
Node.js Security Updates Released for v25, v24, v22, and v20

Node.js released security updates on January 13, 2026, addressing multiple vulnerabilities across four active release lines, including permission bypass issues and HTTP/2 denial-of-service flaws.


TechDrop Editorial


Node.js released security updates on January 13, 2026, patching vulnerabilities across the 20.x, 22.x, 24.x and 25.x release lines. The issues include file-descriptor leaks, remotely triggerable denial of service, and bypasses of the permission model. All four active release lines received fixes in the same release, which makes this an unusually broad security update for the project.

Permission Model Vulnerabilities

CVE-2025-55132 allows fs.futimes() to change a file's access and modification timestamps when the process holds only read permission for that file, so a process confined to read-only file-system access can still alter metadata on disk. This undermines the read-only isolation the permission model is meant to provide and affects all four release lines. CVE-2026-21636 allows the network permission, which is experimental in v25, to be bypassed by connecting over Unix domain sockets instead of TCP. Both issues illustrate how hard it is to enforce a permission boundary over the whole surface of a runtime that was not designed with one.

HTTP/2 Denial of Service

A vulnerability in the HTTP/2 implementation allows a malformed HEADERS frame carrying oversized, invalid HPACK data to bring down the process: handling the frame raises an error on the underlying TLSSocket with code ECONNRESET that nothing handles, so the unhandled error terminates Node.js. No authentication is required, and the attacker only needs to reach the server, which makes public-facing HTTP/2 services the most exposed.

Recommendations

A fourth issue, CVE-2026-21637, concerns exceptions thrown from TLS PSK and ALPN callbacks: an exception escaping one of these callbacks can crash the server or leak file descriptors in production. The Node.js project urges users to upgrade immediately, in particular operators of production HTTP/2 servers and of any deployment that relies on the permission model for isolation. Fixed releases for all four lines are available through the standard distribution channels.
