v20.20.2
📦 node-js
Summary
This is a security release addressing multiple CVEs related to hash collisions, timing attacks, file system permissions, and error handling. Dependencies like V8 and undici were also updated.
🐛 Bug Fixes
- Fixed array index hash collision vulnerability (CVE-2026-21717).
- Used timing-safe comparison in Web Cryptography HMAC and KMAC to mitigate timing attacks (CVE-2026-21713).
- Used a null prototype for headersDistinct/trailersDistinct in the http module (CVE-2026-21710).
- Included a permission check in lib/fs/promises (CVE-2026-21716).
- Added a permission check to realpath.native (CVE-2026-21715).
- Handled the NGHTTP2_ERR_FLOW_CONTROL error code (CVE-2026-21714).
- Wrapped the SNICallback invocation in try/catch in the tls module (CVE-2026-21637).
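
The timing-safe comparison named in the HMAC/KMAC fix above also applies to application code that checks MAC tags itself. The following is an added example, not code from the Node.js project or from this release: it puts a string-equality check beside a check built on crypto.timingSafeEqual. The function names, key, message and tags are constructed for illustration.

```javascript
// Added example: application-level HMAC tag verification in Node.js.
// Not taken from the Node.js source; all names and sample values are constructed.
const crypto = require('node:crypto');

function computeTag(key, message) {
  return crypto.createHmac('sha256', key).update(message).digest();
}

// Weak form: string equality may stop at the first differing character,
// so the time taken can depend on how much of the supplied tag matched.
function verifyTagNaive(key, message, tagHex) {
  return computeTag(key, message).toString('hex') === tagHex;
}

// Hardened form: validate the encoding, check the length, then compare
// the raw bytes with a comparison whose duration does not depend on content.
function verifyTag(key, message, tagHex) {
  // Buffer.from(..., 'hex') silently truncates at the first invalid
  // character, so reject anything that is not whole hex bytes up front.
  if (typeof tagHex !== 'string' || !/^(?:[0-9a-fA-F]{2})+$/.test(tagHex)) {
    return false;
  }
  const supplied = Buffer.from(tagHex, 'hex');
  const expected = computeTag(key, message);
  // timingSafeEqual throws on unequal lengths. The tag length is public,
  // so returning early here reveals nothing about the expected value.
  if (supplied.length !== expected.length) {
    return false;
  }
  return crypto.timingSafeEqual(expected, supplied);
}

// Constructed sample values.
const key = Buffer.from('constructed-demo-key-not-a-real-secret');
const message = 'amount=100&to=alice';
const goodTag = computeTag(key, message).toString('hex');
// Same tag with its first hex digit changed.
const badTag = (goodTag[0] === '0' ? '1' : '0') + goodTag.slice(1);

console.log('naive, good tag   :', verifyTagNaive(key, message, goodTag));
console.log('hardened, good tag:', verifyTag(key, message, goodTag));
console.log('hardened, bad tag :', verifyTag(key, message, badTag));
console.log('hardened, short   :', verifyTag(key, message, goodTag.slice(0, 10)));
```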