v26.3.1
📦 node-jsView on GitHub →
🐛 11 fixes🔧 8 symbols
Summary
This is a security release addressing multiple high and medium severity vulnerabilities across TLS, crypto, HTTP/2, DNS, and permission handling modules. Key fixes involve input validation and boundary checks to prevent potential exploits.
🐛 Bug Fixes
- tls: normalize hostname for server identity checks to address CVE-2026-48618.
- crypto: guard WebCrypto cipher output length to address CVE-2026-48933.
- lib,test: redact proxy credentials in tunnel errors to address CVE-2026-48615.
- http2: cap originSet size to prevent unbounded memory growth to address CVE-2026-48619.
- tls: fix case-sensitive SNI context matching to address CVE-2026-48928.
- dns,net: reject hostnames with embedded NUL bytes to address CVE-2026-48930.
- tls: bind reusable sessions to authenticated host to address CVE-2026-48934.
- permission: handle process.chdir on writereport to address CVE-2026-48617.
- http: fix response queue poisoning in http.Agent to address CVE-2026-48931.
- permission: disable FileHandle utimes with permission model to address CVE-2026-48935.
- permission: guard pipe open and chmod with net scope to address CVE-2026-48936.