permission model is enabled + lib,permission: +- (CVE-2025-55130) require full read and write to symlink APIs + src: +- (CVE-2025-59466) rethrow stack overflow exceptions in async_hooks + src,lib: +- (CVE-2025-55131) refactor unsafe buffer creation to remove zero-fill toggle + tls: +- (CVE-2026-21637) route callback exceptions through error handlers + +### Commits + +- \[[`6badf4e6f4`](https://github.com/nodejs/node/commit/6badf4e6f4)] - **deps**: update c-ares to v1.34.6 (Node.js GitHub Bot) [#60997](https://github.com/nodejs/node/pull/60997) +- \[[`37509c3ff0`](https://github.com/nodejs/node/commit/37509c3ff0)] - **deps**: update undici to 6.23.0 (Matteo Collina) [nodejs-private/node-private#791](https://github.com/nodejs-private/node-private/pull/791) +- \[[`eb8e41f8db`](https://github.com/nodejs/node/commit/eb8e41f8db)] - **(CVE-2025-59465)** **lib**: add TLSSocket default error handler (RafaelGSS) [nodejs-private/node-private#797](https://github.com/nodejs-private/node-private/pull/797) +- \[[`ebbf942a83`](https://github.com/nodejs/node/commit/ebbf942a83)] - **(CVE-2025-55132)** **lib**: disable futimes when permission model is enabled (RafaelGSS) [nodejs-private/node-private#748](https://github.com/nodejs-private/node-private/pull/748) +- \[[`6b4849583a`](https://github.com/nodejs/node/commit/6b4849583a)] - **(CVE-2025-55130)** **lib,permission**: require full read and write to symlink APIs (RafaelGSS) [nodejs-private/node-private#760](https://github.com/nodejs-private/node-private/pull/760) +- \[[`ddadc31f09`](https://github.com/nodejs/node/commit/ddadc31f09)] - **(CVE-2025-59466)** 
**src**: rethrow stack overflow exceptions in async_hooks (Matteo Collina) [nodejs-private/node-private#773](https://github.com/nodejs-private/node-private/pull/773) +- \[[`d4d9f3915f`](https://github.com/nodejs/node/commit/d4d9f3915f)] - **(CVE-2025-55131)** **src,lib**: refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) [nodejs-private/node-private#759](https://github.com/nodejs-private/node-private/pull/759) +- \[[`25d6799df6`](https://github.com/nodejs/node/commit/25d6799df6)] - **(CVE-2026-21637)** **tls**: route callback exceptions through error handlers (Matteo Collina) [nodejs-private/node-private#796](https://github.com/nodejs-private/node-private/pull/796) + +Windows 32-bit Installer: https://nodejs.org/dist/v22.22.0/node-v22.22.0-x86.msi \ +Windows 64-bit Installer: https://nodejs.org/dist/v22.22.0/node-v22.22.0-x64.msi \ +Windows ARM 64-bit Installer: https://nodejs.org/dist/v22.22.0/node-v22.22.0-arm64.msi \ +Windows 32-bit Binary: https://nodejs.org/dist/v22.22.0/win-x86/node.exe \ +Windows 64-bit Binary: https://nodejs.org/dist/v22.22.0/win-x64/node.exe \ +Windows ARM 64-bit Binary: https://nodejs.org/dist/v22.22.0/win-arm64/node.exe \ +macOS 64-bit Installer: https://nodejs.org/dist/v22.22.0/node-v22.22.0.pkg \ +macOS Apple Silicon 64-bit Binary: https://nodejs.org/dist/v22.22.0/node-v22.22.0-darwin-arm64.tar.gz \ +macOS Intel 64-bit Binary: https://nodejs.org/dist/v22.22.0/node-v22.22.0-darwin-x64.tar.gz \ +Linux 64-bit Binary: https://nodejs.org/dist/v22.22.0/node-v22.22.0-linux-x64.tar.xz \ +Linux PPC LE 64-bit Binary: https://nodejs.org/dist/v22.22.0/node-v22.22.0-linux-ppc64le.tar.xz \ +Linux s390x 64-bit Binary: https://nodejs.org/dist/v22.22.0/node-v22.22.0-linux-s390x.tar.xz \ +AIX 64-bit Binary: https://nodejs.org/dist/v22.22.0/node-v22.22.0-aix-ppc64.tar.gz \ +ARMv7 32-bit Binary: https://nodejs.org/dist/v22.22.0/node-v22.22.0-linux-armv7l.tar.xz \ +ARMv8 64-bit Binary: 
https://nodejs.org/dist/v22.22.0/node-v22.22.0-linux-arm64.tar.xz \ +Source Code: https://nodejs.org/dist/v22.22.0/node-v22.22.0.tar.gz \ +Other release files: https://nodejs.org/dist/v22.22.0/ \ +Documentation: https://nodejs.org/docs/v22.22.0/api/ + +### SHASUMS + +``` +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA256 + +b5ab6deeb8d54b9738039a8ffdc4781cc4b81b291e79b20d3600f830d1d669cb node-v22.22.0-aix-ppc64.tar.gz +26b66be5f735426dce7355d629246f704be08b377f3382de293a6513676cf051 node-v22.22.0-arm64.msi +5ed4db0fcf1eaf84d91ad12462631d73bf4576c1377e192d222e48026a902640 node-v22.22.0-darwin-arm64.tar.gz +2bd596bbfc4a275ceb8721a5954ee97daea5ebe673e96a185ebd732f6fb023ac node-v22.22.0-darwin-arm64.tar.xz +5ea50c9d6dea3dfa3abb66b2656f7a4e1c8cef23432b558d45fb538c7b5dedce node-v22.22.0-darwin-x64.tar.gz +48bc437e00e0c1483da34c21dca196efcb8d22e5dcb0bc7c65386afb00fabb85 node-v22.22.0-darwin-x64.tar.xz +670494f0cc674059596222c60e5db84fbe80c849d7ffb1c3fbd20e4f55b8ea85 node-v22.22.0-headers.tar.gz +58e1483493244a4f8aa7d21ad8b21fc4f72cc3ca669fdf292089cad9de221fde node-v22.22.0-headers.tar.xz +25ba95dfb96871fa2ef977f11f95ea90818c8fa15c0f2110771db08d4ba423be node-v22.22.0-linux-arm64.tar.gz +1bf1eb9ee63ffc4e5d324c0b9b62cf4a289f44332dfef9607cea1a0d9596ba6f node-v22.22.0-linux-arm64.tar.xz +a92684d8720589f19776fb186c5a3a4d273c13436fc8c44b61dd3eeef81f0d3a node-v22.22.0-linux-armv7l.tar.gz +a8b4f15f6e1f371422f1f7abcca4c46bd7abc1c732c274bc5cb108b841c1f0ff node-v22.22.0-linux-armv7l.tar.xz +54680eec598330b9863ab37ada46456415b776e46345958476fcd2212abdf0f3 node-v22.22.0-linux-ppc64le.tar.gz +d83b9957431cc18e1fc143a4b99f89cde7b8a18f53ef392231b4336afd058865 node-v22.22.0-linux-ppc64le.tar.xz +9b24cc6dd17106725d79645adf0a3b62fa3310e4d30aa11147dd3fe2d8325ef4 node-v22.22.0-linux-s390x.tar.gz +5aa0e520689448c4233e8d73f284e8e0634fdcd32b479735698494be5641f3e4 node-v22.22.0-linux-s390x.tar.xz +c33c39ed9c80deddde77c960d00119918b9e352426fd604ba41638d6526a4744 node-v22.22.0-linux-x64.tar.gz 
+9aa8e9d2298ab68c600bd6fb86a6c13bce11a4eca1ba9b39d79fa021755d7c37 node-v22.22.0-linux-x64.tar.xz +0e437be47d67d916c2b94073321dfdaffef85ef6e527d509588d00994e9036af node-v22.22.0.pkg +5a4585d7f26bfb283267194b299243efea5ee6edd2fbf887825469b4ac94aece node-v22.22.0.tar.gz +4c138012bb5352f49822a8f3e6d1db71e00639d0c36d5b6756f91e4c6f30b683 node-v22.22.0.tar.xz +31bad2fed05553bd4709851e5269ec953c744ee5845d2962564f37fcff634a53 node-v22.22.0-win-arm64.7z +5b44fd410df7b4cd0a1891a05a7b606f8fb7d8786a94997b996a372e82478d7a node-v22.22.0-win-arm64.zip +98758c6ec0b29a03b4e1ec0ace7671a8ac57839034d23a1a62e91fc782fb97d2 node-v22.22.0-win-x64.7z +c97fa376d2becdc8863fcd3ca2dd9a83a9f3468ee7ccf7a6d076ec66a645c77a node-v22.22.0-win-x64.zip +3cf831dc2ae1a53da6baee772388b7cd5635617c8a133fbaf92269fde3336686 node-v22.22.0-win-x86.7z +5d7f6cfc50474cf784027ce9ddabf47a0198ea4b588301ab8675de8c56217247 node-v22.22.0-win-x86.zip +b10f88c6ded24ca487839b3eccb8870a08d7f9fc2b9bb3b463fc72a3a40bcdb1 node-v22.22.0-x64.msi +ec3eeb357dbb980aea936afb8ce8b279f12cf0bec03fd7781ddcfad44f01cba6 node-v22.22.0-x86.msi +fd44256121597d6a3707f4c7730b4e3733eacb5a95cc78a099f601d7e7f8290d win-arm64/node.exe +48839df5eda1889bf704353d35699a4b0d379ee3b2c87d9bfdf0d2d22b182c18 win-arm64/node.lib +8497008940246b148cf9e4455568adbc1a4d5b71f52ebd236dc4f90e5f30142d win-arm64/node_pdb.7z +ded8b2b2c37f93017d8d565f4b32db5278283d3d9527803008ee1aa282c3a084 win-arm64/node_pdb.zip +bae898add4643fcf890a83ad8ae56e20dce7e781cab161a53991ceba70c99ffb win-x64/node.exe +29b1f8c74cb600ff522dcb9da5807c752fae6f510868b7f3079851ebf27154ea win-x64/node.lib +549027ada17424c185a545cf09b3fad7a1d769777ec587481cefe694447728c6 win-x64/node_pdb.7z +1b3fad691fc6f0c1bf679e5999de3d4e16a506e54e404e7e5f9459c9e1e9e1cb win-x64/node_pdb.zip +65fff00e7d40f9a7fc7fb7a64e0d3a595adb6807eeafc8ed8477850eedc90e68 win-x86/node.exe +03c89ca02b018a620471a8411881ab90f472b9e88e5b150cf58b075afb7ce2e9 win-x86/node.lib 
+fc2cd7abd2c3ee99de42b16bb86e1ecf4fed6d87b714d4827f1e26c4a7e17e51 win-x86/node_pdb.7z +28561a9939829dc3d32ac6b6bc478a1614fbe3992657ab45d1926a0007c2e8fd win-x86/node_pdb.zip +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCAAdFiEEzGj1oxBv9EgyLkjtJ/XjjVsKIV8FAmlmTlkACgkQJ/XjjVsK +IV8/DRAAoFQH3kAks0aVWHG0/v8+rdRbWiIJxNffnfeudYYCm7xcz9JKHo+NhjyY +LQCqoaZUnCo7HJa0y3UypKHC0Jho2WdueyfW6/U/e5wpGt38N4UMaz8tbAGBk48Y +72esD5RnYwA1JEGTtO6JIY8tcLC4NwIMT81WIQaTsGEKtNcJpu8F9AvQGxe0TKuT +RGIcT6IKRuIU0heRYdbmQ85jK9p/pukGdlMoz5/DSDDYQnE3ZRyokdXsnyPn3xx6 +2OEfEL+bjzyDj76zBLuZJSL4Dzm8UC43YTcZHFXKUHyyKNNx9lIOd/LD9Xzujkr4 +HZT4VhOJqQYZuEaVNTapDZzUe2LCoLH+iHmAndUyWL5w94yf6C9/M5hCSfKdVWQV +L4B453tDc1SI7m1GaQlngBb7bfL/b4dKQeoOrwDCqp8nYkg41CMN+FnJ74fzxNEn +in2HIDEfcEWhs+5aQr+ITH29c0V5jufrsnle0I82FQ93BZ9JVLq1WTe5xgrp9wjU +zNM4v7BuBRMQP0qSv1mc3xuwu1Wr837NhTZh+vjYI++DhkL5GTUJ6MH2R3m58+Hg +kcyXQet+YEs8cFbs12Tq47KMsn9rTsOfksubyLJxxz/XRRkgv6HE0m9c5jlbF+uV +gZJILw7c8UopZWoVtuRaZxFFQCipWUcT+NBENDUZnetaHN7KuQo= +=vkw+ +-----END PGP SIGNATURE----- +``` From cc979e1081da2bc25fe082f5920683fec09b30da Mon Sep 17 00:00:00 2001 From: Rafael Gonzaga Date: Tue, 13 Jan 2026 11:46:57 -0300 Subject: [PATCH 7/7] Blog: fix formatting on sec release changelog (#8540) * Blog: fix formatting on sec release changelog * fix version name Signed-off-by: Aviv Keller * Apply suggestion from @marco-ippolito Co-authored-by: Marco Ippolito Signed-off-by: Aviv Keller * Update apps/site/pages/en/blog/vulnerability/december-2025-security-releases.md Co-authored-by: Marco Ippolito Signed-off-by: Aviv Keller * Update apps/site/pages/en/blog/vulnerability/december-2025-security-releases.md Co-authored-by: Marco Ippolito Signed-off-by: Aviv Keller --------- 
Signed-off-by: Aviv Keller Co-authored-by: Aviv Keller Co-authored-by: Marco Ippolito --- apps/site/pages/en/blog/release/v20.20.0.md | 6 ------ apps/site/pages/en/blog/release/v22.22.0.md | 6 ------ apps/site/pages/en/blog/release/v24.13.0.md | 6 ------ apps/site/pages/en/blog/release/v25.3.0.md | 6 ------ .../blog/vulnerability/december-2025-security-releases.md | 8 ++++---- 5 files changed, 4 insertions(+), 28 deletions(-) diff --git a/apps/site/pages/en/blog/release/v20.20.0.md b/apps/site/pages/en/blog/release/v20.20.0.md index 771e28a3d9dd5..4c1018c1ec2c7 100644 --- a/apps/site/pages/en/blog/release/v20.20.0.md +++ b/apps/site/pages/en/blog/release/v20.20.0.md @@ -12,17 +12,11 @@ This is a security release. ### Notable Changes -lib: - - (CVE-2025-55132) disable futimes when permission model is enabled (RafaelGSS) - (CVE-2025-59465) add TLSSocket default error handler (RafaelGSS) - lib,permission: - (CVE-2025-55130) require full read and write to symlink APIs (RafaelGSS) - src: - (CVE-2025-59466) rethrow stack overflow exceptions in async_hooks (Matteo Collina) - src,lib: - (CVE-2025-55131) refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) - tls: - (CVE-2026-21637) route callback exceptions through error handlers (Matteo Collina) ### Commits diff --git a/apps/site/pages/en/blog/release/v22.22.0.md b/apps/site/pages/en/blog/release/v22.22.0.md index 38ccb3147d9d9..eb597d26280cb 100644 --- a/apps/site/pages/en/blog/release/v22.22.0.md +++ b/apps/site/pages/en/blog/release/v22.22.0.md 
@@ -12,17 +12,11 @@ This is a security release. ### Notable Changes -lib: - - (CVE-2025-59465) add TLSSocket default error handler - (CVE-2025-55132) disable futimes when permission model is enabled - lib,permission: - (CVE-2025-55130) require full read and write to symlink APIs - src: - (CVE-2025-59466) rethrow stack overflow exceptions in async_hooks - src,lib: - (CVE-2025-55131) refactor unsafe buffer creation to remove zero-fill toggle - tls: - (CVE-2026-21637) route callback exceptions through error handlers ### Commits diff --git a/apps/site/pages/en/blog/release/v24.13.0.md b/apps/site/pages/en/blog/release/v24.13.0.md index 40b82b3d44b3a..3012fba1ff700 100644 --- a/apps/site/pages/en/blog/release/v24.13.0.md +++ b/apps/site/pages/en/blog/release/v24.13.0.md @@ -12,17 +12,11 @@ This is a security release. ### Notable Changes -lib: - - (CVE-2025-59465) add TLSSocket default error handler (RafaelGSS) - (CVE-2025-55132) disable futimes when permission model is enabled (RafaelGSS) - lib,permission: - (CVE-2025-55130) require full read and write to symlink APIs (RafaelGSS) - src: - (CVE-2025-59466) rethrow stack overflow exceptions in async_hooks (Matteo Collina) - src,lib: - (CVE-2025-55131) refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) - tls: - (CVE-2026-21637) route callback exceptions through error handlers (Matteo Collina) ### Commits diff --git a/apps/site/pages/en/blog/release/v25.3.0.md b/apps/site/pages/en/blog/release/v25.3.0.md index 3930dfb535fed..9b69ef1158dc4 100644 --- a/apps/site/pages/en/blog/release/v25.3.0.md +++ b/apps/site/pages/en/blog/release/v25.3.0.md 
@@ -12,18 +12,12 @@ This is a security release. ### Notable Changes -lib: - - (CVE-2025-59465) add TLSSocket default error handler (RafaelGSS) - permission: - (CVE-2026-21636) add network check on pipe_wrap connect (RafaelGSS) - (CVE-2025-55130) require full read and write to symlink APIs (RafaelGSS) - (CVE-2025-55132) disable futimes when permission model is enabled (RafaelGSS) - src: - (CVE-2025-59466) rethrow stack overflow exceptions in async_hooks (Matteo Collina) - src,lib: - (CVE-2025-55131) refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) - tls: - (CVE-2026-21637) route callback exceptions through error handlers (Matteo Collina) ### Commits diff --git a/apps/site/pages/en/blog/vulnerability/december-2025-security-releases.md b/apps/site/pages/en/blog/vulnerability/december-2025-security-releases.md index 31cfa2d66f7ba..5179751845546 100644 --- a/apps/site/pages/en/blog/vulnerability/december-2025-security-releases.md +++ b/apps/site/pages/en/blog/vulnerability/december-2025-security-releases.md @@ -147,10 +147,10 @@ Thank you, to oriotie for reporting this vulnerability and thank you RafaelGSS f ## Downloads and release details -- [Node.js v20.19.7](/blog/release/v20.19.7/) -- [Node.js v22.21.2](/blog/release/v22.21.2/) -- [Node.js v24.12.1](/blog/release/v24.12.1/) -- [Node.js v25.2.2](/blog/release/v25.2.2/) +- [Node.js 20.20.0](/blog/release/v20.20.0/) +- [Node.js 22.22.0](/blog/release/v22.22.0/) +- [Node.js 24.13.0](/blog/release/v24.13.0/) +- [Node.js 25.3.0](/blog/release/v25.3.0/) # Summary
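Review bot: In the `@@ -7,35 +7,150 @@` hunk of the security release post, the CVE-2025-59465 section says the crash "primarily affects applications that do not attach explicit error handlers to secure sockets, for example:" and then shows a `secureConnection` listener that does attach `socket.on('error', ...)`. As written, the snippet can be read either as an affected application or as the handler that avoids the crash; reword the sentence before the fence so it says which. Two consistency points in the same hunk: the CVE-2025-59466 text names `AsyncLocalStorage` (v22, v20) and `async_hooks.createHook()` (v24, v22, v20) while its Impact line also lists 25.x, and the CVE-2026-21637 Impact line names no release lines, unlike every other section.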
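Review bot: In the `apps/site/site.json` hunk, the banner `text` now reads "January Security Release is available" while the unchanged `link` still ends in `december-2025-security-releases`, so the banner and the URL it opens name different months. If the slug has to stay so that existing inbound links keep working, note that in the commit message; otherwise a reader following the banner has no way to tell that the December post is the January release announcement.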
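Review bot: In both `package.json` hunks the pnpm pin is a bare version (`"packageManager": "pnpm@10.28.0"` and `"version": "10.28.0"` under `devEngines.packageManager`) with no integrity hash. Corepack accepts a hash suffix in the `packageManager` field, in the form `pnpm@<version>+sha512.<hash>`, which lets it verify the package manager it downloads; consider adding it as part of this automated bump. The two fields are updated together here, which matters with `"onFail": "error"` set, and a CI check that fails when they diverge would keep a later bot bump from changing only one of them.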
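Review bot: The new `apps/site/pages/en/blog/release/v22.22.0.md` has no entry for CVE-2025-59464 in either Notable Changes or Commits, although the security release post in this series lists that CVE as affecting 20.x, 22.x and 24.x. If the fix reached 22.x in an earlier release, say so in one of the two posts; if it ships in 22.22.0, the entry is missing. Separately, the Notable Changes bullets omit the author names that the v25.3.0 post carries, and the label lines after the first (`lib,permission:`, `src:`, `src,lib:`, `tls:`) are indented under the preceding bullet, so they will render as part of that bullet rather than as group labels.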
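Review bot: In the four release-post hunks of PATCH 7/7 (`v20.20.0.md`, `v22.22.0.md`, `v24.13.0.md`, `v25.3.0.md`), deleting the `lib:`, `permission:`, `src:`, `src,lib:` and `tls:` lines fixes the rendering but also drops the subsystem from every Notable Changes entry. Suggest carrying it on each bullet the way the Commits list already does (`**tls**: route callback exceptions through error handlers`), so a reader can still see, for example, that CVE-2026-21636 is a `permission` change. The `v22.22.0.md` bullets also remain without the author names that the other three posts include.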