Stay Secure: Node.js Releases Critical Security Updates for January 2026

It’s time to update your environments! The Node.js Project has just announced a vital set of security releases for all active release lines, including 20.x, 22.x, 24.x, and 25.x. As performance and security remain the bedrock of the Node.js ecosystem, these updates address a total of eight vulnerabilities, including three high-severity issues that every infrastructure lead and developer should have on their radar.

Whether you are managing large-scale enterprise microservices or high-performance APIs, ensuring your runtime is patched against these latest findings is imperative for maintaining data integrity and system availability. Let’s break down the major highlights of this release.

Critical Fix: Preventing Memory Leaks in Buffer Allocation

One of the most significant fixes in this cycle is CVE-2025-55131. This high-severity vulnerability involves a timeout-based race condition within Node.js’s buffer allocation logic. Essentially, when code runs under the vm module with a timeout, an interrupted allocation could leave Buffer.alloc or Uint8Array instances holding memory that was not zero-filled.

In a production environment, this is a serious risk. Uninitialized memory can contain sensitive leftover data from previous operations—such as tokens, passwords, or private keys—potentially leaking secrets in-process or even remotely if untrusted input influences the workload. This update ensures that memory sanitization remains robust, even under precise timing pressures.

Securing the Permission Model: Symlink Bypass

For those leveraging the Node.js Permission Model to sandbox their applications, CVE-2025-55130 is a must-patch. Security researchers discovered that the --allow-fs-read and --allow-fs-write restrictions could be bypassed using carefully crafted relative symlink paths. By chaining directories and symlinks, an attacker could escape the restricted path to access sensitive files on the host system. This release hardens the permission model to ensure that isolation guarantees remain absolute.

Hardening HTTP/2 Against Denial of Service

Stability is king in the world of web servers, and CVE-2025-59465 addresses a high-severity flaw that could lead to remote crashes. A malformed HTTP/2 HEADERS frame containing invalid HPACK data was found to trigger an unhandled ECONNRESET error in the TLSSocket. Instead of a graceful connection closure, the entire Node.js process could crash. This update provides the necessary error handling to keep your HTTP/2 servers resilient against malicious or malformed traffic.

Dependency Updates and Ecosystem Health

Beyond the core fixes, this release cycle includes essential updates to internal dependencies to keep the stack modern and secure:

  • c-ares (1.34.6): Updated for all active release lines to resolve public vulnerabilities.
  • undici (6.23.0, 7.18.0): Critical updates for the built-in fetch and HTTP client to ensure secure networking.

Don’t Wait—Upgrade Today

The Node.js community continues to demonstrate world-class vigilance in identifying and resolving these complex edge cases. We recommend all users move to the latest versions of their respective release lines immediately. If you are operating on versions past the Maintenance LTS phase, please explore the OpenJS Ecosystem Sustainability Program for continued commercial support.
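To act on that recommendation across a fleet, it helps to classify each host's runtime against the minimum patched version of its release line, and to flag lines that are no longer maintained. The following is an added example, not code from the Node.js Project; the minimum versions in EXAMPLE_MINIMUMS are constructed placeholders and must be replaced with the versions named in the official release announcement.

```javascript
// Added example (not from the Node.js announcement): audit Node.js versions
// against a per-release-line minimum. The values below are CONSTRUCTED
// PLACEHOLDERS, not the real patched versions; fill them from the release notes.
const EXAMPLE_MINIMUMS = {
  20: '20.99.0', // placeholder for the patched 20.x release
  22: '22.99.0', // placeholder for the patched 22.x release
  24: '24.99.0', // placeholder for the patched 24.x release
  25: '25.99.0', // placeholder for the patched 25.x release
};

// Parse "v22.11.0" or "22.11.0" into [major, minor, patch]; null if malformed.
function parseVersion(str) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(str).trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

// Compare two parsed versions component by component: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Classify one version string:
//   'patched'     - active line, at or above the minimum
//   'vulnerable'  - active line, below the minimum
//   'unsupported' - release line not in the table (e.g. past Maintenance LTS),
//                   so no security release exists for it
//   'invalid'     - string is not a version
function auditVersion(versionStr, minimums = EXAMPLE_MINIMUMS) {
  const v = parseVersion(versionStr);
  if (!v) return { version: versionStr, status: 'invalid' };
  const min = minimums[v[0]];
  if (!min) return { version: versionStr, line: v[0], status: 'unsupported' };
  const ok = compareVersions(v, parseVersion(min)) >= 0;
  return { version: versionStr, line: v[0], minimum: min, status: ok ? 'patched' : 'vulnerable' };
}

// Reduce an inventory (e.g. `node --version` collected per host) to the hosts
// that still need action, keeping the reason for each.
function findHostsNeedingAction(inventory, minimums = EXAMPLE_MINIMUMS) {
  return inventory
    .map(({ host, version }) => ({ host, ...auditVersion(version, minimums) }))
    .filter((r) => r.status !== 'patched');
}

// Constructed sample inventory for demonstration only.
const SAMPLE_INVENTORY = [
  { host: 'api-1', version: 'v22.5.0' },   // active line, below placeholder minimum
  { host: 'api-2', version: 'v24.99.1' },  // active line, at/above placeholder minimum
  { host: 'batch-1', version: 'v18.20.4' }, // line not in table: no patch available
];

console.table(findHostsNeedingAction(SAMPLE_INVENTORY));
console.log('this process:', auditVersion(process.version));
```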

A huge thank you to the researchers—Nikita Skovoroda, natann, RafaelGSS, and dantt—for their diligent reporting and fixes that keep the Node.js ecosystem safe for everyone!
