RepoJournal
Node.js

NODE SHIPS FIVE SECURITY PATCHES OVERNIGHT, CLOSES CRITICAL TLS AND HTTP/2 HOLES

By RepoJournal

Five CVEs landed in the private repo with fixes for TLS hostname normalization, HTTP/2 memory exhaustion, SNI bypass, proxy credential leaks, and process.chdir permission handling - all merged and ready for release.

The security desk shipped a coordinated batch of fixes that close serious attack vectors in core protocols. A hostname normalization bug in TLS server identity checks [5] is patched alongside case-sensitive SNI context matching [8], which allowed mTLS bypass by uppercasing the server name; both behaviours violate RFC 6066. HTTP/2 clients now cap originSet at 128 entries to prevent unbounded memory growth from malicious servers [7]. Proxy credentials are redacted from tunnel errors [6] instead of leaking in stack traces, and process.chdir permission handling is hardened [4]. Meanwhile, the release desk published blog posts for three stable releases: v26.3.1 [1], v24.17.0 [2], and v22.23.0 [3]. On the undici front, two critical stream bugs landed: response chunks arriving after the stream has been destroyed no longer crash with null reference errors [9], and multi-byte UTF-8 sequences split across chunk boundaries in setEncoding() are now decoded correctly [10] instead of corrupting CJK characters and emoji.

References

  [1] feat(blog): create post for v26.3.1 (nodejs/nodejs.org)
  [2] feat(blog): create post for v24.17.0 (nodejs/nodejs.org)
  [3] feat(blog): create post for v22.23.0 (nodejs/nodejs.org)
  [4] permission: handle process.chdir on writereport (nodejs/node)
  [5] tls: normalize hostname for server identity checks (nodejs/node)
  [6] lib,test: redact proxy credentials in tunnel errors (nodejs/node)
  [7] http2: cap originSet size to prevent unbounded memory growth (nodejs/node)
  [8] tls: fix case-sensitive SNI context matching (nodejs/node)
  [9] fix: drop response chunks after the response stream is destroyed (#5356) (#5357) (nodejs/undici)
  [10] fix: handle incomplete multi-byte UTF-8 sequences in setEncoding() (nodejs/undici)

FAQ

What changed in Node.js on June 18, 2026?
Five CVEs landed in the private repo with fixes for TLS hostname normalization, HTTP/2 memory exhaustion, SNI bypass, proxy credential leaks, and process.chdir permission handling - all merged and ready for release.
What should Node.js teams do about it?
  • Review the five security patches immediately - all CVEs are in production scope
  • Upgrade undici to pull in the stream destruction and UTF-8 decoding fixes before the next release
  • Monitor the three stable releases for any build or deployment issues
Which Node.js repositories shipped on June 18, 2026?
nodejs/nodejs.org, nodejs/node, nodejs/undici
