From 4443a11bef5688f0696adec08daf842a7069c5d1 Mon Sep 17 00:00:00 2001 From: Marco Ippolito Date: Wed, 7 Jan 2026 17:31:59 +0100 Subject: [PATCH 1/4] 2026-01-13, Version 20.20.0 'Iron' (LTS) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This is a security release. Notable changes: lib: * (CVE-2025-55132) disable futimes when permission model is enabled (RafaelGSS) https://github.com/nodejs-private/node-private/pull/802 * (CVE-2025-59465) add TLSSocket default error handler (RafaelGSS) https://github.com/nodejs-private/node-private/pull/797 lib,permission: * (CVE-2025-55130) require full read and write to symlink APIs (RafaelGSS) https://github.com/nodejs-private/node-private/pull/760 src: * (CVE-2025-59466) rethrow stack overflow exceptions in async_hooks (Matteo Collina) https://github.com/nodejs-private/node-private/pull/773 src,lib: * (CVE-2025-55131) refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) https://github.com/nodejs-private/node-private/pull/799 tls: * (CVE-2026-21637) route callback exceptions through error handlers (Matteo Collina) https://github.com/nodejs-private/node-private/pull/796 PR-URL: https://github.com/nodejs-private/node-private/pull/804 --- CHANGELOG.md | 3 ++- doc/changelogs/CHANGELOG_V20.md | 33 +++++++++++++++++++++++++++++++++ 2 files changed, 35 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e6893768878854..1fa8105e74cd81 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -96,7 +96,8 @@ release. 22.0.0
-20.19.6
+20.20.0
+20.19.6
20.19.5
20.19.4
20.19.3
diff --git a/doc/changelogs/CHANGELOG_V20.md b/doc/changelogs/CHANGELOG_V20.md index f3fffe9320c717..c25c70b830c072 100644 --- a/doc/changelogs/CHANGELOG_V20.md +++ b/doc/changelogs/CHANGELOG_V20.md @@ -9,6 +9,7 @@ +20.20.0
20.19.6
20.19.5
20.19.4
@@ -80,6 +81,38 @@ * [io.js](CHANGELOG_IOJS.md) * [Archive](CHANGELOG_ARCHIVE.md) + + +## 2026-01-13, Version 20.20.0 'Iron' (LTS), @marco-ippolito + +This is a security release. + +### Notable Changes + +lib: + +* (CVE-2025-55132) disable futimes when permission model is enabled (RafaelGSS) +* (CVE-2025-59465) add TLSSocket default error handler (RafaelGSS) + lib,permission: +* (CVE-2025-55130) require full read and write to symlink APIs (RafaelGSS) + src: +* (CVE-2025-59466) rethrow stack overflow exceptions in async\_hooks (Matteo Collina) + src,lib: +* (CVE-2025-55131) refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) + tls: +* (CVE-2026-21637) route callback exceptions through error handlers (Matteo Collina) + +### Commits + +* \[[`8f9ba3f623`](https://github.com/nodejs/node/commit/8f9ba3f623)] - **deps**: update c-ares to v1.34.6 (Node.js GitHub Bot) [#60997](https://github.com/nodejs/node/pull/60997) +* \[[`97fc9b0eb7`](https://github.com/nodejs/node/commit/97fc9b0eb7)] - **deps**: update undici to 6.23.0 (Matteo Collina) [nodejs-private/node-private#792](https://github.com/nodejs-private/node-private/pull/792) +* \[[`14fbbb510c`](https://github.com/nodejs/node/commit/14fbbb510c)] - **(CVE-2025-55132)** **lib**: disable futimes when permission model is enabled (RafaelGSS) [nodejs-private/node-private#802](https://github.com/nodejs-private/node-private/pull/802) +* \[[`1febc48d5b`](https://github.com/nodejs/node/commit/1febc48d5b)] - **(CVE-2025-59465)** **lib**: add TLSSocket default error handler (RafaelGSS) [nodejs-private/node-private#797](https://github.com/nodejs-private/node-private/pull/797) +* \[[`494f62dc23`](https://github.com/nodejs/node/commit/494f62dc23)] - **(CVE-2025-55130)** **lib,permission**: require full read and write to symlink APIs (RafaelGSS) [nodejs-private/node-private#760](https://github.com/nodejs-private/node-private/pull/760) +* 
\[[`d7a5c587c0`](https://github.com/nodejs/node/commit/d7a5c587c0)] - **(CVE-2025-59466)** **src**: rethrow stack overflow exceptions in async\_hooks (Matteo Collina) [nodejs-private/node-private#773](https://github.com/nodejs-private/node-private/pull/773) +* \[[`51f4de4b4a`](https://github.com/nodejs/node/commit/51f4de4b4a)] - **(CVE-2025-55131)** **src,lib**: refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) [nodejs-private/node-private#759](https://github.com/nodejs-private/node-private/pull/759) +* \[[`85f73e7057`](https://github.com/nodejs/node/commit/85f73e7057)] - **(CVE-2026-21637)** **tls**: route callback exceptions through error handlers (Matteo Collina) [nodejs-private/node-private#796](https://github.com/nodejs-private/node-private/pull/796) + ## 2025-11-25, Version 20.19.6 'Iron' (LTS), @marco-ippolito From 1f49cd1d86977deca14aae108d8a98e470019baa Mon Sep 17 00:00:00 2001 From: Marco Ippolito Date: Wed, 7 Jan 2026 16:40:53 +0100 Subject: [PATCH 2/4] 2026-01-13, Version 22.22.0 'Jod' (LTS) This is a security release. Notable changes: lib: * (CVE-2025-59465) add TLSSocket default error handler * (CVE-2025-55132) disable futimes when permission model is enabled lib,permission: * (CVE-2025-55130) require full read and write to symlink APIs src: * (CVE-2025-59466) rethrow stack overflow exceptions in async_hooks src,lib: * (CVE-2025-55131) refactor unsafe buffer creation to remove zero-fill toggle tls: * (CVE-2026-21637) route callback exceptions through error handlers PR-URL: https://github.com/nodejs-private/node-private/pull/801 --- CHANGELOG.md | 3 ++- doc/changelogs/CHANGELOG_V22.md | 33 +++++++++++++++++++++++++++++++++ 2 files changed, 35 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1fa8105e74cd81..a062afdc7fd542 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -66,7 +66,8 @@ release. 24.0.0
-22.21.1
+22.22.0
+22.21.1
22.21.0
22.20.0
22.19.0
diff --git a/doc/changelogs/CHANGELOG_V22.md b/doc/changelogs/CHANGELOG_V22.md index 067a33a66bd597..042ed5e8daffa5 100644 --- a/doc/changelogs/CHANGELOG_V22.md +++ b/doc/changelogs/CHANGELOG_V22.md @@ -9,6 +9,7 @@ +22.22.0
22.21.1
22.21.0
22.20.0
@@ -70,6 +71,38 @@ * [io.js](CHANGELOG_IOJS.md) * [Archive](CHANGELOG_ARCHIVE.md) + + +## 2026-01-13, Version 22.22.0 'Jod' (LTS), @marco-ippolito + +This is a security release. + +### Notable Changes + +lib: + +* (CVE-2025-59465) add TLSSocket default error handler +* (CVE-2025-55132) disable futimes when permission model is enabled + lib,permission: +* (CVE-2025-55130) require full read and write to symlink APIs + src: +* (CVE-2025-59466) rethrow stack overflow exceptions in async\_hooks + src,lib: +* (CVE-2025-55131) refactor unsafe buffer creation to remove zero-fill toggle + tls: +* (CVE-2026-21637) route callback exceptions through error handlers + +### Commits + +* \[[`6badf4e6f4`](https://github.com/nodejs/node/commit/6badf4e6f4)] - **deps**: update c-ares to v1.34.6 (Node.js GitHub Bot) [#60997](https://github.com/nodejs/node/pull/60997) +* \[[`37509c3ff0`](https://github.com/nodejs/node/commit/37509c3ff0)] - **deps**: update undici to 6.23.0 (Matteo Collina) [nodejs-private/node-private#791](https://github.com/nodejs-private/node-private/pull/791) +* \[[`eb8e41f8db`](https://github.com/nodejs/node/commit/eb8e41f8db)] - **(CVE-2025-59465)** **lib**: add TLSSocket default error handler (RafaelGSS) [nodejs-private/node-private#797](https://github.com/nodejs-private/node-private/pull/797) +* \[[`ebbf942a83`](https://github.com/nodejs/node/commit/ebbf942a83)] - **(CVE-2025-55132)** **lib**: disable futimes when permission model is enabled (RafaelGSS) [nodejs-private/node-private#748](https://github.com/nodejs-private/node-private/pull/748) +* \[[`6b4849583a`](https://github.com/nodejs/node/commit/6b4849583a)] - **(CVE-2025-55130)** **lib,permission**: require full read and write to symlink APIs (RafaelGSS) [nodejs-private/node-private#760](https://github.com/nodejs-private/node-private/pull/760) +* \[[`ddadc31f09`](https://github.com/nodejs/node/commit/ddadc31f09)] - **(CVE-2025-59466)** **src**: rethrow stack overflow exceptions in async\_hooks (Matteo 
Collina) [nodejs-private/node-private#773](https://github.com/nodejs-private/node-private/pull/773) +* \[[`d4d9f3915f`](https://github.com/nodejs/node/commit/d4d9f3915f)] - **(CVE-2025-55131)** **src,lib**: refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) [nodejs-private/node-private#759](https://github.com/nodejs-private/node-private/pull/759) +* \[[`25d6799df6`](https://github.com/nodejs/node/commit/25d6799df6)] - **(CVE-2026-21637)** **tls**: route callback exceptions through error handlers (Matteo Collina) [nodejs-private/node-private#796](https://github.com/nodejs-private/node-private/pull/796) + ## 2025-10-28, Version 22.21.1 'Jod' (LTS), @aduh95 From 64022d9fccc9624813a311444e87f2b2985acb22 Mon Sep 17 00:00:00 2001 From: Marco Ippolito Date: Wed, 7 Jan 2026 09:01:45 +0100 Subject: [PATCH 3/4] 2026-01-13, Version 24.13.0 'Krypton' (LTS) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This is a security release. Notable changes: lib: * (CVE-2025-59465) add TLSSocket default error handler (RafaelGSS) * (CVE-2025-55132) disable futimes when permission model is enabled (RafaelGSS) lib,permission: * (CVE-2025-55130) require full read and write to symlink APIs (RafaelGSS) src: * (CVE-2025-59466) rethrow stack overflow exceptions in async\_hooks (Matteo Collina) src,lib: * (CVE-2025-55131) refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) tls: * (CVE-2026-21637) route callback exceptions through error handlers (Matteo Collina) PR-URL: https://github.com/nodejs-private/node-private/pull/800 --- CHANGELOG.md | 3 ++- doc/changelogs/CHANGELOG_V24.md | 33 +++++++++++++++++++++++++++++++++ 2 files changed, 35 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a062afdc7fd542..14fe59cdf061df 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -47,7 +47,8 @@ release. 25.0.0
-24.12.0
+24.13.0
+24.12.0
24.11.1
24.11.0
24.10.0
diff --git a/doc/changelogs/CHANGELOG_V24.md b/doc/changelogs/CHANGELOG_V24.md index 7c15291f9364d8..bd0dd62352d0b3 100644 --- a/doc/changelogs/CHANGELOG_V24.md +++ b/doc/changelogs/CHANGELOG_V24.md @@ -9,6 +9,7 @@ +24.13.0
24.12.0
24.11.1
24.11.0
@@ -59,6 +60,38 @@ * [io.js](CHANGELOG_IOJS.md) * [Archive](CHANGELOG_ARCHIVE.md) + + +## 2026-01-13, Version 24.13.0 'Krypton' (LTS), @marco-ippolito + +This is a security release. + +### Notable Changes + +lib: + +* (CVE-2025-59465) add TLSSocket default error handler (RafaelGSS) +* (CVE-2025-55132) disable futimes when permission model is enabled (RafaelGSS) + lib,permission: +* (CVE-2025-55130) require full read and write to symlink APIs (RafaelGSS) + src: +* (CVE-2025-59466) rethrow stack overflow exceptions in async\_hooks (Matteo Collina) + src,lib: +* (CVE-2025-55131) refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) + tls: +* (CVE-2026-21637) route callback exceptions through error handlers (Matteo Collina) + +### Commits + +* \[[`2092785d01`](https://github.com/nodejs/node/commit/2092785d01)] - **deps**: update c-ares to v1.34.6 (Node.js GitHub Bot) [#60997](https://github.com/nodejs/node/pull/60997) +* \[[`3e58b7f2af`](https://github.com/nodejs/node/commit/3e58b7f2af)] - **deps**: update undici to 7.18.2 (Node.js GitHub Bot) [#61283](https://github.com/nodejs/node/pull/61283) +* \[[`4ba536a5a6`](https://github.com/nodejs/node/commit/4ba536a5a6)] - **(CVE-2025-59465)** **lib**: add TLSSocket default error handler (RafaelGSS) [nodejs-private/node-private#797](https://github.com/nodejs-private/node-private/pull/797) +* \[[`89adaa21fd`](https://github.com/nodejs/node/commit/89adaa21fd)] - **(CVE-2025-55132)** **lib**: disable futimes when permission model is enabled (RafaelGSS) [nodejs-private/node-private#748](https://github.com/nodejs-private/node-private/pull/748) +* \[[`7302b4dae1`](https://github.com/nodejs/node/commit/7302b4dae1)] - **(CVE-2025-55130)** **lib,permission**: require full read and write to symlink APIs (RafaelGSS) [nodejs-private/node-private#760](https://github.com/nodejs-private/node-private/pull/760) +* \[[`ac030753c4`](https://github.com/nodejs/node/commit/ac030753c4)] - **(CVE-2025-59466)** 
**src**: rethrow stack overflow exceptions in async\_hooks (Matteo Collina) [nodejs-private/node-private#773](https://github.com/nodejs-private/node-private/pull/773) +* \[[`20075692fe`](https://github.com/nodejs/node/commit/20075692fe)] - **(CVE-2025-55131)** **src,lib**: refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) [nodejs-private/node-private#759](https://github.com/nodejs-private/node-private/pull/759) +* \[[`20591b0618`](https://github.com/nodejs/node/commit/20591b0618)] - **(CVE-2026-21637)** **tls**: route callback exceptions through error handlers (Matteo Collina) [nodejs-private/node-private#796](https://github.com/nodejs-private/node-private/pull/796) + ## 2025-12-10, Version 24.12.0 'Krypton' (LTS), @targos From 6ea77ad552f9f9d8a61c44a82f158213c94b5daf Mon Sep 17 00:00:00 2001 
From: RafaelGSS Date: Mon, 5 Jan 2026 15:07:21 -0300 Subject: [PATCH 4/4] 2026-01-13, Version 25.3.0 (Current) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This is a security release. Notable changes: lib: * (CVE-2025-59465) add TLSSocket default error handler (RafaelGSS) https://github.com/nodejs-private/node-private/pull/750 permission: * (CVE-2026-21636) add network check on pipe_wrap connect (RafaelGSS) https://github.com/nodejs-private/node-private/pull/784 * (CVE-2025-55130) require full read and write to symlink APIs (RafaelGSS) https://github.com/nodejs-private/node-private/pull/760 * (CVE-2025-55132) disable futimes when permission model is enabled (RafaelGSS) https://github.com/nodejs-private/node-private/pull/748 src: * (CVE-2025-59466) rethrow stack overflow exceptions in async_hooks (Matteo Collina) https://github.com/nodejs-private/node-private/pull/773 src,lib: * (CVE-2025-55131) refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) https://github.com/nodejs-private/node-private/pull/759 tls: * (CVE-2026-21637) route callback exceptions through error handlers (Matteo Collina) https://github.com/nodejs-private/node-private/pull/790 PR-URL: https://github.com/nodejs-private/node-private/pull/793 --- CHANGELOG.md | 3 ++- doc/changelogs/CHANGELOG_V25.md | 35 +++++++++++++++++++++++++++++++++ 2 files changed, 37 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 14fe59cdf061df..1ebe92402071f7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -41,7 +41,8 @@ release. -25.2.1
+25.3.0
+25.2.1
25.2.0
25.1.0
25.0.0
diff --git a/doc/changelogs/CHANGELOG_V25.md b/doc/changelogs/CHANGELOG_V25.md index 7c235f3f7afdd1..53c4393f434dd8 100644 --- a/doc/changelogs/CHANGELOG_V25.md +++ b/doc/changelogs/CHANGELOG_V25.md @@ -8,6 +8,7 @@ +25.3.0
25.2.1
25.2.0
25.1.0
@@ -43,6 +44,40 @@ * [io.js](CHANGELOG_IOJS.md) * [Archive](CHANGELOG_ARCHIVE.md) + + +## 2026-01-13, Version 25.3.0 (Current), @RafaelGSS + +This is a security release. + +### Notable Changes + +lib: + +* (CVE-2025-59465) add TLSSocket default error handler (RafaelGSS) + permission: +* (CVE-2026-21636) add network check on pipe\_wrap connect (RafaelGSS) +* (CVE-2025-55130) require full read and write to symlink APIs (RafaelGSS) +* (CVE-2025-55132) disable futimes when permission model is enabled (RafaelGSS) + src: +* (CVE-2025-59466) rethrow stack overflow exceptions in async\_hooks (Matteo Collina) + src,lib: +* (CVE-2025-55131) refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) + tls: +* (CVE-2026-21637) route callback exceptions through error handlers (Matteo Collina) + +### Commits + +* \[[`a6a74b89a7`](https://github.com/nodejs/node/commit/a6a74b89a7)] - **deps**: update c-ares to v1.34.6 (Node.js GitHub Bot) [#60997](https://github.com/nodejs/node/pull/60997) +* \[[`5100614e26`](https://github.com/nodejs/node/commit/5100614e26)] - **deps**: update undici to 7.18.2 (Node.js GitHub Bot) [#61283](https://github.com/nodejs/node/pull/61283) +* \[[`f0a8916887`](https://github.com/nodejs/node/commit/f0a8916887)] - **(CVE-2025-59465)** **lib**: add TLSSocket default error handler (RafaelGSS) [nodejs-private/node-private#750](https://github.com/nodejs-private/node-private/pull/750) +* \[[`b4b887c5f7`](https://github.com/nodejs/node/commit/b4b887c5f7)] - **(CVE-2025-55132)** **lib**: disable futimes when permission model is enabled (RafaelGSS) [nodejs-private/node-private#748](https://github.com/nodejs-private/node-private/pull/748) +* \[[`26be208039`](https://github.com/nodejs/node/commit/26be208039)] - **(CVE-2025-55130)** **lib,permission**: require full read and write to symlink APIs (RafaelGSS) [nodejs-private/node-private#760](https://github.com/nodejs-private/node-private/pull/760) +* 
\[[`bdf5873d44`](https://github.com/nodejs/node/commit/bdf5873d44)] - **(CVE-2026-21636)** **permission**: add network check on pipe\_wrap connect (RafaelGSS) [nodejs-private/node-private#784](https://github.com/nodejs-private/node-private/pull/784) +* \[[`0578e3e921`](https://github.com/nodejs/node/commit/0578e3e921)] - **(CVE-2025-59466)** **src**: rethrow stack overflow exceptions in async\_hooks (Matteo Collina) [nodejs-private/node-private#773](https://github.com/nodejs-private/node-private/pull/773) +* \[[`4d6b55a6d1`](https://github.com/nodejs/node/commit/4d6b55a6d1)] - **(CVE-2025-55131)** **src,lib**: refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) [nodejs-private/node-private#759](https://github.com/nodejs-private/node-private/pull/759) +* \[[`c357a39e14`](https://github.com/nodejs/node/commit/c357a39e14)] - **(CVE-2026-21637)** **tls**: route callback exceptions through error handlers (Matteo Collina) [nodejs-private/node-private#790](https://github.com/nodejs-private/node-private/pull/790) + ## 2025-11-17, Version 25.2.1 (Current), @aduh95
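Review bot: In PATCH 1/4 the PR reference for CVE-2025-55131 disagrees between the commit message and the CHANGELOG_V20.md hunk. The message cites nodejs-private/node-private/pull/799, while the added Commits entry for `51f4de4b4a` links nodejs-private/node-private#759. Confirm which PR landed on v20.x and use it in both places. The V22, V24 and V25 entries all link #759 for this fix, so 799 is the outlier among the visible references.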
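Review bot: In the Notable Changes block of all four CHANGELOG_V*.md hunks, the subsystem labels after the first one are indented and sit directly under a bullet with no blank line (for example `+ lib,permission:` right after the TLSSocket or futimes item, and likewise `src:`, `src,lib:`, `tls:` and `permission:`). Markdown will treat each as a lazy continuation of the preceding list item, so the label is folded into the previous bullet instead of introducing the next group. Only the first `+lib:` label is unindented and followed by a blank `+` line. Suggest giving every label the same shape: unindented, with a blank line before and after.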
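Review bot: In PATCH 2/4 the Notable Changes added to CHANGELOG_V22.md drop the contributor attribution that the V20, V24 and V25 hunks carry on every item (for example `(RafaelGSS)`, `(Matteo Collina)`), and the commit message also omits the per-CVE PR URLs present in PATCH 1/4 and PATCH 4/4. The Commits list in the same hunk does include authors, so the information is available. Suggest adding the names to the six Notable Changes bullets so the four release notes read the same and each CVE can be traced to its author from the summary.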
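Review bot: In PATCH 4/4 the CHANGELOG_V25.md Notable Changes list CVE-2025-55130 and CVE-2025-55132 under `permission:`, but the Commits entries in the same hunk tag them **lib,permission** (`26be208039`) and **lib** (`b4b887c5f7`), and the other three release lines group them under `lib,permission:` and `lib:`. Only CVE-2026-21636 (`bdf5873d44`) carries the **permission** subsystem in its commit entry. Suggest grouping the Notable Changes by the subsystem prefix of each commit so that readers comparing the 25.3.0 notes with the LTS notes see the same fix under the same heading.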