Skip to content

Commit d89bb1b

Browse files
juanarboljuanarbol
committed
2026-03-24, Version 24.14.1 'Krypton' (LTS)
This is a security release. Notable changes: build,deps,test: * (CVE-2026-21717) test array index hash collision crypto: * (CVE-2026-21713) use timing-safe comparison in Web Cryptography HMAC and KMAC http: * (CVE-2026-21710) use null prototype for headersDistinct/trailersDistinct permission: * (CVE-2026-21716) include permission check on lib/fs/promises * (CVE-2026-21715) add permission check to realpath.native src: * (CVE-2026-21714) handle NGHTTP2_ERR_FLOW_CONTROL error code * (CVE-2026-21712) handle url crash on different url formats tls: * (CVE-2026-21637) wrap SNICallback invocation in try/catch PR-URL: nodejs-private/node-private#837
1 parent 80cb042 commit d89bb1b

File tree

3 files changed

+41
-2
lines changed

3 files changed

+41
-2
lines changed

CHANGELOG.md

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -40,7 +40,8 @@ release.
4040
</tr>
4141
<tr>
4242
<td valign="top">
43-
<b><a href="doc/changelogs/CHANGELOG_V24.md#24.14.0">24.14.0</a></b><br/>
43+
<b><a href="doc/changelogs/CHANGELOG_V24.md#24.14.1">24.14.1</a></b><br/>
44+
<a href="doc/changelogs/CHANGELOG_V24.md#24.14.0">24.14.0</a><br/>
4445
<a href="doc/changelogs/CHANGELOG_V24.md#24.13.1">24.13.1</a><br/>
4546
<a href="doc/changelogs/CHANGELOG_V24.md#24.13.0">24.13.0</a><br/>
4647
<a href="doc/changelogs/CHANGELOG_V24.md#24.12.0">24.12.0</a><br/>

doc/changelogs/CHANGELOG_V24.md

Lines changed: 38 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -9,6 +9,7 @@
99
</tr>
1010
<tr>
1111
<td>
12+
<a href="#24.14.1">24.14.1</a><br/>
1213
<a href="#24.14.0">24.14.0</a><br/>
1314
<a href="#24.13.1">24.13.1</a><br/>
1415
<a href="#24.13.0">24.13.0</a><br/>
@@ -61,6 +62,43 @@
6162
* [io.js](CHANGELOG_IOJS.md)
6263
* [Archive](CHANGELOG_ARCHIVE.md)
6364

65+
<a id="24.14.1"></a>
66+
67+
## 2026-03-24, Version 24.14.1 'Krypton' (LTS), @RafaelGSS prepared by @juanarbol
68+
69+
This is a security release.
70+
71+
### Notable Changes
72+
73+
* (CVE-2026-21710) use null prototype for headersDistinct/trailersDistinct (Matteo Collina) - High
74+
* (CVE-2026-21637) wrap SNICallback invocation in try/catch (Matteo Collina) - High
75+
* (CVE-2026-21717) test array index hash collision (Joyee Cheung) - Medium
76+
* (CVE-2026-21713) use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan) - Medium
77+
* (CVE-2026-21714) handle NGHTTP2\_ERR\_FLOW\_CONTROL error code (RafaelGSS) - Medium
78+
* (CVE-2026-21712) handle url crash on different url formats (RafaelGSS) - Medium
79+
* (CVE-2026-21716) include permission check on lib/fs/promises (RafaelGSS) - Low
80+
* (CVE-2026-21715) add permission check to realpath.native (RafaelGSS) - Low
81+
82+
### Commits
83+
84+
* \[[`6fae244080`](https://github.com/nodejs/node/commit/6fae244080)] - **(CVE-2026-21717)** **build,test**: test array index hash collision (Joyee Cheung) [nodejs-private/node-private#828](https://github.com/nodejs-private/node-private/pull/828)
85+
* \[[`cc0910c62e`](https://github.com/nodejs/node/commit/cc0910c62e)] - **(CVE-2026-21713)** **crypto**: use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan) [nodejs-private/node-private#822](https://github.com/nodejs-private/node-private/pull/822)
86+
* \[[`80cb042cf3`](https://github.com/nodejs/node/commit/80cb042cf3)] - **deps**: update undici to 7.24.4 (Node.js GitHub Bot) [#62271](https://github.com/nodejs/node/pull/62271)
87+
* \[[`f5b8667dc2`](https://github.com/nodejs/node/commit/f5b8667dc2)] - **deps**: update undici to 7.24.3 (Node.js GitHub Bot) [#62233](https://github.com/nodejs/node/pull/62233)
88+
* \[[`08852637d9`](https://github.com/nodejs/node/commit/08852637d9)] - **deps**: update undici to 7.22.0 (Node.js GitHub Bot) [#62035](https://github.com/nodejs/node/pull/62035)
89+
* \[[`61097db9fb`](https://github.com/nodejs/node/commit/61097db9fb)] - **deps**: upgrade npm to 11.11.0 (npm team) [#61994](https://github.com/nodejs/node/pull/61994)
90+
* \[[`9ac0f9f81e`](https://github.com/nodejs/node/commit/9ac0f9f81e)] - **deps**: upgrade npm to 11.10.1 (npm team) [#61892](https://github.com/nodejs/node/pull/61892)
91+
* \[[`3dab3c4698`](https://github.com/nodejs/node/commit/3dab3c4698)] - **deps**: V8: override `depot_tools` version (Richard Lau) [#62344](https://github.com/nodejs/node/pull/62344)
92+
* \[[`87521e99d1`](https://github.com/nodejs/node/commit/87521e99d1)] - **deps**: V8: backport 1361b2a49d02 (Joyee Cheung) [nodejs-private/node-private#828](https://github.com/nodejs-private/node-private/pull/828)
93+
* \[[`045013366f`](https://github.com/nodejs/node/commit/045013366f)] - **deps**: V8: backport 185f0fe09b72 (Joyee Cheung) [nodejs-private/node-private#828](https://github.com/nodejs-private/node-private/pull/828)
94+
* \[[`af22629ea8`](https://github.com/nodejs/node/commit/af22629ea8)] - **deps**: V8: backport 0a8b1cdcc8b2 (snek) [nodejs-private/node-private#828](https://github.com/nodejs-private/node-private/pull/828)
95+
* \[[`380ea72eef`](https://github.com/nodejs/node/commit/380ea72eef)] - **(CVE-2026-21710)** **http**: use null prototype for headersDistinct/trailersDistinct (Matteo Collina) [nodejs-private/node-private#821](https://github.com/nodejs-private/node-private/pull/821)
96+
* \[[`d6b6051e08`](https://github.com/nodejs/node/commit/d6b6051e08)] - **(CVE-2026-21716)** **permission**: include permission check on lib/fs/promises (RafaelGSS) [nodejs-private/node-private#795](https://github.com/nodejs-private/node-private/pull/795)
97+
* \[[`bfdecef9da`](https://github.com/nodejs/node/commit/bfdecef9da)] - **(CVE-2026-21715)** **permission**: add permission check to realpath.native (RafaelGSS) [nodejs-private/node-private#794](https://github.com/nodejs-private/node-private/pull/794)
98+
* \[[`c015edf313`](https://github.com/nodejs/node/commit/c015edf313)] - **(CVE-2026-21714)** **src**: handle NGHTTP2\_ERR\_FLOW\_CONTROL error code (RafaelGSS) [nodejs-private/node-private#832](https://github.com/nodejs-private/node-private/pull/832)
99+
* \[[`cba66c48a5`](https://github.com/nodejs/node/commit/cba66c48a5)] - **(CVE-2026-21712)** **src**: handle url crash on different url formats (RafaelGSS) [nodejs-private/node-private#816](https://github.com/nodejs-private/node-private/pull/816)
100+
* \[[`df8fbfb93d`](https://github.com/nodejs/node/commit/df8fbfb93d)] - **(CVE-2026-21637)** **tls**: wrap SNICallback invocation in try/catch (Matteo Collina) [nodejs-private/node-private#819](https://github.com/nodejs-private/node-private/pull/819)
101+
64102
<a id="24.14.0"></a>
65103

66104
## 2026-02-24, Version 24.14.0 'Krypton' (LTS), @ruyadorno prepared by @aduh95

src/node_version.h

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -29,7 +29,7 @@
2929
#define NODE_VERSION_IS_LTS 1
3030
#define NODE_VERSION_LTS_CODENAME "Krypton"
3131

32-
#define NODE_VERSION_IS_RELEASE 0
32+
#define NODE_VERSION_IS_RELEASE 1
3333

3434
#ifndef NODE_STRINGIFY
3535
#define NODE_STRINGIFY(n) NODE_STRINGIFY_HELPER(n)

0 commit comments

Comments
 (0)