RepoJournal
Node.js

@nodejs

The Node.js runtime — every backend team's CVE source of truth


UNDICI HTTP/2 CRASH FIXED, VM PROXY SANDBOX QUERIES CORRECTED

By RepoJournal

Undici shipped a critical fix for HTTP/2 multiplexing that was crashing processes when two requests shared a session, while Node core fixed vm sandboxes backed by Proxies to properly report property ownership.

The undici team patched a catastrophic bug [1] in which rewinding kPendingIdx past nulled queue slots during HTTP/2 multiplexing crashed the entire process with a TypeError when Client[kDestroy] tried to error the remaining requests. The root cause: when two requests were multiplexed on one session, closing one stream before response headers unconditionally reset kPendingIdx while the other request was still in flight, leaving a null slot that later crashed with "Cannot read properties of null". This is a production blocker for anyone using HTTP/2 multiplexing in high-concurrency scenarios.

Node core fixed a separate but equally nasty issue [2]: vm contextify was using HasRealNamedProperty() instead of inspecting own property descriptors, so Proxy-backed sandboxes reported false for hasOwnProperty, Object.hasOwn, the in operator, and Reflect.has even when the properties were actually readable. The fix updates the named property query path to see through Proxy objects, restoring correct property visibility semantics.
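A check for the behaviour described above, as an added example (not code from nodejs/node or from this page): it compares whether a key on a vm sandbox is readable with what the four property queries report, so a team can see how its own runtime answers for a Proxy-backed sandbox. The name auditSandbox, the key secret and the sandbox contents are assumptions constructed for the example, and the queries are issued from the outer realm against the context's global object.

```javascript
// Added example: audit property queries on a vm context's global object.
const vm = require('node:vm');

// The four query forms named in the text, applied to the context's global.
const QUERIES = {
  hasOwnProperty: (g, k) => Object.prototype.hasOwnProperty.call(g, k),
  'Object.hasOwn': (g, k) => Object.hasOwn(g, k),
  in: (g, k) => k in g,
  'Reflect.has': (g, k) => Reflect.has(g, k),
};

// Returns which queries disagree with whether `key` reads as a defined value.
function auditSandbox(sandbox, key) {
  const context = vm.createContext(sandbox);
  // 'this' at script top level is the contextified global; evaluating it
  // performs no global name lookup inside the context.
  const g = vm.runInContext('this', context);
  const readable = g[key] !== undefined;
  const results = {};
  for (const [name, query] of Object.entries(QUERIES)) {
    results[name] = query(g, key) === true;
  }
  const mismatches = Object.keys(results).filter((n) => results[n] !== readable);
  return { readable, results, mismatches };
}

// Constructed sample: a transparent Proxy over an object holding one property.
const report = auditSandbox(new Proxy({ secret: 1 }, {}), 'secret');
console.log(
  process.version,
  report.mismatches.length === 0
    ? 'property queries agree with readability'
    : `property queries disagree: ${report.mismatches.join(', ')}`
);
```

An empty mismatches list means the queries agree with what the context can read; any names listed are the queries that report false for a readable property on that runtime.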

Undici also landed tighter cookie parsing [3] that now preserves values and parses SameSite strictly, plus cache header fixes [4] for qualified field name trimming. On the test side, Node marked SEA build tests flaky on linux arm debug [5] after observing SIGKILL crashes during ELF binary injection, and bumped OpenSSL to 3.5.7 [6] across all architectures.

Action items

References

  [1] fix(h2): do not rewind kPendingIdx past in-flight requests (nodejs/undici)
  [2] vm: fix property queries for proxy sandboxes (nodejs/node)
  [3] fix(cookies): preserve values and parse SameSite strictly (nodejs/undici)
  [4] fix(cache): trim qualified field names (nodejs/undici)
  [5] test: mark SEA tests flaky on linux arm debug (nodejs/node)
  [6] deps: update archs files for openssl-3.5.7 (nodejs/node)

FAQ

What changed in Node.js on June 12, 2026?
Undici shipped a critical fix for HTTP/2 multiplexing that was crashing processes when two requests shared a session, while Node core fixed vm sandboxes backed by Proxies to properly report property ownership.
What should Node.js teams do about it?
  • Update undici immediately if you use HTTP/2 multiplexing - this crashes production
  • Review vm Proxy-backed sandboxes if you rely on property queries - behavior changed
  • Expect SEA test noise on linux arm debug CI until stabilized
Which Node.js repositories shipped on June 12, 2026?
nodejs/undici, nodejs/node
