v25.8.2
📦 node-js
🐛 9 fixes, 🔧 6 symbols
Summary
This is a security release addressing multiple high- and medium-severity CVEs related to prototype pollution, permission checks, and cryptographic comparisons.
🐛 Bug Fixes
- (CVE-2026-21637) wrap SNICallback invocation in try/catch.
- (CVE-2026-21710) use null prototype for headersDistinct/trailersDistinct to mitigate prototype pollution.
- (CVE-2026-21711) include permission check to pipe_wrap.cc.
- (CVE-2026-21712) handle url crash on different url formats.
- (CVE-2026-21713) use timing-safe comparison in Web Cryptography HMAC and KMAC.
- (CVE-2026-21714) handle NGHTTP2_ERR_FLOW_CONTROL error code.
- (CVE-2026-21717) test array index hash collision.
- (CVE-2026-21715) add permission check to realpath.native.
- (CVE-2026-21716) include permission check on lib/fs/promises.