Node v22.13.1 nsolid v5.6.1 release #259
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Without this patch, on Windows, normalizing a relative path might result in a path that Windows considers absolute. In rare cases, this might lead to path traversal vulnerabilities in user code. We attempt to detect those cases and return a relative path instead. PR-URL: nodejs-private/node-private#555 Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> CVE-ID: CVE-2025-23084
Signed-off-by: Matteo Collina <hello@matteocollina.com> PR-URL: nodejs-private/node-private#662 Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> CVE-ID: CVE-2025-22150
Previously this PR it was expected that InternalWorker
usage doesn't require the --allow-worker when the permission
model is enabled. This, however, exposes a vulnerability
whenever the instance gets accessed by the user. For example
through diagnostics_channel.subscribe('worker_threads')
PR-URL: nodejs-private/node-private#651
Refs: nodejs-private/node-private#629
CVE-ID: CVE-2025-23083
This commit fixes a memory leak when the socket is suddenly closed by the peer (without GOAWAY notification) and when invalid header (by nghttp2) is identified and the connection is terminated by peer. Refs: https://hackerone.com/reports/2841362 PR-URL: nodejs-private/node-private#650 Reviewed-By: James M Snell <jasnell@gmail.com> CVE-ID: CVE-2025-23085
This is a security release. Notable changes: * CVE-2025-23083: throw on InternalWorker use when permission model is enabled (High) * CVE-2025-23084: fix path traversal in normalize() on Windows (Medium) * CVE-2025-23085: fix HTTP2 mem leak on premature close and ERR_PROTO (Medium) * CVE-2025-22150 - Use of Insufficiently Random Values in undici fetch() (Medium) PR-URL: nodejs-private/node-private#655
v22.13.1 Git-EVTag-v0-SHA512: 6b87a6754a80d80fa71d8daeedfc592254df1a32ee3e6436157d0e1469e42fecc681474d7ccc1d82f938f0b19c6532d12b404647de54d4a16e1e070d764fef10
8f4f634 to
ee54d48
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.