Node.js January 13, 2026 security releases fix multiple high‑severity runtime and permission flaws

Tags: React, Node.js, DevOps

TL;DR — The Node.js project published coordinated security releases on January 13, 2026 for active release lines (20.x, 22.x, 24.x, 25.x). The fixes include three high‑severity CVEs (notably a buffer allocation race that can expose uninitialized memory and a crafted symlink bypass of the permission model), plus multiple medium/low issues affecting HTTP/2, TLS callback handling, Unix Domain Socket permission checks and more. Upgrading to the patched builds and validating isolation/error-handling codepaths should be treated as an urgent operational task. (nodejs.org)

What landed (short)

  • Coordinated security update for Node.js release lines 20.x, 22.x, 24.x and 25.x (multiple CVEs; 3 high, 4 medium, 1 low). (nodejs.org)
  • High-severity highlights:
    • CVE-2025-55131 — race in buffer allocation: under certain timeout/concurrency conditions, allocations made with Buffer.alloc() or a TypedArray constructor can return memory that was never zero-filled, exposing whatever the previous owner of that memory held (in-process secrets included). (nodejs.org)
    • CVE-2025-55130 — crafted relative symlink chains can bypass the Permission Model’s --allow-fs-* restrictions and escape filesystem boundaries. (nodejs.org)
    • CVE-2025-59465 — malformed HPACK in HTTP/2 HEADERS frames can trigger unhandled TLSSocket errors that crash the process (remote DoS). (nodejs.org)
  • Other material fixes include async_hooks stack‑overflow handling, TLS client certificate memory leak, UDS permission bypass with the Permission Model, and PSK/ALPN callback exception handling. (nodejs.org)

Patched versions you should install

  • 20.20.0, 22.22.0, 24.13.0, 25.3.0 — upgrade the release line you run to the corresponding patched version. (nodejs.org)

Why this matters for full‑stack teams

  • Confidentiality: the buffer allocation bug can leak secrets (tokens, keys, session data) when an allocation that should have been zeroed instead returns recycled memory and that buffer is serialized or sent to a client. This is not purely theoretical in high-concurrency or timeout-bound environments. (nodejs.org)
  • Isolation guarantees: teams relying on Node’s Permission Model for sandboxing or multi‑tenant isolation must assume symlink traversal and UDS paths were previously bypassable — trust boundaries need revalidation. (nodejs.org)
  • Availability and resilience: malformed HTTP/2 frames, the async_hooks stack-overflow case and the TLS PSK/ALPN callback issues can crash a server, and the client-certificate issue leaks memory across handshakes, all under attacker-controlled input; production servers that accept arbitrary client traffic are at risk until patched. (nodejs.org)

Action checklist (priority order)

  1. Patch now (within your maintenance window)
    • Upgrade to the patched Node.js version for your release line (20.20.0 / 22.22.0 / 24.13.0 / 25.3.0). Test in staging and canary before fleet rollout. (nodejs.org)
  2. CI / image hygiene
    • Rebuild and push runtime images (base images / multi‑stage Docker builds). Ensure your CI uses pinned Node images, not "latest".
    • Update the engines constraint in package.json and every place the Node version is pinned (.nvmrc, asdf's .tool-versions, Dockerfile FROM lines) so CI and developers pick up the patched build.
  3. Security‑critical runtime checks and code audits (short sprints)
    • Search the codebase for Buffer/TypedArray allocations whose contents are returned or sent to clients (e.g., Buffer.alloc followed by immediate serialization). If an unpatched build must keep running during rollout, call buf.fill(0) explicitly on those buffers rather than trusting the allocation to be zeroed. (nodejs.org)
    • Audit code using the permission model, symlink handling, or any custom file-resolution logic. Replace relative symlink handling with canonicalized path checks and strict allowlists. (nodejs.org)
    • Ensure all TLS servers attach error handlers to TLSSocket/server events; make TLS PSK/ALPN callbacks defensive (wrap synchronous callbacks in try/catch and fail safely). (nodejs.org)
    • Review any use of vm with timeout options and places that rely on timeouts to bound execution (those interact with the buffer allocation fix). (nodejs.org)
  4. Observability & runtime detection
    • Alert on increases in process crashes or restarts, and on sustained memory growth correlated with TLS handshake volume (the client-certificate leak) or with HTTP/2 session error rates.
    • Run fuzzing or malformed-headers tests against any HTTP/2 endpoints (simulate oversized HPACK/HEADERS frames) in staging to confirm crash fixes.
  5. Deployment strategy
    • Canary → rollout: deploy to a small percentage of traffic; monitor OOM/crash rates, heap growth, TLS handshake metrics and latency before widening.
    • For stateful clusters, prefer rolling restarts to avoid all-at-once disruptions.

Testing suggestions (quick, high impact)

  • Run integration tests that exercise:
    • Buffer allocation paths under timeouts and concurrent workloads; add synthetic workloads that allocate and expose buffers.
    • Filesystem traversal tests that create chained relative symlinks and assert permission model/allowlist enforcement.
    • Repeated TLS handshakes with client certs calling socket.getPeerCertificate(true) to ensure memory does not steadily grow.
    • HTTP/2 malformed header frames to ensure the process stays alive and errors are handled.

Operational notes and mitigations if you cannot upgrade immediately

  • If immediate upgrade is impossible:
    • Limit exposure: restrict public HTTP/2/TLS endpoints behind WAF/load balancers, block malformed HTTP/2 at network edge if possible.
    • Instrument and sandbox high‑risk processes; run less‑trusted workloads in separate processes or containers with stronger OS‑level isolation.
    • For permission‑model users, avoid relying on experimental permission flags for security-critical isolation until patched platforms are in place. (nodejs.org)

One last practical tip

  • The release also updates dependencies (c-ares and undici) — make sure projects that vendor or embed undici or have native bindings rebuild and retest after the Node upgrade. (nodejs.org)
