Security News

Cybersecurity news aggregator

Node.js — Tuesday, January 13, 2026 Security Releases

  • What: Security updates are available for Node.js versions 25.x, 24.x, 22.x, and 20.x to address multiple vulnerabilities.
  • Impact: High severity issues include a timeout-based race condition that can expose uninitialized memory.
  • Affected: Node.js versions 20.x, 22.x, 24.x, 25.x.
  • Patch: Updates include dependency updates to c-ares (1.34.6) and undici (6.23.0, 7.18.0).
Security releases available

Updates are now available for the 25.x, 24.x, 22.x, and 20.x Node.js release lines to address:

  • 3 high severity issues.
  • 4 medium severity issues.
  • 1 low severity issue.

This security release includes the following dependency updates to address public vulnerabilities:

  • c-ares (1.34.6) on 20.x, 22.x, 24.x, 25.x
  • undici (6.23.0, 7.18.0) on 20.x, 22.x, 24.x, 25.x

Timeout-based race conditions make Uint8Array/Buffer.alloc non-zerofilled (CVE-2025-55131) - (High)

A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted while using the vm module with the timeout option. Under specific timing conditions, buffers allocated with Buffer.alloc and other TypedArray instances such as Uint8Array may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption. While exploitation typically requires precise timing or in-process code execution, it can become remotely exploitable when untrusted input influences workload and timeouts, leading to potential confidentiality and integrity impact.

Impact: This vulnerability affects all users in active release lines: 20.x, 22.x, 24.x, 25.x.

Thank you to Nikita Skovoroda for reporting and fixing this vulnerability.

Bypass File System Permissions using crafted symlinks (CVE-2025-55130) - (High)

A flaw in Node.js's Permissions model allows attackers to bypass --allow-fs-read and --allow-fs-write restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write, leading to potential system compromise.

Impact: This vulnerability affects users of the permission model on Node.js 20.x, 22.x, 24.x, and 25.x.

Thank you to natann for reporting this vulnerability and to RafaelGSS for fixing it.

A malformed HTTP/2 HEADERS frame with oversized, invalid HPACK data can cause Node.js to crash by triggering an unhandled TLSSocket error (ECONNRESET). Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets, for example:

    server.on('secureConnection', (socket) => {
      socket.on('error', (err) => {
        // handle or log the error here; an unhandled 'error' event terminates the process
      });
    });

Impact: This vulnerability affects all users in active release lines: 20.x, 22.x, 24.x, and 25.x.

Thank you to dantt for reporting this vulnerability and to RafaelGSS for fixing it.

Uncatchable "Maximum call stack size exceeded" error on Node.js via async_hooks leads to process crashes bypassing error handlers (CVE-2025-59466) - (Medium)

We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when async_hooks.createHook() is enabled. Instead of reaching process.on('uncaughtException'), the process terminates, making the crash unrecoverable. Applications that rely on AsyncLocalStorage (v22, v20) or async_hooks.createHook() (v24, v22, v20) become vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions.

This patch improves recoverability in one edge case, but it does not remove the broader risk. Recovery from stack space exhaustion is unspecified, best-effort behavior and is not a reliable basis for availability or security. In availability-critical paths where recursion depth may be influenced by untrusted input, prefer input validation and designs that bound or avoid recursion rather than depending on stack space exhaustion behavior or the lack of tail-call optimizations in the runtime/engine. See this blog post for details.

Impact: This vulnerability affects all users in active release lines: 20.x, 22.x, 24.x, and 25.x.

Thank you to Andrew MacPherson (AndrewMohawk) for identifying and aaron_vercel for reporting this vulnerability, and to mcollina for fixing it.

Memory leak that enables remote Denial of Service against applications processing TLS client certificates (CVE-2025-59464) - (Medium)

A memory leak in Node.js's OpenSSL integration occurs when converting X.509 certificate fields to UTF-8 without freeing the allocated buffer. When applications call socket.getPeerCertificate(true), each certificate field leaks memory, allowing remote clients to trigger steady memory growth through repeated TLS connections. Over time this can lead to resource exhaustion and denial of service.

Impact: This vulnerability was already fixed in Node.js 24.12.0. It has no impact on other active release lines. This public CVE is issued only for the affected 24.x releases.