Node.js Patches High-Severity Vulnerabilities and Shifts to Single Annual Release Model

9 min read
Node.js Patches High-Severity Vulnerabilities and Shifts to Single Annual Release Model
TL;DR

TL;DR: The Node.js project issued coordinated security releases on June 18, 2026 for all three active release lines (22.x, 24.x, and 26.x), patching 12 vulnerab…

Lead Paragraph

REMOTE — The Node.js Technical Steering Committee (TSC) and the Node.js Security Working Group issued simultaneous security releases on June 18, 2026, targeting all three actively maintained release lines: Node.js 22.x (LTS), Node.js 24.x, and Node.js 26.x (Current). The patch bundle addressed 12 discrete vulnerabilities spanning the WebCrypto subsystem, HTTP parser, TLS negotiation layers, and the experimental permission model. In a companion announcement, the Node.js project confirmed a major shift in its release governance model, moving from bi-annual major releases to a single annual April release cadence beginning with Node.js 27.

What Happened

The June 2026 patch release is one of the largest coordinated security updates the Node.js project has issued across active release lines. The security bulletin identified:

  • 12 Vulnerabilities Patched: Spanning CVE severity classifications from Medium to High across all maintained branches.
  • WebCrypto Denial-of-Service (High Severity): A crafted call to certain SubtleCrypto API methods with oversized or malformed key data could cause the V8 engine's WebCrypto implementation to enter an infinite loop, consuming 100% CPU and blocking the event loop.
  • TLS Hostname Normalization Bypass (High Severity): Inconsistency in how Node.js normalized hostnames before TLS certificate validation allowed certain Unicode-encoded hostnames to bypass checkServerIdentity verification.
  • Permission Model Escape (Medium Severity): A path traversal issue in the experimental --experimental-permission flag allowed reads outside the allowed path scope via certain symlink patterns.

Deep Dive: WebCrypto Denial-of-Service Vulnerability

The WebCrypto vulnerability is the most critical patch in this release. Node.js ships with a built-in crypto.subtle API that wraps V8's native WebCrypto implementation. The bug manifested when an attacker sent a crafted key derivation request using importKey with a specifically sized buffer that triggered a looping condition in the HKDF implementation.

A minimal vulnerable code pattern affected by the now-patched issue:

const { webcrypto } = require('crypto');

// Prior to the patch: this crafted buffer caused an infinite loop on
// specific Node.js versions (22.x < 22.14.2, 24.x < 24.4.1, 26.x < 26.1.0)
// DO NOT RUN ON UNPATCHED SYSTEMS
const malformedKeyMaterial = Buffer.alloc(16383); // Specific boundary size

webcrypto.subtle.importKey(
  'raw',
  malformedKeyMaterial,
  { name: 'HKDF' },
  false,
  ['deriveKey', 'deriveBits']
).then(() => {
  console.log('Key imported successfully');
}).catch((err) => {
  // Vulnerable versions never reach this handler
  console.error('Import failed:', err.message);
});

The Fix: The Node.js team patched the buffer boundary check in the V8 WebCrypto binding layer. Production systems should update immediately. Affected version ranges include 22.x before 22.14.2, 24.x before 24.4.1, and 26.x before 26.1.0.

TLS Hostname Normalization Attack Flow

The TLS hostname normalization vulnerability is particularly significant for servers accepting connections from clients that may use Internationalized Domain Names (IDNs).

TLS hostname normalization attack flow diagram
Figure 1: How the TLS hostname normalization bypass enabled a man-in-the-middle attack path on vulnerable Node.js versions prior to the June 2026 patch.

Under the pre-patch behavior, Node.js's checkServerIdentity function compared the server certificate's Subject Alternative Names (SANs) against the requested hostname. However, when hostnames contained specific Unicode characters that Unicode-normalize to ASCII equivalents differently between Node.js and the underlying libuv networking layer, the comparison failed silently and allowed a certificate mismatch to pass validation.

Vulnerable Scenario: An attacker controlling a server with a certificate for xn--nds.example.com could intercept connections from clients resolving nds.example.com if the Unicode normalization path was triggered. This affected HTTPS agents, node:https module requests, and third-party HTTP clients built on Node.js core.

The Fix: The patch standardizes hostname normalization to occur before any comparison call in checkServerIdentity, ensuring that the IDN-encoded and decoded forms are resolved to the same canonical ASCII representation before the certificate SAN match is attempted.

Major Governance Change: Annual Release Model from Node.js 27

Alongside the security release, the Node.js Technical Steering Committee published a formal governance proposal that has been ratified: starting with Node.js 27, the project will move to a single annual major release each April.

Node.js annual release lifecycle roadmap timeline
Figure 2: The new Node.js annual major release lifecycle, showing April major releases, October LTS entry, and three-year LTS support windows starting from Node.js 27.

Under the previous model, Node.js released two major versions per year (one in April, one in October), alternating between "Current" and "LTS" tracks. This led to confusion for enterprise teams who found it difficult to track upgrade cadences and allocate testing resources.

The new model simplifies this significantly:

MilestoneMonth
Major ReleaseApril
LTS DesignationOctober
Active LTS Support3 years from October
End of Life6 months after Active LTS
This aligns Node.js with a more predictable enterprise upgrade cycle. Teams running LTS versions will now have a clear three-year window before a mandatory upgrade, removing the pressure of bi-annual major version jumps.

Update Versions

Developers should update to the following patched releases immediately:

Release LineVulnerable BeforePatched Version
Node.js 22.x (LTS)22.14.122.14.2
Node.js 24.x24.4.024.4.1
Node.js 26.x (Current)26.0.126.1.0
To update via the Node Version Manager (nvm):
# Update to patched Node.js 22.x LTS
nvm install 22.14.2
nvm use 22.14.2

# Verify the installed version
node --version

# Check the installed OpenSSL binding for TLS hardening
node -e "console.log(process.versions.openssl)"

To check if your current installation is affected:

# Check current Node.js version
node --version

# For Docker-based deployments, update the base image tag
# FROM node:22.14.2-alpine
# FROM node:24.4.1-slim
# FROM node:26.1.0-alpine

What to Watch Next

  • Dependency Audit: Review all third-party packages in your dependency tree that invoke crypto.subtle or establish TLS connections. Libraries like node-fetch, axios, and undici all rely on the underlying Node.js TLS stack.
  • Permission Model Maturity: The path traversal escape in the experimental permission model is a reminder that --experimental-permission is not yet production-hardened for adversarial environments.
  • Node.js 27 Timeline: Watch for the first release candidate of Node.js 27 in Q1 2027, which will be the first version to follow the new annual release model.
For a deeper look at the performance implications of the V8 JIT changes that have been discussed alongside these patches, see the analysis of Node.js 26 Rust JIT Proposal and the JITless V8 Overhead discussion.

Read the full security advisory on the Node.js Official Blog → Node.js Vulnerability Blog

Key Takeaways

  • Patch Now: All active release lines have patched 12 vulnerabilities, including two high-severity issues in WebCrypto and TLS.
  • WebCrypto Hang Fixed: A malformed importKey call could cause the event loop to block indefinitely on unpatched versions.
  • TLS Bypass Closed: Unicode hostname normalization inconsistencies allowed certificate validation to be bypassed in specific attack scenarios.
  • Annual Release Model Confirmed: Starting with Node.js 27, one major version will be released every April, with LTS entry each October.
  • Enterprise Stability: The new cadence gives teams a predictable three-year LTS window per major version.

FAQ

Disseminate Knowledge

Broadcast this intelligence

Copy Permanent Link

Want to work together?

Technical and delivery consulting for engineering leaders — diagnostics, agentic AI, and transformation with measurable outcomes.