nodejs nodejs Evented IO for v8 JavaScript

  1. Vendors
  2. nodejs

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in any nodejs product.

RSS Feeds for nodejs security vulnerabilities

Create a CVE RSS feed including security vulnerabilities found in nodejs products with stack.watch. Just hit watch, then grab your custom RSS feed url.

Products by nodejs Sorted by Most Security Vulnerabilities since 2018

nodejs node.js148 vulnerabilities

nodejs Undici13 vulnerabilities

nodejs9 vulnerabilities

nodejs Elliptic1 vulnerability

Recent nodejs Security Advisories

Advisory Title Published
2026-01-13 Mitigating Denial-of-Service Vulnerability from Unrecoverable Stack Space Exhaustion for React, Next.js, and APM Users January 13, 2026
2025-12-08 Monday, December 15, 2025 Security Releases December 8, 2025
2025-07-08 Tuesday, July 15, 2025 Security Releases July 8, 2025
2025-05-08 Wednesday, May 14, 2025 Security Releases May 8, 2025
2025-03-31 Node.js Test CI Security Incident March 31, 2025
2025-03-07 Updates on CVE for End-of-Life Versions March 7, 2025
2025-01-14 Tuesday, January 21, 2025 Security Releases January 14, 2025
2025-01-06 Upcoming CVE for End-of-Life Node.js Versions January 6, 2025
2024-07-02 Tuesday, July 2, 2024 Security Releases July 2, 2024
2024-04-04 Tuesday, April 9, 2024 Security Releases April 4, 2024

By the Year

In 2026 there have been 9 vulnerabilities in nodejs with an average score of 3.7 out of ten. Last year, in 2025 nodejs had 5 security vulnerabilities published. That is, 4 more vulnerabilities have already been reported in 2026 as compared to last year.




Year Vulnerabilities Average Score
2026 9 3.70
2025 5 0.00
2024 23 6.48
2023 24 6.98
2022 28 7.25
2021 27 7.40
2020 15 7.96
2019 14 6.69
2018 20 6.95

It may take a day or so for new nodejs vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.

Recent nodejs Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2025-55131 Jan 20, 2026
A flaw in Node.js's buffer allocation logic A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption. While exploitation typically requires precise timing or in-process code execution, it can become remotely exploitable when untrusted input influences workload and timeouts, leading to potential confidentiality and integrity impact.
CVE-2026-21636 Jan 20, 2026
A flaw in Node.js's permission model A flaw in Node.js's permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when `--permission` is enabled. Even without `--allow-net`, attacker-controlled inputs (such as URLs or socketPath options) can connect to arbitrary local sockets via net, tls, or undici/fetch. This breaks the intended security boundary of the permission model and enables access to privileged local services, potentially leading to privilege escalation, data exposure, or local code execution. * The issue affects users of the Node.js permission model on version v25. In the moment of this vulnerability, network permissions (`--allow-net`) are still in the experimental phase.
CVE-2025-59464 Jan 20, 2026
A memory leak in Node.jss OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer A memory leak in Node.jss OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. When applications call `socket.getPeerCertificate(true)`, each certificate field leaks memory, allowing remote clients to trigger steady memory growth through repeated TLS connections. Over time this can lead to resource exhaustion and denial of service.
CVE-2025-55132 Jan 20, 2026
A flaw in Node.js's permission model A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.
CVE-2025-59466 Jan 20, 2026
We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when `async_hooks.createHook()` is enabled We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on('uncaughtException')`, the process terminates, making the crash unrecoverable. Applications that rely on `AsyncLocalStorage` (v22, v20) or `async_hooks.createHook()` (v24, v22, v20) become vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions.
CVE-2026-21637 Jan 20, 2026
A flaw in Node.js TLS error handling A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across Node.js versions where these callbacks throw without being safely wrapped.
CVE-2025-55130 Jan 20, 2026
A flaw in Node.jss Permissions model A flaw in Node.jss Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write, leading to potential system compromise. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.
CVE-2025-59465 Jan 20, 2026
A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets, for example: ``` server.on('secureConnection', socket => { socket.on('error', err => { console.log(err) }) }) ```
CVE-2026-22036 Jan 14, 2026
Undici is an HTTP/1.1 client for Node.js Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands compression steps leading to high CPU usage and excessive memory allocation. This vulnerability is fixed in 7.18.0 and 6.23.0.
Undici
CVE-2025-27209 Jul 18, 2025
HashDoS via rapidhash reintroduction in V8 of Node.js v24.x The V8 release used in Node.js v24.0.0 has changed how string hashes are computed using rapidhash. This implementation re-introduces the HashDoS vulnerability as an attacker who can control the strings to be hashed can generate many hash collisions - an attacker can generate collisions even without knowing the hash-seed. * This vulnerability affects Node.js v24.x users.
node.js
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD). Privacy Policy. Use of this site is governed by the Legal Terms
Disclaimer
CONTENT ON THIS WEBSITE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. Always check with your vendor for the most up to date, and accurate information.