This is a security release.
Notable changes
The following CVEs are fixed in this release:
- CVE-2022-32212: DNS rebinding in --inspect on macOS (High)
- CVE-2022-32213: bypass via obs-fold mechanic (Medium)
- CVE-2022-35255: Weak randomness in WebCrypto keygen
- CVE-2022-35256: HTTP Request Smuggling - Incorrect Parsing of Header Fields (Medium)
More detailed information on each of the vulnerabilities can be found in September 22nd 2022 Security Releases blog post.
Commits
- [
a54283a638] - crypto: fix weak randomness in WebCrypto keygen (Ben Noordhuis) nodejs-private/node-private#346 - [
0713e21240] - http: disable chunked encoding when using OBS fold is used (Paolo Insogna) nodejs-private/node-private#341 - [
77fe2f32e4] - src: fix IPv4 non routable validation (RafaelGSS) nodejs-private/node-private#337