RepoJournal
Node.js

@nodejs

The Node.js runtime — every backend team's CVE source of truth

Pick a date

Topics: JavaScript Full archive →

The Wire · Showcase

HTTP2 HEAP-USE-AFTER-FREE FIX LANDS IN NODE CORE

By RepoJournal · Filed · About Node.js

Node shipped a critical fix for a heap-use-after-free vulnerability in HTTP/2 stream handling that could crash servers under specific receive-and-send patterns.

The HTTP/2 team patched a nasty UAF in nghttp2_session_mem_recv() where RST_STREAM frames were being processed while nghttp2 was still iterating over streams [1]. The fix defers RST_STREAM handling until receive operations complete, preventing the session from closing streams that the underlying library is still touching. This is the kind of subtle memory safety issue that can stay dormant for years then explode under load. Beyond core, the team also landed documentation improvements covering TLS alpnProtocol and servername fields [2], finally giving these long-present properties the explicit coverage they deserved. Minor hygiene work continues across the codebase with comment and doc typo corrections [3] [4]. The nightly build pipeline remains active [5].

Action items

References

  1. [1] http2: avoid uaf while receiving and sending rst_stream ↗ nodejs/node
  2. [2] doc: document TLS alpnProtocol and servername fields ↗ nodejs/node
  3. [3] src: fix comment typos nodejs/node
  4. [4] doc: fix typos in contributing docs nodejs/node
  5. [5] snap: (auto) updated to 27.0.0-nightly20260718b8f81e9760 nodejs/snap

Quick answers

What shipped in Node.js on July 18, 2026?
Node shipped a critical fix for a heap-use-after-free vulnerability in HTTP/2 stream handling that could crash servers under specific receive-and-send patterns. In total, 12 commits and 8 pull requests landed.
Who contributed to Node.js on July 18, 2026?
6 developers shipped this update, including GitHub Actions, Eusgor, Jungwon Sohn, Donghoon Kang, pimterry, and Node.js GitHub Bot.
What were the notable Node.js updates?
http2: avoid uaf while receiving and sending rst_stream, doc: document TLS alpnProtocol and servername fields, and src: fix comment typos.

More from @nodejs

Daily updates, in your inbox

Follow Node.js

The Node.js runtime — every backend team's CVE source of truth We'll email you a link to confirm first.

Free. Confirm via email. Unsubscribe in one click.

— or follow the whole beat:

Elsewhere on the wire