Node.js 24.4.1 has been released with fixes for CVE-2025-27209 and CVE-2025-27210: the V8 rapidhash commits are reverted, and Windows device names that bypassed path traversal protection are now handled.
Node.js — Node v24.4.1 (Current)
This is a security release.
Notable Changes
- (CVE-2025-27209) HashDoS in V8 with new RapidHash algorithm
- (CVE-2025-27210) Windows Device Names (CON, PRN, AUX) Bypass Path Traversal Protection in path.normalize()
Commits
- [c33223f1a5] - (CVE-2025-27209) deps: V8: revert rapidhash commits (Michaël Zasso) nodejs-private/node-private#713
- [56f9db2aaa] - (CVE-2025-27210) lib: handle all windows reserved driver name (RafaelGSS) nodejs-private/node-private#721
