v24.17.0
📦 node-jsView on GitHub →
🐛 11 fixes🔧 12 symbols
Summary
This is a security release addressing multiple high and medium severity CVEs across TLS, crypto, HTTP/2, and DNS modules. It also includes dependency upgrades for nghttp2, llhttp, openssl, and undici.
Migration Steps
- Update dependency nghttp2 to version 1.69.0 (SEMVER-MAJOR).
🐛 Bug Fixes
- (CVE-2026-48618) tls: normalize hostname for server identity checks.
- (CVE-2026-48933) crypto: guard WebCrypto cipher output length.
- (CVE-2026-48615) lib,test: redact proxy credentials in tunnel errors.
- (CVE-2026-48619) http2: cap originSet size to prevent unbounded memory growth.
- (CVE-2026-48928) tls: fix case-sensitive SNI context matching.
- (CVE-2026-48930) dns,net: reject hostnames with embedded NUL bytes.
- (CVE-2026-48934) tls: bind reusable sessions to authenticated host.
- (CVE-2026-48937) deps: fix integration issues with the latest nghttp2.
- (CVE-2026-48617) permission: handle process.chdir on writereport.
- (CVE-2026-48931) http: fix response queue poisoning in http.Agent.
- (CVE-2026-48935) permission: disable FileHandle utimes with permission model.