Node.js has released security updates for versions 26.3.1, 24.17.0 LTS, and 22.23.0 LTS, addressing critical vulnerabilities related to TLS and memory management. These updates fix high-severity flaws in TLS hostname validation and WebCrypto output handling, while also implementing medium-priority changes to redact proxy credentials from logs and cap HTTP/2 origin tracking to prevent memory growth. Developers are advised to apply these patches immediately, as recent permission model changes may disrupt legacy scripts that depend on unrestricted access. Additionally, careful consideration is needed when rolling out the updates to avoid breaking production environments due to architecture mismatches and dependency issues
Node.js 26.3.1, 24.17.0 LTS, and 22.23.0 LTS Security Updates: Patch TLS and Memory Flaws Across All Versions
Node.js versions 26.3.1, 24.17.0 LTS, and 22.23.0 LTS drop with critical security patches that target core networking and cryptographic modules. The release fixes high severity flaws in TLS hostname validation and WebCrypto output handling to stop buffer overflows and certificate mismatches. Medium priority changes redact proxy credentials from error logs and cap HTTP/2 origin tracking to prevent unbounded memory growth. Teams should apply the patch immediately since low severity permission model adjustments will break legacy scripts that rely on unrestricted file and network access.
