Change8

v26.3.1

📦 node-jsView on GitHub →
🐛 11 fixes🔧 8 symbols

Summary

This is a security release addressing multiple high and medium severity vulnerabilities across TLS, crypto, HTTP/2, DNS, and permission handling modules. Key fixes involve input validation and boundary checks to prevent potential exploits.

🐛 Bug Fixes

  • tls: normalize hostname for server identity checks to address CVE-2026-48618.
  • crypto: guard WebCrypto cipher output length to address CVE-2026-48933.
  • lib,test: redact proxy credentials in tunnel errors to address CVE-2026-48615.
  • http2: cap originSet size to prevent unbounded memory growth to address CVE-2026-48619.
  • tls: fix case-sensitive SNI context matching to address CVE-2026-48928.
  • dns,net: reject hostnames with embedded NUL bytes to address CVE-2026-48930.
  • tls: bind reusable sessions to authenticated host to address CVE-2026-48934.
  • permission: handle process.chdir on writereport to address CVE-2026-48617.
  • http: fix response queue poisoning in http.Agent to address CVE-2026-48931.
  • permission: disable FileHandle utimes with permission model to address CVE-2026-48935.
  • permission: guard pipe open and chmod with net scope to address CVE-2026-48936.

Affected Symbols