Node.js has released version 24.4.1, which addresses two significant security vulnerabilities, CVE-2025-27209 and CVE-2025-27210. The release reverts the updates that introduced the RapidHash algorithm into the V8 engine, because that change exposed the runtime to a hash-collision Denial of Service (HashDoS) attack. It also corrects the handling of reserved Windows device names (such as CON, PRN and AUX), which could be used to bypass the path traversal protection in the path normalization function.
Notable Changes in Node.js v24.4.1:
- CVE-2025-27209: Fixes a HashDoS vulnerability in the V8 engine linked to the new RapidHash algorithm.
- CVE-2025-27210: Addresses the handling of reserved Windows device names to prevent path traversal vulnerabilities.
Key Commits:
- The reversion of the RapidHash commits was made to mitigate the identified DoS risk (Commit by Michaël Zasso).
- Enhancements to ensure that all reserved Windows device names are properly handled (Commit by RafaelGSS).
This update emphasizes the importance of regularly updating Node.js to maintain security and functionality. Developers are encouraged to review the changes and upgrade to the latest version to safeguard their applications from these vulnerabilities. As the Node.js ecosystem continues to evolve, staying informed about such updates is essential for robust and secure application development.
Node v24.4.1 (Current) released
Node.js 24.4.1 has been released with fixes for CVE-2025-27209 and CVE-2025-27210: the rapidhash commits in V8 are reverted, and Windows device names are now handled correctly so they can no longer bypass the path traversal protection.