2025-05-14, Version 20.19.2 'Iron' (LTS), @RafaelGSS
This is a security release.
Notable Changes
- (CVE-2025-23166) fix error handling on async crypto operation
- (CVE-2025-23167) (SEMVER-MAJOR) update llhttp to 9.2.0
- (CVE-2025-23165) add missing call to uv_fs_req_cleanup
Commits
- [
eb25047b1b] - deps: update llhttp to 9.2.0 (Node.js GitHub Bot) #51719 - [
12dcd8db08] - deps: update llhttp to 9.1.3 (Node.js GitHub Bot) #50080 - [
190e45a291] - (SEMVER-MAJOR) (CVE-2025-23167) deps: update llhttp to 9.1.2 (Paolo Insogna) #48981 - [
fc68c44e6a] - fs: added test for missing call to uv_fs_req_cleanup (Justin Nietzel) #57811 - [
9e13bf0a81] - (CVE-2025-23165) fs: add missing call to uv_fs_req_cleanup (Justin Nietzel) #57811 - [
bd0aa5d44c] - (CVE-2024-27982) http: do not allow OBS fold in headers by default (Paolo Insogna) nodejs-private/node-private#556 - [
6c57465920] - (CVE-2025-23166) src: fix error handling on async crypto operations (RafaelGSS) nodejs-private/node-private#710