Node.js issued critical security updates across its active release lines on January 13, 2026, patching vulnerabilities that could lead to memory leaks, denial-of-service attacks, and permission bypasses.
These releases address three high-severity flaws, among others, urging immediate upgrades for affected systems.
High Severity Vulnerabilities
High-severity issues dominate this release, with CVE-2025-55131 exposing uninitialized memory in Buffer.alloc and Uint8Array due to timeout races in the vm module, potentially leaking secrets like tokens.
CVE-2025-55130 allows symlink attacks to evade filesystem permission flags such as –allow-fs-read, enabling arbitrary file access. CVE-2025-59465 crashes HTTP/2 servers via malformed HEADERS frames, triggering unhandled TLSSocket errors for remote DoS.
| CVE ID | Severity | Description Summary | Affected Versions | Reporter/Fixer |
|---|---|---|---|---|
| CVE-2025-55131 | High | Buffer alloc race exposes prior data | 20.x,22.x,24.x,25.x | Nikita Skovoroda/RafaelGSS |
| CVE-2025-55130 | High | Symlink bypasses FS permissions | 20.x,22.x,24.x,25.x | natann/RafaelGSS |
| CVE-2025-59465 | High | HTTP/2 malformed frame causes server crash | 20.x,22.x,24.x,25.x | dantt/RafaelGSS |
Medium Severity Issues
Four medium vulnerabilities include CVE-2025-59466, where async_hooks make stack overflow errors uncatchable, bypassing handlers for DoS. CVE-2025-59464 leaks memory in TLS client certificate processing via OpenSSL UTF-8 conversions.
CVE-2026-21636 bypasses network permissions via Unix Domain Sockets in the experimental model on v25. CVE-2026-21637 lets TLS PSK/ALPN callbacks throw exceptions that crash servers or leak FDs.
| CVE ID | Severity | Description Summary | Affected Versions | Reporter/Fixer |
|---|---|---|---|---|
| CVE-2025-59466 | Medium | Uncatchable stack errors via async_hooks | 20.x,22.x,24.x,25.x | AndrewMacPherson/mcollina |
| CVE-2025-59464 | Medium | TLS cert memory leak | 20.x,22.x,24.x | giant_anteater/RafaelGSS |
| CVE-2026-21636 | Medium | UDS bypasses net permissions | 25.x | mufeedvh/RafaelGSS |
| CVE-2026-21637 | Medium | TLS callback exceptions cause DoS/FD leak | All with PSK/ALPN | 0xmaxhax/mcollina |
Low Severity Fix
CVE-2025-55132 allows fs.futimes() to modify timestamps without write permissions, undermining read-only isolation in permission models from v20 to v25.
Updates include c-ares 1.34.6 and undici (6.23.0 or 7.18.0) to address public vulnerabilities. New versions include Node.js 20.20.0, 22.22.0, 24.13.0, and 25.3.0, available via standard channels.
Node.js urges users to prioritize upgrades, especially for production HTTP/2 servers and permission-enabled environments, as end-of-life branches remain exposed.
The Node.js team credits multiple researchers for disclosures, emphasizing community collaboration in securing the ecosystem. Multiple postponements ensured thorough testing before today’s rollout.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
