nodejs/node v22.13.1

2025-01-21, Version 22.13.1 'Jod' (LTS), @RafaelGSS

on GitHub

This is a security release.

Notable Changes

• CVE-2025-23083 - src,loader,permission: throw on InternalWorker use when permission model is enabled (High)
• CVE-2025-23085 - src: fix HTTP2 mem leak on premature close and ERR_PROTO (Medium)
• CVE-2025-23084 - path: fix path traversal in normalize() on Windows (Medium)

Dependency update:

• CVE-2025-22150 - Use of Insufficiently Random Values in undici fetch() (Medium)

Commits

• [520da342e0] - (CVE-2025-22150) deps: update undici to v6.21.1 (Matteo Collina) nodejs-private/node-private#662
• [99f217369f] - (CVE-2025-23084) path: fix path traversal in normalize() on Windows (Tobias Nießen) nodejs-private/node-private#555
• [984f735e35] - (CVE-2025-23085) src: fix HTTP2 mem leak on premature close and ERR_PROTO (RafaelGSS) nodejs-private/node-private#650
• [2446870618] - (CVE-2025-23083) src,loader,permission: throw on InternalWorker use (RafaelGSS) nodejs-private/node-private#651