Node.js Patches High-Severity Vulnerabilities and Shifts to Single Annual Release Model
By Vatsal Shah | June 18, 2026 | 7 min read | Source: Node.js Official Blog
- 12 CVEs Patched: All active release lines (22.x, 24.x, 26.x) received simultaneous security updates covering cryptographic, networking, and runtime flaws.
- WebCrypto DoS Patched: A high-severity vulnerability in the built-in WebCrypto API allowed crafted inputs to cause the process to hang indefinitely.
- TLS Hostname Normalization Fixed: A bypass in TLS hostname verification could allow attackers to perform man-in-the-middle interceptions on misconfigured servers.
- Annual Release Model: From Node.js 27, major versions will be released once per year in April, entering LTS in October.
Lead Paragraph
REMOTE — The Node.js Technical Steering Committee (TSC) and the Node.js Security Working Group issued simultaneous security releases on June 18, 2026, targeting all three actively maintained release lines: Node.js 22.x (LTS), Node.js 24.x, and Node.js 26.x (Current). The patch bundle addressed 12 discrete vulnerabilities spanning the WebCrypto subsystem, HTTP parser, TLS negotiation layers, and the experimental permission model. In a companion announcement, the Node.js project confirmed a major shift in its release governance model, moving from bi-annual major releases to a single annual April release cadence beginning with Node.js 27.
What Happened
The June 2026 patch release is one of the largest coordinated security updates the Node.js project has issued across active release lines. The security bulletin identified:
- 12 Vulnerabilities Patched: Spanning CVE severity classifications from Medium to High across all maintained branches.
- WebCrypto Denial-of-Service (High Severity): A crafted call to certain
SubtleCryptoAPI methods with oversized or malformed key data could cause the V8 engine's WebCrypto implementation to enter an infinite loop, consuming 100% CPU and blocking the event loop. - TLS Hostname Normalization Bypass (High Severity): Inconsistency in how Node.js normalized hostnames before TLS certificate validation allowed certain Unicode-encoded hostnames to bypass
checkServerIdentityverification. - Permission Model Escape (Medium Severity): A path traversal issue in the experimental
--experimental-permissionflag allowed reads outside the allowed path scope via certain symlink patterns.
Deep Dive: WebCrypto Denial-of-Service Vulnerability
The WebCrypto vulnerability is the most critical patch in this release. Node.js ships with a built-in crypto.subtle API that wraps V8's native WebCrypto implementation. The bug manifested when an attacker sent a crafted key derivation request using importKey with a specifically sized buffer that triggered a looping condition in the HKDF implementation.
A minimal vulnerable code pattern affected by the now-patched issue:
const { webcrypto } = require('crypto039;);
// Prior to the patch: this crafted buffer caused an infinite loop on
// specific Node.js versions (22.x < 22.14.2, 24.x < 24.4.1, 26.x < 26.1.0)
// DO NOT RUN ON UNPATCHED SYSTEMS
const malformedKeyMaterial = Buffer.alloc(16383); // Specific boundary size
webcrypto.subtle.importKey(
'raw039;,
malformedKeyMaterial,
{ name: 'HKDF039; },
false,
['deriveKey039;, 039;deriveBits039;]
).then(() => {
console.log('Key imported successfully039;);
}).catch((err) => {
// Vulnerable versions never reach this handler
console.error('Import failed:039;, err.message);
});
The Fix: The Node.js team patched the buffer boundary check in the V8 WebCrypto binding layer. Production systems should update immediately. Affected version ranges include 22.x before 22.14.2, 24.x before 24.4.1, and 26.x before 26.1.0.
TLS Hostname Normalization Attack Flow
The TLS hostname normalization vulnerability is particularly significant for servers accepting connections from clients that may use Internationalized Domain Names (IDNs).
Under the pre-patch behavior, Node.js's checkServerIdentity function compared the server certificate's Subject Alternative Names (SANs) against the requested hostname. However, when hostnames contained specific Unicode characters that Unicode-normalize to ASCII equivalents differently between Node.js and the underlying libuv networking layer, the comparison failed silently and allowed a certificate mismatch to pass validation.
Vulnerable Scenario: An attacker controlling a server with a certificate for xn--nds.example.com could intercept connections from clients resolving nds.example.com if the Unicode normalization path was triggered. This affected HTTPS agents, node:https module requests, and third-party HTTP clients built on Node.js core.
The Fix: The patch standardizes hostname normalization to occur before any comparison call in checkServerIdentity, ensuring that the IDN-encoded and decoded forms are resolved to the same canonical ASCII representation before the certificate SAN match is attempted.
Major Governance Change: Annual Release Model from Node.js 27
Alongside the security release, the Node.js Technical Steering Committee published a formal governance proposal that has been ratified: starting with Node.js 27, the project will move to a single annual major release each April.
Under the previous model, Node.js released two major versions per year (one in April, one in October), alternating between "Current" and "LTS" tracks. This led to confusion for enterprise teams who found it difficult to track upgrade cadences and allocate testing resources.
The new model simplifies this significantly:
| Milestone | Month |
|---|---|
| Major Release | April |
| LTS Designation | October |
| Active LTS Support | 3 years from October |
| End of Life | 6 months after Active LTS |
This aligns Node.js with a more predictable enterprise upgrade cycle. Teams running LTS versions will now have a clear three-year window before a mandatory upgrade, removing the pressure of bi-annual major version jumps.
Update Versions
Developers should update to the following patched releases immediately:
| Release Line | Vulnerable Before | Patched Version |
|---|---|---|
| Node.js 22.x (LTS) | 22.14.1 | 22.14.2 |
| Node.js 24.x | 24.4.0 | 24.4.1 |
| Node.js 26.x (Current) | 26.0.1 | 26.1.0 |
To update via the Node Version Manager (nvm):
class="tok-cm"># Update to patched Node.js 22.x LTS
nvm install 22.14.2
nvm use 22.14.2
class="tok-cm"># Verify the installed version
node --version
class="tok-cm"># Check the installed OpenSSL binding for TLS hardening
node -e class="tok-str">"console.log(process.versions.openssl)"
To check if your current installation is affected:
class="tok-cm"># Check current Node.js version
node --version
class="tok-cm"># For Docker-based deployments, update the base image tag
class="tok-cm"># FROM node:22.14.2-alpine
class="tok-cm"># FROM node:24.4.1-slim
class="tok-cm"># FROM node:26.1.0-alpine
What to Watch Next
- Dependency Audit: Review all third-party packages in your dependency tree that invoke
crypto.subtleor establish TLS connections. Libraries likenode-fetch,axios, andundiciall rely on the underlying Node.js TLS stack. - Permission Model Maturity: The path traversal escape in the experimental permission model is a reminder that
--experimental-permissionis not yet production-hardened for adversarial environments. - Node.js 27 Timeline: Watch for the first release candidate of Node.js 27 in Q1 2027, which will be the first version to follow the new annual release model.
For a deeper look at the performance implications of the V8 JIT changes that have been discussed alongside these patches, see the analysis of Node.js 26 Rust JIT Proposal and the JITless V8 Overhead discussion.
Read the full security advisory on the Node.js Official Blog → Node.js Vulnerability Blog
Key Takeaways
- Patch Now: All active release lines have patched 12 vulnerabilities, including two high-severity issues in WebCrypto and TLS.
- WebCrypto Hang Fixed: A malformed
importKeycall could cause the event loop to block indefinitely on unpatched versions. - TLS Bypass Closed: Unicode hostname normalization inconsistencies allowed certificate validation to be bypassed in specific attack scenarios.
- Annual Release Model Confirmed: Starting with Node.js 27, one major version will be released every April, with LTS entry each October.
- Enterprise Stability: The new cadence gives teams a predictable three-year LTS window per major version.