
Node.js has released new long-term support (LTS) versions, including 24.13.0, 22.22.0, and 20.20.0, with a primary focus on addressing security concerns. These updates include fixes for various vulnerabilities, such as CVE-2025-59465 in TLS sockets and CVE-2025-55132 in futimes, which has been disabled when the permission model is enabled to prevent exploits. Additionally, the release cycle has brought updates to dependencies like c-ares and undici, as well as improvements in permission handling for symlinks, stack overflow exceptions in async_hooks, and route callback errors. These security patches aim to ensure that problems are handled properly and unexpected situations can be caught and managed better.



Node.js 24.13.0 (LTS), 22.22.0 (LTS), and 20.20.0 (LTS) released

Node.js has released new long-term support (LTS) versions, including 24.13.0, 22.22.0, and 20.20.0. The primary focus of these updates is to address security concerns.

One change deals with TLS sockets specifically. There was a problem tracked as CVE-2025-59465, pointed out by RafaelGSS on GitHub. Node.js developers have added a default error handler for TLSSockets now. This ensures problems related to them get handled properly instead of causing weird behavior.

Another security update tackles futimes. There's a separate vulnerability (tracked as CVE-2025-55132) that shows up when the permission model is enabled. To fix this, developers have disabled futimes under those specific conditions entirely. This prevents certain kinds of exploits from getting a foothold.

For symlinks and their APIs, another change was needed to handle permissions correctly (tracked as CVE-2025-55130). Before, creating symlink files might not automatically set the right security flags, which could be risky. Now, it's required that all symlink creation calls include proper read/write restrictions upfront.

These are just two of the patches rolled into LTS; there was also work on async_hooks to fix stack overflow exceptions properly (CVE-2025-59466). That contribution from Matteo Collina ensures these errors get rethrown, so unexpected situations can be caught and managed better now. And independently, Сковорода Никита Андреевич refactored buffer creation code; this change removes a problematic zero-fill toggle (tracked as CVE-2025-55131).

Finally, route callback exceptions are handled more securely too (CVE-2026-21637). This was another fix from Matteo Collina. It ensures these errors are routed properly through the error handling system.

Beyond pure security, this release cycle also brought updates to some dependencies like c-ares and undici across the board.
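To check runtimes against the patched releases named above, here is an added example (not code from the Node.js project or the original article). The host names and the inventory are constructed, and reporting release lines other than 24, 22 and 20 as `not-covered` is an assumption, since the article lists only those three.

```javascript
// Minimum patched release per LTS line, as listed in the article above.
const PATCHED = { 24: [24, 13, 0], 22: [22, 22, 0], 20: [20, 20, 0] };

// Parse "v22.21.1", "22.21.1" or "v24.13.0-rc.1" into its numeric parts.
function parseVersion(raw) {
  const re = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;
  const m = re.exec(String(raw).trim());
  if (!m) return null;
  return { parts: m.slice(1, 4).map(Number), prerelease: Boolean(m[4]) };
}

// Returns "patched", "needs-update", "not-covered" or "unparseable".
function auditVersion(raw) {
  const v = parseVersion(raw);
  if (!v) return 'unparseable';
  const min = PATCHED[v.parts[0]];
  if (!min) return 'not-covered'; // assumption: line not named in the article
  for (let i = 1; i < 3; i++) {
    if (v.parts[i] !== min[i]) {
      return v.parts[i] > min[i] ? 'patched' : 'needs-update';
    }
  }
  // Same numbers as the patched release: a pre-release build precedes it.
  return v.prerelease ? 'needs-update' : 'patched';
}

// List every host whose runtime is not confirmed patched.
function hostsToReview(inventory) {
  return Object.entries(inventory)
    .filter(([, version]) => auditVersion(version) !== 'patched')
    .map(([host, version]) => `${host} (${version}: ${auditVersion(version)})`);
}

// Constructed sample inventory (hypothetical hosts and versions).
const sampleInventory = {
  'web-1': 'v24.13.0',
  'api-2': 'v22.21.1',
  'batch-3': 'v20.20.0',
  'legacy-4': 'v18.20.8',
  'ci-5': 'lts/iron',
};

console.log(`this runtime (${process.version}):`, auditVersion(process.version));
console.log(hostsToReview(sampleInventory).join('\n'));
```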

Node.js — Node.js 24.13.0 (LTS)

Node.js® is a free, open-source, cross-platform JavaScript runtime environment that lets developers create servers, web apps, command line tools and scripts.

Node.js — Node.js 22.22.0 (LTS)

Node.js — Node.js 20.20.0 (LTS)