Node.js has released version 25.3.0, emphasizing significant security enhancements aimed at addressing critical vulnerabilities and improving user safety. Key updates include the introduction of a new default error handler for TLSSocket connections, bolstering network checks during pipe_wrap connect operations, and refining the handling of symlink APIs and permission models. The release eliminates the zero-fill toggle mechanism for buffer creation to prevent unsafe buffers and reworks exception handling for stack overflows within async_hooks.
Notable contributions to this release come from developers RafaelGSS and Matteo Collina, addressing issues such as CVE-2025-59465, CVE-2026-21636, CVE-2025-55130, CVE-2025-55131, CVE-2025-59466, and CVE-2026-21637. Additionally, the update includes dependency upgrades for c-ares to version 1.34.6 and undici to 7.18.2, enhancing the underlying infrastructure of Node.js.
Overall, Node.js 25.3.0 is a crucial update that reinforces the platform's security framework. For users on earlier versions, upgrading to this release is highly recommended to benefit from the latest security measures and ensure a safer development environment. As the Node.js community continues to evolve, developers can expect ongoing improvements and updates to further enhance the platform's reliability and security.
In light of these updates, developers should also stay informed about best practices for security in their applications, including regular dependency checks, code audits, and utilizing security-focused libraries. The Node.js community supports a collaborative approach to security, encouraging users to contribute and report vulnerabilities to maintain a robust ecosystem
Notable contributions to this release come from developers RafaelGSS and Matteo Collina, addressing issues such as CVE-2025-59465, CVE-2026-21636, CVE-2025-55130, CVE-2025-55131, CVE-2025-59466, and CVE-2026-21637. Additionally, the update includes dependency upgrades for c-ares to version 1.34.6 and undici to 7.18.2, enhancing the underlying infrastructure of Node.js.
Overall, Node.js 25.3.0 is a crucial update that reinforces the platform's security framework. For users on earlier versions, upgrading to this release is highly recommended to benefit from the latest security measures and ensure a safer development environment. As the Node.js community continues to evolve, developers can expect ongoing improvements and updates to further enhance the platform's reliability and security.
In light of these updates, developers should also stay informed about best practices for security in their applications, including regular dependency checks, code audits, and utilizing security-focused libraries. The Node.js community supports a collaborative approach to security, encouraging users to contribute and report vulnerabilities to maintain a robust ecosystem
Node.js 25.3.0 (Current) released
Node.js 25.3.0 has been released with a focus on security improvements to address critical vulnerabilities and enhance user safety. This update includes several key changes, such as a new default error handler for TLSSocket connections, improved network checks during pipe_wrap connect operations, and enhanced handling of symlink APIs and permission models. Additionally, the update ditches the zero-fill toggle mechanism for buffer creation and reworks exception handling for stack overflows within async_hooks. Overall, Node.js 25.3.0 is a security-focused release that aims to plug specific holes and improve overall safety across the platform.
