Node.js issued important security updates across its active release lines on January 13, 2026, patching vulnerabilities that could lead to memory leaks, denial-of-service attacks, and permission bypasses.
These releases address three high-severity flaws, among others, and users of affected systems are urged to upgrade promptly.
High Severity Vulnerabilities
High-severity issues dominate this release. CVE-2025-55131 exposes uninitialized memory in Buffer.alloc and Uint8Array due to timeout races in the vm module, potentially leaking secrets such as tokens.
CVE-2025-55130 allows symlink attacks to evade filesystem permission flags such as --allow-fs-read, enabling arbitrary file access. CVE-2025-59465 crashes HTTP/2 servers via malformed HEADERS frames, triggering unhandled TLSSocket errors for remote DoS.

| CVE ID | Severity | Description Summary | Affected Versions | Reporter / Fixer |
|---|---|---|---|---|
| CVE-2025-55131 | High | Buffer alloc race exposes prior data | 20.x, 22.x, 24.x, 25.x | Nikita Skovoroda / RafaelGSS |
| CVE-2025-55130 | High | Symlink bypasses FS permissions | 20.x, 22.x, 24.x, 25.x | natann / RafaelGSS |
| CVE-2025-59465 | High | HTTP/2 malformed body causes server crash | 20.x, 22.x, 24.x, 25.x | dantt / RafaelGSS |
Medium Severity Issues
Four medium-severity vulnerabilities include CVE-2025-59466, where async_hooks make stack overflow errors uncatchable, bypassing handlers and enabling DoS. CVE-2025-59464 leaks memory in TLS client certificate processing via OpenSSL UTF-8 conversions.
CVE-2026-21636 bypasses network permissions via Unix Domain Sockets in the experimental model on v25. CVE-2026-21637 lets TLS PSK/ALPN callbacks throw exceptions that crash servers or leak file descriptors.

| CVE ID | Severity | Description Summary | Affected Versions | Reporter / Fixer |
|---|---|---|---|---|
| CVE-2025-59466 | Medium | Uncatchable stack errors via async_hooks | 20.x, 22.x, 24.x, 25.x | AndrewMacPherson / mcollina |
| CVE-2025-59464 | Medium | TLS cert memory leak | 20.x, 22.x, 24.x | giant_anteater / RafaelGSS |
| CVE-2026-21636 | Medium | UDS bypasses net permissions | 25.x | mufeedvh / RafaelGSS |
| CVE-2026-21637 | Medium | TLS callback exceptions cause DoS / FD leak | All with PSK/ALPN | 0xmaxhax / mcollina |
Low Severity Fix
CVE-2025-55132 allows fs.futimes() to modify timestamps without write permissions, undermining read-only isolation in the permission model from v20 to v25.
Dependency updates include c-ares 1.34.6 and undici (6.23.0 or 7.18.0) to address publicly known vulnerabilities. The new versions are Node.js 20.20.0, 22.22.0, 24.13.0, and 25.3.0, available through the standard channels.
Node.js urges users to prioritize upgrades, especially for production HTTP/2 servers and permission-enabled environments, as end-of-life branches remain exposed.
The Node.js team credits several researchers for the disclosures, emphasizing community collaboration in securing the ecosystem. Several postponements ensured thorough testing before today's rollout.
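One way to turn the fixed versions listed above into an inventory check, as an added example that is not part of the original article: it classifies a Node.js version string against the fixed release of its line. The fixed versions come from the article; the helper names (FIXED_VERSIONS, assessNodeVersion) are my own.

```javascript
// Added example, not from the Node.js advisory. Fixed versions are taken
// from the January 13, 2026 release announcement; any major line not in
// this table (for example 18.x, 21.x or 23.x) has no fix listed, so it is
// reported separately rather than treated as safe.
const FIXED_VERSIONS = {
  20: '20.20.0',
  22: '22.22.0',
  24: '24.13.0',
  25: '25.3.0',
};

// Parse "v24.12.1" or "24.12.1" into [major, minor, patch]; null if malformed.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

// Numeric, component-wise comparison (string comparison would rank 24.9.0 above 24.13.0).
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns { line, status, fixed } where status is one of
// 'patched', 'vulnerable', 'no-fix-for-line' or 'invalid'.
function assessNodeVersion(version) {
  const parsed = parseVersion(version);
  if (!parsed) return { line: null, status: 'invalid', fixed: null };
  const fixed = FIXED_VERSIONS[parsed[0]];
  if (!fixed) return { line: parsed[0], status: 'no-fix-for-line', fixed: null };
  const status =
    compareVersions(parsed, parseVersion(fixed)) >= 0 ? 'patched' : 'vulnerable';
  return { line: parsed[0], status, fixed };
}

// When run under Node.js, report on the runtime executing this file.
if (typeof process !== 'undefined' && process.version) {
  console.log(assessNodeVersion(process.version));
}
```

Feed it the output of `node --version` from each host to find runtimes still below the fixed release, or on a line that received no fix.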
