Comparing changes

base repository: nodejs/node
base: v25.2.1
...
head repository: nodejs/node
compare: v25.3.0
  • 11 commits
  • 139 files changed
  • 5 contributors

Commits on Nov 17, 2025

  1. Working on v25.2.2

    PR-URL: #60752
    aduh95 committed Nov 17, 2025
    fc996fd

Commits on Jan 5, 2026

  1. lib: disable futimes when permission model is enabled

    Refs: https://hackerone.com/reports/3390084
    PR-URL: nodejs-private/node-private#748
    Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
    Reviewed-By: Anna Henningsen <anna@addaleax.net>
    CVE-ID: CVE-2025-55132
    RafaelGSS committed Jan 5, 2026
    b4b887c
  2. lib: add TLSSocket default error handler

    This prevents the server from crashing due to an unhandled rejection
    when a TLSSocket connection is abruptly destroyed during initialization
    and the user has not attached an error handler to the socket.
    e.g:
    
    ```js
    const server = http2.createSecureServer({ ... })
    server.on('secureConnection', socket => {
      socket.on('error', err => {
        console.log(err)
      })
    })
    ```
    
    PR-URL: nodejs-private/node-private#750
    Fixes: #44751
    Refs: https://hackerone.com/bugs?subject=nodejs&report_id=3262404
    Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
    Reviewed-By: Anna Henningsen <anna@addaleax.net>
    CVE-ID: CVE-2025-59465
    RafaelGSS committed Jan 5, 2026
    f0a8916

Commits on Jan 9, 2026

  1. lib,permission: require full read and write to symlink APIs

    Refs: https://hackerone.com/reports/3417819
    Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com>
    PR-URL: nodejs-private/node-private#760
    Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
    CVE-ID: CVE-2025-55130
    RafaelGSS committed Jan 9, 2026
    26be208
  2. src: rethrow stack overflow exceptions in async_hooks

    When a stack overflow exception occurs during async_hooks callbacks
    (which use TryCatchScope::kFatal), detect the specific "Maximum call
    stack size exceeded" RangeError and re-throw it instead of immediately
    calling FatalException. This allows user code to catch the exception
    with try-catch blocks instead of requiring uncaughtException handlers.
    
    The implementation adds IsStackOverflowError() helper to detect stack
    overflow RangeErrors and re-throws them in TryCatchScope destructor
    instead of calling FatalException.
    
    This fixes the issue where async_hooks would cause stack overflow
    exceptions to exit with code 7 (kExceptionInFatalExceptionHandler)
    instead of being catchable.
    
    Fixes: #37989
    Ref: https://hackerone.com/reports/3456295
    PR-URL: nodejs-private/node-private#773
    Refs: https://hackerone.com/reports/3456295
    Reviewed-By: Robert Nagy <ronagy@icloud.com>
    Reviewed-By: Paolo Insogna <paolo@cowtech.it>
    Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
    Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
    Reviewed-By: Anna Henningsen <anna@addaleax.net>
    CVE-ID: CVE-2025-59466
    mcollina authored and RafaelGSS committed Jan 9, 2026
    0578e3e
  3. permission: add network check on pipe_wrap connect

    Refs: https://hackerone.com/reports/3465156
    PR-URL: nodejs-private/node-private#784
    Reviewed-By: Anna Henningsen <anna@addaleax.net>
    Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
    CVE-ID: CVE-2026-21636
    RafaelGSS committed Jan 9, 2026
    bdf5873
  4. tls: route callback exceptions through error handlers

    Wrap pskCallback and ALPNCallback invocations in try-catch blocks
    to route exceptions through owner.destroy() instead of letting them
    become uncaught exceptions. This prevents remote attackers from
    crashing TLS servers or causing resource exhaustion.
    
    Fixes: https://hackerone.com/reports/3473882
    PR-URL: nodejs-private/node-private#782
    PR-URL: nodejs-private/node-private#790
    CVE-ID: CVE-2026-21637
    mcollina authored and RafaelGSS committed Jan 9, 2026
    c357a39
  5. deps: update undici to 7.18.2

    PR-URL: #61283
    Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
    Reviewed-By: Richard Lau <richard.lau@ibm.com>
    Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
    Reviewed-By: Aviv Keller <me@aviv.sh>
    Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
    Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
    Reviewed-By: Matthew Aitken <maitken033380023@gmail.com>
    nodejs-github-bot authored and RafaelGSS committed Jan 9, 2026
    5100614
  6. deps: update c-ares to v1.34.6

    PR-URL: #60997
    Reviewed-By: Richard Lau <richard.lau@ibm.com>
    Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
    Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
    Reviewed-By: Juan José Arboleda <soyjuanarbol@gmail.com>
    Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
    Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
    Reviewed-By: Ethan Arrowood <ethan@arrowood.dev>
    nodejs-github-bot authored and RafaelGSS committed Jan 9, 2026
    a6a74b8
  7. src,lib: refactor unsafe buffer creation to remove zero-fill toggle

    This removes the zero-fill toggle mechanism that allowed JavaScript
    to control ArrayBuffer initialization via shared memory. Instead,
    unsafe buffer creation now uses a dedicated C++ API.
    
    Refs: https://hackerone.com/reports/3405778
    Co-Authored-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
    Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com>
    PR-URL: nodejs-private/node-private#759
    Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
    CVE-ID: CVE-2025-55131
    ChALkeR and RafaelGSS committed Jan 9, 2026
    4d6b55a
  8. 2026-01-13, Version 25.3.0 (Current)

    This is a security release.
    
    Notable changes:
    
    lib:
      * (CVE-2025-59465) add TLSSocket default error handler (RafaelGSS) nodejs-private/node-private#750
    permission:
      * (CVE-2026-21636) add network check on pipe_wrap connect (RafaelGSS) nodejs-private/node-private#784
      * (CVE-2025-55130) require full read and write to symlink APIs (RafaelGSS) nodejs-private/node-private#760
      * (CVE-2025-55132) disable futimes when permission model is enabled (RafaelGSS) nodejs-private/node-private#748
    src:
      * (CVE-2025-59466) rethrow stack overflow exceptions in async_hooks (Matteo Collina) nodejs-private/node-private#773
    src,lib:
      * (CVE-2025-55131) refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) nodejs-private/node-private#759
    tls:
      * (CVE-2026-21637) route callback exceptions through error handlers (Matteo Collina) nodejs-private/node-private#790
    
    PR-URL: nodejs-private/node-private#793
    RafaelGSS committed Jan 9, 2026
    00d6cd8