v24.14.1

📅 Mar 24, 2026📦 node-jsView on GitHub →

🐛 8 fixes🔧 5 symbols

Summary

This is a security release addressing multiple high, medium, and low severity vulnerabilities through various fixes including prototype manipulation, cryptographic comparisons, error handling, and permission checks.

🐛 Bug Fixes

(CVE-2026-21710) Use null prototype for headersDistinct/trailersDistinct to mitigate security risk.
(CVE-2026-21637) Wrap SNICallback invocation in try/catch to prevent crashes.
(CVE-2026-21717) Fix for array index hash collision vulnerability.
(CVE-2026-21713) Use timing-safe comparison in Web Cryptography HMAC and KMAC.
(CVE-2026-21714) Handle NGHTTP2_ERR_FLOW_CONTROL error code.
(CVE-2026-21712) Handle URL crash when processing different URL formats.
(CVE-2026-21716) Include permission check on lib/fs/promises.
(CVE-2026-21715) Add permission check to realpath.native.

Affected Symbols

headersDistinct trailersDistinct SNICallback lib/fs/promises realpath.native