
Node.js has issued multiple security updates. They fix error handling for asynchronous crypto operations, update llhttp to version 9.2.0, and add a previously missing call to uv_fs_req_cleanup. The fixes ship in the security releases Node v20.19.2, Node v22.15.1, Node v23.11.1, and Node v24.0.2; the notable changes for each release are listed below.





Node.js — Node v20.19.2 (LTS)

This is a security release.

Notable Changes

  • (CVE-2025-23166) fix error handling on async crypto operation
  • (CVE-2025-23167) (SEMVER-MAJOR) update llhttp to 9.2.0
  • (CVE-2025-23165) add missing call to uv_fs_req_cleanup


Node.js — Node v22.15.1 (LTS)

This is a security release.

Notable Changes

  • (CVE-2025-23166) fix error handling on async crypto operation
  • (CVE-2025-23165) add missing call to uv_fs_req_cleanup


Node.js — Node v23.11.1 (Current)

This is a security release.

Notable Changes

src:

  • (CVE-2025-23166) fix error handling on async crypto operation


Node.js — Node v24.0.2 (Current)

This is a security release.

Notable Changes

  • (CVE-2025-23166) fix error handling on async crypto operation
