This is a security release.
Notable Changes
lib:
- (CVE-2025-55132) disable futimes when permission model is enabled (RafaelGSS) https://github.com/nodejs-private/node-private/pull/802
- (CVE-2025-59465) add TLSSocket default error handler (RafaelGSS) https://github.com/nodejs-private/node-private/pull/797
lib,permission: - (CVE-2025-55130) require full read and write to symlink APIs (RafaelGSS) https://github.com/nodejs-private/node-private/pull/760
src: - (CVE-2025-59466) rethrow stack overflow exceptions in async_hooks (Matteo Collina) https://github.com/nodejs-private/node-private/pull/773
src,lib: - (CVE-2025-55131) refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) https://github.com/nodejs-private/node-private/pull/759
tls: - (CVE-2026-21637) route callback exceptions through error handlers (Matteo Collina) https://github.com/nodejs-private/node-private/pull/796
Commits
- [
8f9ba3f623] - deps: update c-ares to v1.34.6 (Node.js GitHub Bot) #60997 - [
97fc9b0eb7] - deps: update undici to 6.23.0 (Matteo Collina) nodejs-private/node-private#792 - [
14fbbb510c] - (CVE-2025-55132) lib: disable futimes when permission model is enabled (RafaelGSS) nodejs-private/node-private#802 - [
1febc48d5b] - (CVE-2025-59465) lib: add TLSSocket default error handler (RafaelGSS) nodejs-private/node-private#797 - [
494f62dc23] - (CVE-2025-55130) lib,permission: require full read and write to symlink APIs (RafaelGSS) nodejs-private/node-private#760 - [
d7a5c587c0] - (CVE-2025-59466) src: rethrow stack overflow exceptions in async_hooks (Matteo Collina) nodejs-private/node-private#773 - [
51f4de4b4a] - (CVE-2025-55131) src,lib: refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) nodejs-private/node-private#759 - [
85f73e7057] - (CVE-2026-21637) tls: route callback exceptions through error handlers (Matteo Collina) nodejs-private/node-private#796