
Node.js 25.3.0 has been released with a focus on security improvements to address critical vulnerabilities and enhance user safety. This update includes several key changes, such as a new default error handler for TLSSocket connections, improved network checks during pipe_wrap connect operations, and enhanced handling of symlink APIs and permission models. Additionally, the update ditches the zero-fill toggle mechanism for buffer creation and reworks exception handling for stack overflows within async_hooks. Overall, Node.js 25.3.0 is a security-focused release that aims to plug specific holes and improve overall safety across the platform.



Node.js 25.3.0 (Current) released

Node.js 25.3.0 has shipped recently as a notable security-focused release.

The primary focus of this update was tackling critical vulnerabilities and strengthening user safety significantly. One key improvement is a new default error handler for TLSSocket connections. This change comes from RafaelGSS's work in issue #750 and addresses CVE-2025-59465.

Another security enhancement deals with network checks during pipe_wrap connect operations (CVE-2026-21636). Again, RafaelGSS contributed this correction via pull request #784. The goal is to prevent malicious use of these connect operations.

Beyond that, other important updates were made to shore up defenses related to symlink APIs and permission models. In particular, the handling of symlink operations now requires both read and write permissions (CVE-2025-55130), stemming from issue #760. This is a good security boost for those areas.

The recent update also includes changes regarding buffer creation. Node.js has ditched its zero-fill toggle mechanism to prevent creating unsafe buffers; that's CVE-2025-55131. Сковорода Никита Андреевич's refactor in pull request #759 makes this update happen.

Speaking of fixes, there was also a reworking of exception handling for stack overflows within async_hooks (CVE-2025-59466), based on Matteo Collina's work from issue #773. Plus, route callback exceptions are now better propagated through error handlers (CVE-2026-21637). That change resulted from Matteo Collina's pull request #790.

Under the hood, Node.js 25.3.0 updated c-ares to version 1.34.6 and undici to 7.18.2. The specific commits for these dependency upgrades are a6a74b89a7 (c-ares), 5100614e26 (undici), and f0a8916887.

So, Node.js 25.3.0 is out now, focused squarely on security fixes for this iteration. It's a solid update that enhances security measures across the entire platform. If you're already on the latest version, congratulations! But if your setup isn't current, catching up soon would be advisable given these updates are meant to plug specific holes and improve overall safety.
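One way to check whether a 25.x runtime has reached the Node.js, c-ares and undici versions named above. This is an added example, not code from the Node.js project; `MINIMUMS`, `parseVersion`, `compareVersions` and `auditRuntime` are names made up here, and only the 25.x line is judged because this article covers no other release line.

```javascript
// Added example: the minimums are the versions named in this article.
const MINIMUMS = { node: '25.3.0', ares: '1.34.6', undici: '7.18.2' };

// Parse "25.3.0", "v25.3.0" or "1.34.6-DEV" into [major, minor, patch].
// Any pre-release or build suffix is ignored.
function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(text));
  return m ? m.slice(1).map(Number) : null;
}

// Negative if a < b, zero if equal, positive if a > b (numeric, not lexical).
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Audit an object shaped like process.versions.
function auditRuntime(versions) {
  const node = parseVersion(versions.node);
  if (!node) {
    return { status: 'unknown', findings: ['node: version not parseable'] };
  }
  if (node[0] !== 25) {
    // Other release lines are outside what this article describes.
    return { status: 'out-of-scope', findings: [`node ${versions.node} is not a 25.x release`] };
  }
  const findings = [];
  for (const [name, minimum] of Object.entries(MINIMUMS)) {
    const have = parseVersion(versions[name]);
    if (!have) {
      findings.push(`${name}: version not reported`);
    } else if (compareVersions(have, parseVersion(minimum)) < 0) {
      findings.push(`${name} ${versions[name]} is older than ${minimum}`);
    }
  }
  return { status: findings.length ? 'review' : 'current', findings };
}

// Report on the runtime executing this script.
const report = auditRuntime(process.versions);
console.log(report.status, report.findings);
```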

Node.js — Node.js 25.3.0 (Current)

Node.js® is a free, open-source, cross-platform JavaScript runtime environment that lets developers create servers, web apps, command line tools and scripts.
