(Update 7-December-2017) Security releases available Summary Updates are now available for all active Node.js release lines. These include the fix for the vulnerability identified in the initial announcement. In addition the updates for 8.X and 9.X include a fix for a low severity buffer vulnerability as describe below. We recommend Read more…
(Update 8-Nov-2017) Node.js Releases Releases were made available for active lines yesterday, each including the OpenSSL 1.0.2m update. As we have not categorized these strictly as security releases they also contain other minor fixes and additions as per our regular release procedures. While we don’t consider OpenSSL 1.0.2m a critical Read more…
(Update 24-October-2017) Releases available Summary Updates are now available for all active Node.js release lines. These include the fix for the vulnerability identified in the initial announcement. We recommend that all users upgrade as soon as possible. Downloads Node.js v8 (Current) Node.js v6 (LTS “Boron”) Node.js v4 (LTS “Argon”) Node.js-specific Read more…
Path Validation Vulnerability (Updated 29-September-2017 – CVE assigned) The Node.js project released a new version of 8.x this week which incorporates a security fix. Impact Version 8.5.0 of Node.js is vulnerable. 4.x and 6.x versions are NOT vulnerable. Downloads Node.js 8 (Current) Node.js-specific security flaws Node.js version 8.5.0 included a Read more…
(Update 12-June-2018) Security releases available Summary Updates are now available for all active Node.js release lines. These include the fix for the vulnerabilities identified in the initial announcement (below). We recommend that all users upgrade as soon as possible. Downloads & release details Node.js 10.4.1 (Current) Node.js 9.11.2 Node.js 8.11.3 Read more…
(Update 4-Jan-2021) Security releases available Updates are now available for v10,x, v12.x, v14.x and v15.x Node.js release lines for the following issues. In addition to the vulnerabilities listed below, these releases also include an update to npm in order to resolve an issue that was reported against npm by security Read more…
(Update 16-Nov-2020) Security releases available Updates are now available for v12.x, v14.x and v15.x Node.js release lines for the following issues. Denial of Service through DNS request (CVE-2020-8277) A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial Read more…
(Update 15-Sept-2020) Security releases available Updates are now available for v10,x, v12.x and v14.x Node.js release lines for the following issues. HTTP Request Smuggling due to CR-to-Hyphen conversion (High) (CVE-2020-8201) Affected Node.js versions converted carriage returns in HTTP request headers to a hyphen before parsing. This can lead to HTTP Read more…
(Update 2-June-2020) Security releases available Updates are now available for all supported Node.js release lines for the following issues. TLS session reuse can lead to host certificate verification bypass (High) (CVE-2020-8172) The ‘session’ event could be emitted before the ‘secureConnect’ event. It should not be, because the connection may fail Read more…
Update The OpenSSL project has released a description of the issue fixed in the OpenSSL 1.1.1g update. It only affects a function which is not called by Node.js (or its dependencies), and as such, does not affect Node.js. No Node.js security releases are required. For more information, see the OpenSSL Read more…
