The Wire · Showcase
NODE SHIPS FIVE SECURITY PATCHES OVERNIGHT, CLOSES CRITICAL TLS AND HTTP/2 HOLES
By RepoJournal · Filed · About Node.js
Five CVEs landed in the private repo with fixes for TLS hostname normalization, HTTP/2 memory exhaustion, SNI bypass, proxy credential leaks, and process.chdir permission handling - all merged and ready for release.
The security desk shipped a coordinated batch of fixes that close serious attack vectors in core protocols. A TLS hostname normalization bug [5] in server identity checks is patched alongside a case-sensitive SNI context matching vulnerability [8] that allowed mTLS bypass via uppercasing - both violations of RFC 6066. HTTP/2 clients now cap originSet at 128 entries to prevent unbounded memory growth from malicious servers [7]. Proxy credentials are redacted from tunnel errors [6] instead of leaking in stack traces, and process.chdir permission handling is hardened [4]. Meanwhile, the release desk published blog posts for three stable releases: v26.3.1 [1], v24.17.0 [2], and v22.23.0 [3]. On the undici front, two critical stream bugs landed: response chunks after stream destruction no longer crash with null reference errors [9], and multi-byte UTF-8 sequences in setEncoding() are now properly decoded [10] instead of corrupting CJK characters and emoji at chunk boundaries.
Action items
- Review the five security patches immediately - all CVEs are in production scope (nodejs/node) [immediate]
- Upgrade undici to pull in the stream destruction and UTF-8 decoding fixes before the next release (nodejs/undici) [immediate]
- Monitor the three stable releases for any build or deployment issues (nodejs/nodejs.org) [plan]
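The SNI fix [8] comes down to how the requested server name is matched against the registered per-host contexts. Below is an added illustration (not Node.js project code) of a case-sensitive lookup next to one that normalizes the name first; the context map, hostnames and function names are constructed for the example.

```javascript
// Constructed context table: the per-host contexts require client certificates,
// the default context does not, which is why falling through to it matters.
const contexts = new Map([
  ['api.example.com', { name: 'api-ctx', requestCert: true }],
  ['*.internal.example.com', { name: 'internal-ctx', requestCert: true }],
]);
const defaultContext = { name: 'default-ctx', requestCert: false };

// Naive lookup: exact string match, so "API.EXAMPLE.COM" misses the per-host
// entry and silently lands on the default context.
function lookupNaive(servername) {
  return contexts.get(servername) ?? defaultContext;
}

// Normalize the SNI value before matching: DNS names are case-insensitive, and
// RFC 6066 specifies the name without a trailing dot, so both are folded away.
// Anything that is not a plausible multi-label DNS name yields null.
function normalizeServername(servername) {
  if (typeof servername !== 'string') return null;
  let name = servername.toLowerCase();
  if (name.endsWith('.')) name = name.slice(0, -1);
  const label = '[a-z0-9]([a-z0-9-]*[a-z0-9])?';
  if (!new RegExp(`^${label}(\\.${label})+$`).test(name)) return null;
  return name;
}

// Hardened lookup: exact match on the normalized name, then a single-label
// wildcard match (leftmost label replaced by "*"), then the default context.
function lookupNormalized(servername) {
  const name = normalizeServername(servername);
  if (name === null) return defaultContext;
  if (contexts.has(name)) return contexts.get(name);
  const dot = name.indexOf('.');
  if (dot > 0) {
    const wildcard = '*' + name.slice(dot);
    if (contexts.has(wildcard)) return contexts.get(wildcard);
  }
  return defaultContext;
}

// Same shape as a tls.createServer({ SNICallback }) handler: (servername, cb).
function sniCallback(servername, cb) {
  cb(null, lookupNormalized(servername));
}
```

Running `lookupNaive('API.example.com')` returns the default context while `lookupNormalized` returns the per-host one, which is the difference the patch closes.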
References
- [1] feat(blog): create post for v26.3.1 (nodejs/nodejs.org)
- [2] feat(blog): create post for v24.17.0 (nodejs/nodejs.org)
- [3] feat(blog): create post for v22.23.0 (nodejs/nodejs.org)
- [4] permission: handle process.chdir on writereport (nodejs/node)
- [5] tls: normalize hostname for server identity checks (nodejs/node)
- [6] lib,test: redact proxy credentials in tunnel errors (nodejs/node)
- [7] http2: cap originSet size to prevent unbounded memory growth (nodejs/node)
- [8] tls: fix case-sensitive SNI context matching (nodejs/node)
- [9] fix: drop response chunks after the response stream is destroyed (#5356) (#5357) (nodejs/undici)
- [10] fix: handle incomplete multi-byte UTF-8 sequences in setEncoding() (nodejs/undici)
FAQ
- What changed in Node.js on June 18, 2026?
- Five CVEs landed in the private repo with fixes for TLS hostname normalization, HTTP/2 memory exhaustion, SNI bypass, proxy credential leaks, and process.chdir permission handling - all merged and ready for release.
- What should Node.js teams do about it?
- Review the five security patches immediately (all CVEs are in production scope); upgrade undici to pull in the stream destruction and UTF-8 decoding fixes before the next release; monitor the three stable releases for any build or deployment issues.
- Which Node.js repositories shipped on June 18, 2026?
- nodejs/nodejs.org, nodejs/node, nodejs/undici