Node.js Releases Critical Security Updates to Address Multiple Vulnerabilities
On January 13, 2026, the Node.js project announced the release of critical security updates across all active versions, addressing seven vulnerabilities that could lead to memory leaks, denial-of-service (DoS) attacks, and permission bypasses. These updates are crucial for maintaining the security and stability of applications built on Node.js.
High-Severity Vulnerabilities
Three high-severity vulnerabilities have been identified and patched in this release:
1. CVE-2025-55131: Uninitialized Memory Exposure in Buffer Allocation
This vulnerability arises from a race condition in the `vm` module, leading to the exposure of uninitialized memory during buffer allocation. Attackers could exploit this flaw to leak sensitive information, such as tokens or passwords, from the memory. The issue affects Node.js versions 20.x, 22.x, 24.x, and 25.x.
2. CVE-2025-55130: Symlink Bypass of Filesystem Permissions
In this case, symlink attacks can circumvent filesystem permission flags like `--allow-fs-read`, enabling unauthorized access to arbitrary files. This vulnerability impacts Node.js versions 20.x, 22.x, 24.x, and 25.x.
3. CVE-2025-59465: HTTP/2 Server Crash via Malformed HEADERS Frames
A flaw in the handling of malformed HEADERS frames in HTTP/2 servers can trigger unhandled `TLSSocket` errors, leading to remote DoS attacks. This vulnerability affects Node.js versions 20.x, 22.x, 24.x, and 25.x.
Medium-Severity Vulnerabilities
Four medium-severity vulnerabilities have also been addressed:
1. CVE-2025-59466: Uncatchable Stack Overflow Errors via `async_hooks`
The `async_hooks` module can cause stack overflow errors that bypass error handlers, potentially leading to DoS conditions. This issue affects Node.js versions 20.x, 22.x, 24.x, and 25.x.
2. CVE-2025-59464: Memory Leak in TLS Client Certificate Processing
A memory leak occurs during the processing of TLS client certificates due to improper handling of UTF-8 conversions in OpenSSL. This vulnerability impacts Node.js versions 20.x, 22.x, 24.x, and 25.x.
3. CVE-2026-21636: Unix Domain Sockets Bypass Network Permissions
In the experimental permission model of Node.js version 25.x, Unix Domain Sockets can bypass network permissions, potentially allowing unauthorized network access.
4. CVE-2026-21637: TLS PSK/ALPN Callback Exceptions Leading to DoS or File Descriptor Leaks
Exceptions thrown in TLS PSK/ALPN callbacks can crash servers or cause file descriptor leaks, affecting all Node.js versions with PSK/ALPN enabled.
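Until the patched release is deployed, the application-side hardening is to make sure these callbacks never throw. The block below is an added example, not code from the advisory or from Node.js: `guardTlsCallback` wraps a PSK or ALPN callback so that an exception is logged and converted into the protocol's rejection value (`undefined` for `ALPNCallback`, meaning no protocol is selected; `null` for a server-side `pskCallback`, meaning the identity is rejected). The inner callbacks, the PSK table and its key are constructed for the demonstration; `ALPNCallback` and `pskCallback` are the real `tls.createServer()` option names.

```javascript
// Added example (not from the advisory or Node.js): wrap a TLS PSK/ALPN
// callback so an exception inside it becomes a clean rejection instead of
// propagating into the handshake.
// `reject` is the value returned when `inner` throws:
//   undefined for ALPNCallback (no protocol selected)
//   null      for a server-side pskCallback (identity rejected)
function guardTlsCallback(inner, reject, log = console.error) {
  let failures = 0;
  const guarded = function (...args) {
    try {
      return inner.apply(this, args);
    } catch (err) {
      failures += 1;
      log(`tls callback threw (${failures} so far): ${err && err.message}`);
      return reject;
    }
  };
  guarded.failures = () => failures; // for monitoring/alerting
  return guarded;
}

// Constructed ALPN chooser: prefers h2, throws on an unexpected argument shape.
function chooseProtocol({ servername, protocols }) {
  if (!Array.isArray(protocols)) throw new TypeError('protocols must be an array');
  return protocols.includes('h2') ? 'h2' : 'http/1.1';
}

// Constructed PSK lookup backed by an in-memory table; throws on a bad identity.
const PSK_TABLE = new Map([['client-a', Buffer.from('0102030405', 'hex')]]);
function lookupPsk(socket, identity) {
  if (typeof identity !== 'string') throw new TypeError('identity must be a string');
  return PSK_TABLE.get(identity) || null;
}

// Options as they would be passed to tls.createServer(); the guarded
// functions are drop-in replacements for the raw callbacks. Logging is
// silenced here so the demonstration stays quiet.
const serverOptions = {
  ALPNCallback: guardTlsCallback(chooseProtocol, undefined, () => {}),
  pskCallback: guardTlsCallback(lookupPsk, null, () => {}),
  ciphers: 'PSK',
};

console.log(serverOptions.ALPNCallback({ servername: 'example', protocols: ['h2', 'http/1.1'] }));
console.log(serverOptions.ALPNCallback({ servername: 'example', protocols: 'h2' }));
console.log(serverOptions.pskCallback(null, 'client-a'));
console.log(serverOptions.pskCallback(null, 42));
```

The `failures()` counter is the detection hook: a sudden rise in callback exceptions on a production listener is worth an alert, since under the unpatched runtime each one was a potential crash or leaked descriptor.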
Low-Severity Vulnerability
Additionally, a low-severity vulnerability has been patched:
– CVE-2025-55132: `fs.futimes()` Modifies Timestamps Without Write Permissions
The `fs.futimes()` function can alter file timestamps without requiring write permissions, undermining read-only isolation in permission models. This issue affects Node.js versions 20.x through 25.x.
Recommendations for Node.js Users
To mitigate these vulnerabilities, users are strongly encouraged to upgrade to the latest patched versions:
– Node.js 20.20.0
– Node.js 22.22.0
– Node.js 24.13.0
– Node.js 25.3.0
These updates are available through standard distribution channels. The Node.js team emphasizes the importance of prompt upgrades, especially for production environments utilizing HTTP/2 servers and permission-enabled configurations.
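A quick way to confirm that a given runtime is on or above the patched release for its line is to compare its version against the four releases listed above. The script below is an added example, not part of the advisory: it parses a Node.js version string, looks up the minimum patched version for that major line, and reports `patched`, `vulnerable`, or `unknown-line` for majors the advisory does not list (such as end-of-life lines). When run directly it assesses the current process.

```javascript
// Added example (not from the advisory): compare a Node.js version against
// the minimum patched release for its major line.
const PATCHED = {
  20: '20.20.0',
  22: '22.22.0',
  24: '24.13.0',
  25: '25.3.0',
};

// Parse "v22.21.1" or "22.21.1" into [major, minor, patch] integers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new TypeError(`unrecognised version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison, component by component: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Returns { major, minimum, status } where status is 'patched',
// 'vulnerable', or 'unknown-line' for a major the advisory does not cover.
function assessVersion(version) {
  const [major] = parseVersion(version);
  const minimum = PATCHED[major];
  if (!minimum) return { major, minimum: null, status: 'unknown-line' };
  const ok = compareVersions(version, minimum) >= 0;
  return { major, minimum, status: ok ? 'patched' : 'vulnerable' };
}

// Assess the running process when executed as a script.
if (typeof require !== 'undefined' && require.main === module) {
  const r = assessVersion(process.version);
  const extra = r.minimum ? ` (minimum patched release ${r.minimum})` : '';
  console.log(`Node.js ${process.version}: ${r.status}${extra}`);
}
```

An `unknown-line` result is not a clean bill of health: it means the line is not one of the four the advisory patches, which for an end-of-life major is a reason to migrate rather than to relax.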
The Node.js project acknowledges the contributions of multiple researchers in identifying and reporting these vulnerabilities, highlighting the collaborative effort to enhance the security of the Node.js ecosystem.