Drew

Posted on DEV Community, originally published at dcyfr.ai

Node.js January 2026 Security Release: 8 CVEs Explained


Upgrade Required: Node.js released security patches on January 13, 2026 for 8 vulnerabilities affecting all active release lines (20.x, 22.x, 24.x, 25.x). Upgrade immediately to v20.20.0, v22.22.0, v24.13.0, or v25.3.0.

On January 13, 2026, the Node.js project released security patches addressing:

  • 3 High Severity vulnerabilities (buffer memory leak, symlink bypass, HTTP/2 DoS)
  • 4 Medium Severity vulnerabilities (AsyncLocalStorage crashes, TLS memory leak, UDS bypass, TLS callback DoS)
  • 1 Low Severity vulnerability (timestamp permissions bypass)

Permissions Model Scope

Important context: Three CVEs (CVE-2025-55130, CVE-2026-21636, CVE-2025-55132) only affect users of Node.js's experimental permission model (--experimental-permission or --permission flags).

This feature, introduced in Node.js v20 [1], has limited production adoption. Most Node.js deployments do NOT use the permissions model.

Quick check: If you don't explicitly pass --permission (or --experimental-permission on older lines), --allow-fs-read, --allow-fs-write, or --allow-net flags when starting Node.js, these three CVEs don't apply to your deployment.

If you do use the permissions model: These are critical bypasses that break your security boundaries. Upgrade immediately.

Patched Versions:

Release Line            | Patched Version
v25.x (Current)         | 25.3.0
v24.x (LTS)             | 24.13.0
v22.x (LTS)             | 22.22.0
v20.x (Maintenance LTS) | 20.20.0

Dependency Updates Included:

  • c-ares updated to 1.34.6 [2] - Fixes DNS resolver vulnerabilities including CVE-2025-62408 (use-after-free in read_answers()) and multiple moderate severity DNS parsing issues
  • undici updated to 6.23.0 / 7.18.0 [3] - Addresses HTTP client vulnerabilities including CVE-2026-22036 (unbounded decompression chain leading to DoS) and request smuggling issues

These dependency patches are automatically included in the Node.js security releases.


Affected Versions Matrix

CVE            | Severity | v20.x | v22.x | v24.x | v25.x | Notes
CVE-2025-55131 | High     | Yes   | Yes   | Yes   | Yes   | Buffer memory leak
CVE-2025-55130 | High     | Yes   | Yes   | Yes   | Yes   | Permissions model only
CVE-2025-59465 | High     | Yes   | Yes   | Yes   | Yes   | HTTP/2 servers
CVE-2025-59466 | Medium   | Yes   | Yes   | Yes   | Yes   | AsyncLocalStorage / async_hooks users
CVE-2025-59464 | Medium   | Yes   | Yes   | Yes   | No    | TLS cert processing
CVE-2026-21636 | Medium   | No    | No    | No    | Yes   | v25 permissions model
CVE-2026-21637 | Medium   | Yes   | Yes   | Yes   | Yes   | PSK/ALPN callback users
CVE-2025-55132 | Low      | Yes   | Yes   | Yes   | Yes   | Permissions model only

Quick Decision Guide

Your Situation                          | Action Required                                 | Risk Level
Running Node.js v20-v23 + any framework | Upgrade immediately to v20.20.0 / v22.22.0      | HIGH
Running Node.js v24.x + Next.js/React   | Upgrade to v24.13.0 (lower CVE-2025-59466 risk) | MEDIUM
Running Node.js v25.x                   | Upgrade immediately to v25.3.0                  | HIGH (v25-specific CVE)
Using --permission flags                | Upgrade urgently (3 bypasses)                   | CRITICAL
Running self-hosted HTTP/2 servers      | Review error handlers + upgrade                 | HIGH
Using APM tools (all versions)          | Upgrade + review recursion depth limits         | MEDIUM-HIGH

All users should upgrade regardless , but this helps you understand your specific risk exposure.


Who Should Upgrade?

Next.js and React Server Components Users

You are affected if:

  • You use Next.js 13+ with App Router (uses AsyncLocalStorage internally)
  • You use React Server Components
  • You use cookies(), headers(), or other Next.js request context APIs

Critical CVEs for you:

  • CVE-2025-59466 (AsyncLocalStorage crashes) - Stack overflow errors in your API routes can crash your entire application
  • CVE-2025-59465 (HTTP/2 DoS) - If serving HTTP/2 traffic, malformed requests can crash your server

Recommended Action:

# Check your Node.js version
node --version

# Upgrade to patched version
nvm install 24.13.0 # or 22.22.0, 20.20.0

# Create version pinning file
echo "24.13.0" > .nvmrc


Additional Mitigation:

Validate input depth in API routes to prevent stack overflow:

const MAX_DEPTH = 10;

// Returns false if `obj` nests deeper than MAX_DEPTH. Arrays are objects,
// so Object.values() walks them too. Because the check stops at
// MAX_DEPTH + 1, the validator itself can never recurse unboundedly.
function validateDepth(obj: unknown, depth = 0): boolean {
  if (depth > MAX_DEPTH) return false;
  if (typeof obj !== 'object' || obj === null) return true;

  return Object.values(obj).every((v) => validateDepth(v, depth + 1));
}


APM and Tracing Users

You are affected if:

  • You use any Application Performance Monitoring tool
  • You have require('dd-trace'), require('newrelic'), or similar APM initialization
  • You use OpenTelemetry for distributed tracing

Why APM makes CVE-2025-59466 worse:

APM tools use async_hooks.createHook() (directly, or through AsyncLocalStorage on Node.js v20-v23) to trace requests across async boundaries. The moment you import such a package, your application has async_hooks enabled, and on an unpatched runtime stack overflow errors become uncatchable.

The irony: The tools you install to monitor crashes can make a category of crashes behave differently.

Recommended Action:

  1. Upgrade Node.js to patched versions immediately
  2. Review recursive functions in your codebase
  3. Add depth limits to any user-input-driven recursion

Permission Model Users

You are affected if:

  • You use --experimental-permission or --permission flags
  • You use --allow-fs-read, --allow-fs-write, or --allow-net flags

Critical CVEs for you:

  • CVE-2025-55130 (Symlink bypass) - Attackers can escape file system restrictions
  • CVE-2026-21636 (UDS bypass) - v25 only, network restrictions bypassed
  • CVE-2025-55132 (futimes bypass) - Timestamp modification in read-only directories

Recommended Action:

Upgrade immediately. The permissions model's security guarantees are broken until patched.

HTTP/2 and TLS Server Operators

You are affected if:

  • You run HTTP/2 servers with TLS
  • You use TLS client certificate authentication (mTLS)
  • You use Pre-Shared Key (PSK) or ALPN callbacks

Critical CVEs for you:

  • CVE-2025-59465 (HTTP/2 DoS) - Malformed frames crash servers
  • CVE-2025-59464 (TLS memory leak) - Certificate processing leaks memory
  • CVE-2026-21637 (Callback DoS) - PSK/ALPN exceptions cause crashes

Recommended Action:

  1. Upgrade Node.js immediately
  2. Add explicit error handlers to TLS sockets
  3. Monitor memory usage for TLS-heavy workloads

How to Upgrade

Using nvm (Node Version Manager)

# Install the patched version for your release line
nvm install 24.13.0 # LTS (recommended)
nvm install 22.22.0 # Previous LTS
nvm install 20.20.0 # Maintenance LTS
nvm install 25.3.0 # Current

# Verify installation
node --version
# v24.13.0

# Set as default
nvm alias default 24.13.0

# Create version pinning file for your project
echo "24.13.0" > .nvmrc
echo "24.13.0" > .node-version # For other version managers


Using Homebrew (macOS)

brew update
brew upgrade node        # the unversioned formula tracks the Current line (25.x)
# brew install node@22   # versioned formulae pin an LTS line instead
node --version

Verifying the Upgrade

# Check Node.js version
node --version
# Should show: v20.20.0, v22.22.0, v24.13.0, or v25.3.0

# Verify npm is functional
npm --version

# Run your test suite
npm test

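Checking the version by eye is fine on a laptop; in CI you want the check to fail the build. The following is an added example, not code from the original post or from the Node.js project: a small guard that parses the running version, compares it against the first patched release of its line (the versions from the patched-version table above), and treats lines with no patched release as end-of-life. The `PATCHED` table and the message wording are the only assumptions.

```javascript
// Added example, not from the original post or the Node.js project: a CI
// guard that fails the build when the running Node.js predates the first
// patched release of its line (versions from the January 2026 advisory).
const PATCHED = { 20: '20.20.0', 22: '22.22.0', 24: '24.13.0', 25: '25.3.0' };

// "v24.13.0" or "24.13.0-nightly..." -> [24, 13, 0]
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`unrecognised Node.js version: ${version}`);
  return m.slice(1).map(Number);
}

// Numeric, component-wise comparison (string comparison would put 24.9 after 24.13).
function compareVersions(a, b) {
  for (let i = 0; i < 3; i += 1) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns { ok, message }. Lines with no patched release in the advisory
// (e.g. 18.x, 21.x, 23.x) are end-of-life and fail the check outright.
function checkNodeVersion(version = process.version) {
  const parsed = parseVersion(version);
  const patched = PATCHED[parsed[0]];
  if (!patched) {
    return { ok: false, message: `Node.js ${version}: no patched release for this line, move to an active LTS line` };
  }
  if (compareVersions(parsed, parseVersion(patched)) < 0) {
    return { ok: false, message: `Node.js ${version} is below the patched ${patched}` };
  }
  return { ok: true, message: `Node.js ${version} includes the January 2026 security fixes` };
}
```

Call checkNodeVersion() with no argument as a CI step and exit non-zero when ok is false; pinning via .nvmrc keeps the version consistent, this guard proves it is actually patched.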

CI/CD Considerations

Update your GitHub Actions workflows to use version pinning:

# .github/workflows/ci.yml
- uses: actions/setup-node@v4
  with:
    node-version-file: '.nvmrc' # Use version from .nvmrc file


High Severity Vulnerabilities

CVE-2025-55131: Buffer Memory Leak via Race Condition

Affected Versions: 20.x, 22.x, 24.x, 25.x

Reporter: Nikita Skovoroda

A flaw in Node.js buffer allocation logic can expose uninitialized memory when allocations are interrupted while using the vm module with the timeout option. Under specific timing conditions, buffers allocated with Buffer.alloc() and TypedArray instances like Uint8Array may contain leftover data from previous operations.

Impact:

This vulnerability can allow in-process secrets such as tokens, passwords, or API keys to leak, or result in data corruption. While exploitation typically requires precise timing or in-process code execution, it can become remotely exploitable when untrusted input influences workload and timeouts.

Example Risk Scenario:

import { runInNewContext } from 'vm';

// Earlier in the process: a buffer that held a secret (its memory may be
// reused by later allocations)
const sensitiveBuffer = Buffer.alloc(1024);
sensitiveBuffer.write('SECRET_API_KEY_xyz123');

// Later, a vm call with a timeout. Buffer must be passed into the sandbox
// because a fresh context does not expose Node globals. If the allocation
// is interrupted by the timeout, the race can occur.
const result = runInNewContext('Buffer.alloc(1024)', { Buffer }, { timeout: 100 });
// Under the race, `result` may contain leftover data from earlier
// allocations, e.g. "SECRET_API_KEY_xyz123", instead of zeros


Mitigation: Upgrade to patched versions. Avoid using vm module with untrusted input and timeout options in security-sensitive contexts.

CVE-2025-55131 can expose in-process secrets (API keys, tokens, passwords) through uninitialized memory. If you use the vm module with timeouts on untrusted input, upgrade immediately: with precise timing the leak becomes remotely exploitable.


CVE-2025-55130: File System Permissions Bypass via Symlinks

Affected Versions: 20.x, 22.x, 24.x, 25.x (permissions model users)

Reporter: natann

Fix By: RafaelGSS

A flaw in Node.js's Permissions model allows attackers to bypass --allow-fs-read and --allow-fs-write restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files.

Impact:

This breaks the expected isolation guarantees and enables arbitrary file read/write, potentially leading to system compromise.

Attack Pattern:

# Application started with restricted permissions (under the permission
# model the entry point itself must also be readable, hence the second flag)
node --experimental-permission --allow-fs-read=/app/data --allow-fs-read=/app/app.js /app/app.js

# Attacker creates symlink chain to escape /app/data
# symlink: /app/data/escape -> ../../../etc/passwd
# Script can now read /etc/passwd despite restrictions


Who Is Affected:

Only users of the Node.js permission model (--experimental-permission or --permission flags) are affected. If you're not using these flags, this CVE does not apply to your deployments.

Mitigation: Upgrade to patched versions. Review symlink handling in permission-restricted environments.

If you use --experimental-permission or --permission flags, CVE-2025-55130 allows complete escape of file system restrictions via symlink chains. This breaks expected isolation guarantees and enables arbitrary file read/write. Upgrade urgently if you rely on the permissions model for security boundaries.


CVE-2025-59465: HTTP/2 Server Crash via Malformed HEADERS

Affected Versions: 20.x, 22.x, 24.x, 25.x

Reporter: dantt

Fix By: RafaelGSS

A malformed HTTP/2 HEADERS frame with oversized, invalid HPACK data can cause Node.js to crash by triggering an unhandled TLSSocket error (ECONNRESET). Instead of safely closing the connection, the process crashes, enabling remote denial of service.

Impact:

This vulnerability primarily affects applications that do not attach explicit error handlers to secure sockets. A remote attacker can crash your entire Node.js process with a single malformed request.

Vulnerable Pattern:

// Default HTTP/2 server - NO explicit error handlers
import { readFileSync } from 'fs';
import { createSecureServer } from 'http2';

const server = createSecureServer({
  key: readFileSync('server-key.pem'), // paths are illustrative
  cert: readFileSync('server-cert.pem'),
});

server.on('stream', (stream, headers) => {
  // Handle request
  stream.respond({ ':status': 200 });
  stream.end('ok');
});

server.listen(443);
// Attacker sends malformed HEADERS frame -> unhandled TLSSocket error -> process crashes


Recommended Mitigation:

// Add explicit error handlers so a bad frame costs one connection,
// not the whole process
server.on('secureConnection', (socket) => {
  socket.on('error', (err) => {
    console.error('TLS socket error:', err.message);
    // Gracefully close instead of crashing
    socket.destroy();
  });
});

// Also catch errors surfaced at the HTTP/2 session level
server.on('sessionError', (err) => {
  console.error('HTTP/2 session error:', err.message);
});


Who Is Affected:

Any Node.js application using HTTP/2 without explicit TLS socket error handlers. This includes many Next.js, Fastify, and custom HTTP/2 deployments.

A single malformed HTTP/2 HEADERS frame can crash your entire Node.js process if you don't have explicit error handlers on secure sockets. This affects any HTTP/2 server without socket.on('error') handlers. Add error handling NOW, then upgrade.


Medium Severity Vulnerabilities

CVE-2025-59466: AsyncLocalStorage Stack Overflow Crashes

Affected Versions: 20.x, 22.x, 24.x, 25.x

Reporter: Andrew MacPherson (AndrewMohawk), aaron_vercel

Fix By: mcollina

A bug in Node.js error handling causes "Maximum call stack size exceeded" errors to become uncatchable when async_hooks.createHook() is enabled. Instead of reaching process.on('uncaughtException'), the process terminates immediately, making the crash unrecoverable.

Why This Matters:

This vulnerability silently affects a massive portion of the Node.js ecosystem because:

  • React Server Components use AsyncLocalStorage internally
  • Next.js uses AsyncLocalStorage for request context tracking (cookies, headers) [4]
  • Every major APM tool (Datadog [5], New Relic [6], Dynatrace, Elastic APM, OpenTelemetry [7]) uses AsyncLocalStorage or async_hooks.createHook() to trace requests

Applications whose recursion depth is controlled by unsanitized input become vulnerable to denial-of-service attacks.

Example Vulnerable Pattern:

// API route processing deeply nested user input
export async function POST(request: Request) {
  const data = await request.json();

  // If data is deeply nested (1000+ levels), stack overflow occurs
  // With AsyncLocalStorage active, error bypasses all handlers
  // Process crashes immediately - no logging, no recovery
  const result = processNestedData(data);

  return Response.json(result);
}

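The validateDepth() helper in the Next.js section above and the POST handler just shown both depend on bounding depth. The following is an added example, not code from the original post or from the Node.js advisory, that moves the bound in front of JSON.parse with an iterative scan of the raw body and then processes the parsed value with an explicit stack, so attacker-controlled nesting never reaches the call stack at all. flattenPaths() stands in for the hypothetical processNestedData(), handlePost() is a framework-agnostic stand-in for the route handler, and MAX_DEPTH, MAX_BODY_BYTES and the sample bodies are constructed for the example.

```javascript
// Added example, not from the original post or the Node.js advisory.
// Bound nesting depth *before* JSON.parse and walk the result without
// recursion, so user-controlled depth can never exhaust the stack.

const MAX_DEPTH = 10;             // assumed limit; tune per API
const MAX_BODY_BYTES = 64 * 1024; // assumed limit

// Iterative scanner over raw JSON text: tracks [ and { nesting outside string
// literals (honouring backslash escapes). Returns the maximum depth seen, or
// -1 if brackets are unbalanced or a string is left open.
function jsonNestingDepth(text) {
  let depth = 0;
  let maxDepth = 0;
  let inString = false;
  let escaped = false;
  for (const ch of text) {
    if (inString) {
      if (escaped) escaped = false;
      else if (ch === '\\') escaped = true;
      else if (ch === '"') inString = false;
      continue;
    }
    if (ch === '"') inString = true;
    else if (ch === '{' || ch === '[') maxDepth = Math.max(maxDepth, ++depth);
    else if (ch === '}' || ch === ']') { if (--depth < 0) return -1; }
  }
  return depth === 0 && !inString ? maxDepth : -1;
}

// Parse only after the cheap checks pass. Never throws.
function parseBounded(text, maxDepth = MAX_DEPTH) {
  if (Buffer.byteLength(text, 'utf8') > MAX_BODY_BYTES) {
    return { ok: false, reason: 'body too large' };
  }
  const depth = jsonNestingDepth(text);
  if (depth < 0) return { ok: false, reason: 'malformed JSON' };
  if (depth > maxDepth) return { ok: false, reason: `nesting ${depth} exceeds ${maxDepth}` };
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch {
    return { ok: false, reason: 'malformed JSON' };
  }
}

// Stand-in for the hypothetical processNestedData(): flattens a value into
// { "dotted.path": leaf } using an explicit stack instead of recursion.
function flattenPaths(value) {
  const out = {};
  const stack = [{ path: '', node: value }];
  while (stack.length > 0) {
    const { path, node } = stack.pop();
    if (node !== null && typeof node === 'object') {
      for (const [key, child] of Object.entries(node)) {
        stack.push({ path: path ? `${path}.${key}` : key, node: child });
      }
    } else {
      out[path] = node;
    }
  }
  return out;
}

// Route-handler shape (framework-agnostic): returns { status, body }.
function handlePost(bodyText) {
  const parsed = parseBounded(bodyText);
  if (!parsed.ok) return { status: 400, body: { error: parsed.reason } };
  return { status: 200, body: flattenPaths(parsed.value) };
}

// Constructed inputs: a normal request and a 5000-level bracket bomb.
const NORMAL_BODY = '{"user":{"name":"ann","tags":["x","y"]}}';
const DEEP_BODY = '['.repeat(5000) + ']'.repeat(5000);
```

In a real route you would read the body as text (request.text() rather than request.json()) and hand it to parseBounded(), so the depth decision is made on a flat byte scan that cannot itself overflow, regardless of whether async_hooks is active.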

Important Caveat:

The Node.js patch improves recoverability in one edge case, but the documentation explicitly states:

"Recovery from space exhaustion is unspecified, best-effort behavior and is not a reliable basis for availability or security."

Recommendation: Don't rely on catching stack overflow errors. Prevent them by validating input depth and bounding recursion.

Important for Node.js v24+ users: Node.js v24 fundamentally changed AsyncLocalStorage's implementation: it no longer uses async_hooks.createHook() internally [8]. This means:

  • React Server Components: NOT affected on Node.js v24+
  • Next.js (cookies, headers, etc.): NOT affected on Node.js v24+
  • APM tools using only AsyncLocalStorage: NOT affected on Node.js v24+
  • APM tools directly using async_hooks.createHook(): Still affected on all versions

If you're running Node.js v24.x, CVE-2025-59466 is primarily a concern if you:

  1. Use APM tools that directly call async_hooks.createHook() (check vendor documentation)
  2. Have custom code using async_hooks.createHook()

On Node.js v20-v23 the vulnerability applies in full, because AsyncLocalStorage itself is built on async_hooks.createHook() there.

Bottom line: The risk profile for Next.js applications is significantly different between Node.js v20-v23 (high risk) and v24+ (lower risk). Upgrade regardless, but understand the context.

Further Reading: Node.js published a detailed companion blog post: Mitigating Denial-of-Service Vulnerability from Unrecoverable Stack Space Exhaustion for React, Next.js, and APM Users

CVE-2025-59466 silently affects massive portions of the Node.js ecosystem: Next.js (cookies, headers), React Server Components, and every major APM tool (Datadog, New Relic, OpenTelemetry). On Node.js v20-v23, stack overflow errors bypass all handlers and crash immediately. Node.js v24+ significantly reduces risk for Next.js/RSC, but APM tools using async_hooks.createHook() remain vulnerable. Validate input depth + upgrade.


CVE-2025-59464: TLS Certificate Memory Leak

Affected Versions: 20.x, 22.x, 24.x

Reporter: giant_anteater

Fix By: RafaelGSS

A memory leak in Node.js's OpenSSL integration occurs when converting X.509 certificate fields to UTF-8 without freeing the allocated buffer. When applications call socket.getPeerCertificate(true), each certificate field leaks memory.

Impact:

Remote clients can trigger steady memory growth through repeated TLS connections. Over time, this leads to resource exhaustion and denial of service.

Affected Pattern:

// TLS server processing client certificates
server.on('secureConnection', (socket) => {
  // Each call leaks memory
  const cert = socket.getPeerCertificate(true);
  // Memory never freed for certificate fields
});


Who Is Affected:

Applications that process TLS client certificates, particularly mutual TLS (mTLS) implementations and certificate-based authentication systems.
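Because this leak is driven by remote handshakes, the practical signal is steady RSS growth rather than a crash. The following is an added example, not code from the original post or the Node.js project: a small watchdog that samples process RSS, fits a least-squares slope over a rolling window so a single garbage-collection cycle does not trip it, and invokes a callback when growth stays above a threshold. The interval, window and threshold defaults are assumptions, and the two sample windows are constructed for the example.

```javascript
// Added example, not from the original post or the Node.js advisory: a
// watchdog for the steady RSS growth that CVE-2025-59464 produces under
// repeated client-certificate handshakes. A least-squares slope over a
// window of samples is used so one GC cycle does not cause an alarm.

// Least-squares slope (bytes per second) of memory against time.
function growthSlope(samples) {
  const n = samples.length;
  if (n < 2) return 0;
  let sumT = 0, sumM = 0, sumTT = 0, sumTM = 0;
  for (const { t, bytes } of samples) {
    sumT += t; sumM += bytes; sumTT += t * t; sumTM += t * bytes;
  }
  const denom = n * sumTT - sumT * sumT;
  return denom === 0 ? 0 : (n * sumTM - sumT * sumM) / denom;
}

// Leak verdict: fitted growth above the threshold AND the window ends higher
// than it started (rules out a rising-then-collected sawtooth).
function detectSteadyGrowth(samples, thresholdBytesPerSec) {
  const slope = growthSlope(samples);
  const last = samples[samples.length - 1];
  const rising = samples.length >= 2 && last.bytes > samples[0].bytes;
  return { slope, leaking: rising && slope > thresholdBytesPerSec };
}

// Rolling sampler over process.memoryUsage().rss; unref'd so it never keeps
// the process alive. Defaults are assumed values, tune them per workload.
function createRssMonitor({ intervalMs = 5000, windowSize = 60, thresholdBytesPerSec = 256 * 1024, onLeak } = {}) {
  const samples = [];
  const started = Date.now();
  const timer = setInterval(() => {
    samples.push({ t: (Date.now() - started) / 1000, bytes: process.memoryUsage().rss });
    if (samples.length > windowSize) samples.shift();
    const verdict = detectSteadyGrowth(samples, thresholdBytesPerSec);
    if (verdict.leaking && onLeak) onLeak(verdict, samples.slice());
  }, intervalMs);
  timer.unref();
  return { samples, stop: () => clearInterval(timer) };
}

// Constructed sample windows: a 1 MiB/s leak and a flat, noisy baseline.
const LEAK_SAMPLES = Array.from({ length: 10 }, (_, t) => ({ t, bytes: 100e6 + t * 1048576 }));
const FLAT_SAMPLES = [100e6, 102e6, 99e6, 101e6, 98e6].map((bytes, t) => ({ t, bytes }));
```

Wire onLeak to your alerting, or to a graceful drain-and-restart if the server sits behind a load balancer; the monitor only tells you growth is monotonic, the fix is still the upgrade.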


CVE-2026-21636: Unix Domain Socket Permissions Bypass

Affected Versions: v25.x only

Reporter: mufeedvh

Fix By: RafaelGSS

A flaw in Node.js's permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when --permission is enabled. Even without --allow-net, attacker-controlled inputs (such as URLs or socketPath options) can connect to arbitrary local sockets via net, tls, or undici/fetch.

Impact:

This breaks the intended security boundary of the permission model and enables access to privileged local services, potentially leading to privilege escalation, data exposure, or local code execution.

Note: Network permissions (--allow-net) are still in the experimental phase.

Who Is Affected:

Only users of the Node.js permission model on version v25.x. If you're using v20, v22, or v24, or not using the permission model, this CVE does not apply.


CVE-2026-21637: TLS PSK/ALPN Callback DoS

Affected Versions: 20.x, 22.x, 24.x, 25.x (servers using PSK or ALPN callbacks)

Reporter: 0xmaxhax

Fix By: mcollina

A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when pskCallback or ALPNCallback are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error).

Impact:

This causes either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue.

Who Is Affected:

TLS servers using Pre-Shared Key (PSK) authentication or Application-Layer Protocol Negotiation (ALPN) callbacks that may throw exceptions.
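Until the patch lands, the defensive pattern is to make sure neither callback can throw on attacker-supplied handshake data. The following is an added example, not code from the original post or the Node.js project: it shows the unsafe lookup shape beside hardened pskCallback and ALPNCallback implementations that return a rejection value (null for PSK, undefined for ALPN) on any unexpected input, plus the server wiring with a tlsClientError handler. The PSK identities, keys and per-hostname ALPN policy are constructed for the example.

```javascript
// Added example, not from the original post or the Node.js advisory.
// Hardened pskCallback / ALPNCallback: every path that touches the
// attacker-controlled handshake values (PSK identity, SNI name, offered
// protocols) returns a rejection value instead of throwing synchronously.

// Constructed sample data (hypothetical identities and policy).
const PSK_TABLE = new Map([
  ['device-001', { key: Buffer.from('0123456789abcdef0123456789abcdef', 'hex'), enabled: true }],
  ['device-002', { key: Buffer.from('fedcba9876543210fedcba9876543210', 'hex'), enabled: false }],
]);
const ALPN_POLICY = {
  'api.example.test': ['h2', 'http/1.1'], // preference order
  'legacy.example.test': ['http/1.1'],
};

// Unsafe shapes: an unknown identity or hostname raises TypeError inside the
// handshake, which is exactly the path CVE-2026-21637 describes.
function pskCallbackUnsafe(socket, identity) {
  return PSK_TABLE.get(identity).key;
}
function alpnCallbackUnsafe({ servername, protocols }) {
  return ALPN_POLICY[servername].find((p) => protocols.includes(p));
}

// Hardened: returning null makes OpenSSL fail the handshake cleanly.
function pskCallback(socket, identity) {
  try {
    if (typeof identity !== 'string' || identity.length === 0 || identity.length > 64) return null;
    const entry = PSK_TABLE.get(identity);
    return entry && entry.enabled ? entry.key : null;
  } catch {
    return null;
  }
}

// Hardened: returning undefined sends a fatal alert without throwing; the
// own-property check also keeps "__proto__"-style SNI names off the policy.
function ALPNCallback({ servername, protocols } = {}) {
  try {
    if (!Object.prototype.hasOwnProperty.call(ALPN_POLICY, servername)) return undefined;
    const offered = Array.isArray(protocols) ? protocols : [];
    return ALPN_POLICY[servername].find((p) => offered.includes(p));
  } catch {
    return undefined;
  }
}

// Server wiring (not started here). ALPNProtocols must not be set alongside
// ALPNCallback, and tlsClientError is handled so a failed handshake only
// costs the one socket.
function createHardenedServer(extraOptions = {}) {
  const tls = require('node:tls'); // required lazily so the callbacks above stay testable stand-alone
  const server = tls.createServer({ ciphers: 'PSK', pskCallback, ALPNCallback, ...extraOptions });
  server.on('tlsClientError', (err, socket) => {
    console.error('handshake rejected:', err.message);
    socket.destroy();
  });
  return server;
}
```

The rule generalises: anything that runs synchronously inside the handshake (SNICallback included) should validate its input up front and convert failures into the API's documented rejection value rather than an exception.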


Low Severity Vulnerability

CVE-2025-55132: fs.futimes() Permissions Bypass

Affected Versions: 20.x, 22.x, 24.x, 25.x (permissions model users)

Reporter: oriotie

Fix By: RafaelGSS

A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via futimes() even when the process has only read permissions. Unlike utimes(), futimes() does not apply the expected write-permission checks.

Impact:

File metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs and audit trails.

Who Is Affected:

Only users of the Node.js permission model. Low impact for most deployments.

Three CVEs (CVE-2025-55130, CVE-2026-21636, CVE-2025-55132) only affect users of Node.js's experimental permission model (--experimental-permission or --permission flags). This feature has limited production adoption: most Node.js deployments do NOT use it. Quick check: if you don't pass --permission or --experimental-permission when starting Node.js, these three CVEs don't apply to your deployment.


Key Takeaways

  1. Upgrade immediately - Every active Node.js release line (20.x, 22.x, 24.x, 25.x) is affected by 7 of the 8 CVEs

  2. HTTP/2 servers need error handlers - CVE-2025-59465 can crash servers that lack explicit TLS socket error handling

  3. AsyncLocalStorage affects most modern apps - If you use Next.js, React Server Components, or any APM tool on Node.js v20-v23, CVE-2025-59466 applies to you; on v24+ it still applies when your tooling calls async_hooks.createHook() directly

  4. Prevent stack overflow, don't catch it - Input validation and recursion depth limits are more reliable than error handling

  5. Permission model users: patch urgently - Multiple CVEs break file system and network isolation guarantees

  6. Pin your Node.js version - Use .nvmrc and .node-version files to ensure consistent versions across development and CI/CD

  7. Subscribe to security notifications - Join the nodejs-sec mailing list for future advisories


References

Official Node.js Resources

Release Notes

Security Mailing List

Subscribe to the low-volume, announcement-only nodejs-sec mailing list: groups.google.com/forum/#!forum/nodejs-sec

Footnotes

  1. Node.js 20 Released, Features Experimental Permission Model - InfoQ

  2. c-ares vulnerabilities - Official c-ares vulnerability database

  3. The January 2026 Security Update Review - Zero Day Initiative (undici CVE-2026-22036)

  4. Functions: cookies | Next.js - Official Next.js documentation on AsyncLocalStorage usage

  5. Mitigation for Node.js denial-of-service vulnerability affecting APM - Datadog

  6. Introducing AsyncLocalStorage context manager for the Node.js agent - New Relic

  7. Monitoring and Tracing | Hive Gateway - OpenTelemetry integration guide

  8. Mitigating Denial-of-Service Vulnerability from Unrecoverable Stack Space Exhaustion - Node.js Official Blog (AsyncLocalStorage v24 reimplementation)
