v20.19.2
Project: node-js
Summary
This security release addresses multiple vulnerabilities (CVE-2025-23166, CVE-2025-23167, CVE-2025-23165, CVE-2024-27982) by updating the llhttp parser and fixing critical issues in the crypto and fs modules.
⚠️ Breaking Changes
- The update to llhttp 9.2.0 is marked as SEMVER-MAJOR and may introduce breaking changes in HTTP parsing behavior.
- OBS (Obsolete Line Folding) in HTTP headers is now disallowed by default (CVE-2024-27982).
Migration Steps
- Update Node.js to the latest version to apply security patches.
- Verify that incoming HTTP requests do not rely on Obsolete Line Folding (OBS fold) in headers, as these will now be rejected by default.
- Test HTTP parsing logic against the new llhttp 9.2.0 requirements.
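The second migration step asks you to confirm that nothing sending traffic to your Node.js service still relies on obs-fold. The following JavaScript is an added example, not code from the Node.js release or from llhttp: it scans a raw HTTP/1.1 header block (the text between the request line and the blank line) for continuation lines that begin with a space or tab, reports which fields use them, and shows the normalization RFC 7230 §3.2.4 allows a recipient to apply (each obs-fold replaced by one space). The sample request is constructed for the example; the function names are the author's own.

```javascript
// Added example (not part of the Node.js release notes). Detects obsolete
// line folding in a raw HTTP/1.1 header block, which llhttp 9.2.0 rejects by
// default, and unfolds it the way RFC 7230 permits (one SP per obs-fold).

// Split a CRLF- or LF-terminated header block into non-empty lines.
function splitHeaderLines(rawHeaderBlock) {
  return rawHeaderBlock.split(/\r?\n/).filter((line) => line.length > 0);
}

// Return the lower-cased names of header fields whose value is continued on
// a folded line (a line starting with SP or HTAB). An empty array means the
// block contains no obs-fold and will not be rejected for that reason.
function findObsFold(rawHeaderBlock) {
  const folded = [];
  let current = null;
  for (const line of splitHeaderLines(rawHeaderBlock)) {
    if (/^[ \t]/.test(line)) {
      // Continuation line: it belongs to the previous field.
      if (current !== null && !folded.includes(current)) folded.push(current);
      continue;
    }
    const colon = line.indexOf(':');
    current = colon === -1 ? null : line.slice(0, colon).trim().toLowerCase();
  }
  return folded;
}

// Rewrite the block so each obs-fold becomes a single space, producing a
// header block a strict parser will accept. Use this in a legacy client or
// normalizing front end you control, not as a reason to keep emitting folds.
function unfoldHeaders(rawHeaderBlock) {
  const out = [];
  for (const line of splitHeaderLines(rawHeaderBlock)) {
    if (/^[ \t]/.test(line) && out.length > 0) {
      out[out.length - 1] += ' ' + line.trim();
    } else {
      out.push(line.trimEnd());
    }
  }
  return out.join('\r\n') + '\r\n';
}

// Constructed sample: a legacy client that folds a long User-Agent value.
const SAMPLE_FOLDED =
  'Host: example.test\r\n' +
  'User-Agent: LegacyClient/1.0\r\n' +
  ' (build 42)\r\n' +
  'Accept: */*\r\n';

console.log('fields using obs-fold:', findObsFold(SAMPLE_FOLDED));
console.log('normalized block:\n' + unfoldHeaders(SAMPLE_FOLDED));
```

Run the detector over captured request headers from clients you do not control (a reverse proxy's access logs, or a short packet capture) before upgrading; any field it reports will start producing 400 responses once llhttp 9.2.0 is in place.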
🐛 Bug Fixes
- Fixed error handling on async crypto operations (CVE-2025-23166).
- Added missing call to uv_fs_req_cleanup in the fs module to prevent resource leaks (CVE-2025-23165).
- Updated llhttp to 9.2.0 to address security vulnerabilities (CVE-2025-23167).
- Disallowed OBS fold in headers by default to improve security (CVE-2024-27982).