v18.20.6

📦 node-js
🐛 3 fixes, 🔧 4 symbols

Summary

This security release addresses three medium-severity vulnerabilities: an HTTP2 memory leak (CVE-2025-23085), a path traversal in path.normalize() on Windows (CVE-2025-23084), and the use of insufficiently random values in undici fetch() (CVE-2025-22150).

Migration Steps

  1. Update Node.js to the latest security release to patch CVE-2025-23085, CVE-2025-23084, and CVE-2025-22150.

🐛 Bug Fixes

  • CVE-2025-23085: Fixed a memory leak in HTTP2 occurring on premature connection close and ERR_PROTO errors.
  • CVE-2025-23084: Fixed a path traversal vulnerability in path.normalize() on Windows systems.
  • CVE-2025-22150: Fixed use of insufficiently random values in undici fetch() by updating the dependency.

Affected Symbols