This is a security release.
Notable Changes
lib:
- (CVE-2025-59465) add TLSSocket default error handler
- (CVE-2025-55132) disable futimes when permission model is enabled
lib,permission: - (CVE-2025-55130) require full read and write to symlink APIs
src: - (CVE-2025-59466) rethrow stack overflow exceptions in async_hooks
src,lib: - (CVE-2025-55131) refactor unsafe buffer creation to remove zero-fill toggle
tls: - (CVE-2026-21637) route callback exceptions through error handlers
Commits
- [
6badf4e6f4] - deps: update c-ares to v1.34.6 (Node.js GitHub Bot) #60997 - [
37509c3ff0] - deps: update undici to 6.23.0 (Matteo Collina) nodejs-private/node-private#791 - [
eb8e41f8db] - (CVE-2025-59465) lib: add TLSSocket default error handler (RafaelGSS) nodejs-private/node-private#797 - [
ebbf942a83] - (CVE-2025-55132) lib: disable futimes when permission model is enabled (RafaelGSS) nodejs-private/node-private#748 - [
6b4849583a] - (CVE-2025-55130) lib,permission: require full read and write to symlink APIs (RafaelGSS) nodejs-private/node-private#760 - [
ddadc31f09] - (CVE-2025-59466) src: rethrow stack overflow exceptions in async_hooks (Matteo Collina) nodejs-private/node-private#773 - [
d4d9f3915f] - (CVE-2025-55131) src,lib: refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) nodejs-private/node-private#759 - [
25d6799df6] - (CVE-2026-21637) tls: route callback exceptions through error handlers (Matteo Collina) nodejs-private/node-private#796