nodejs
23 articles with this tag
[MEDIUM] CVE-2024-22018 A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-read flag is used.
This flaw arises from an inadequate permission model that fails to restrict file stats through the fs.lstat API. As a result, malicious actors can retrieve stats from files that they do not have explicit read access to.
This vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21.
Please note that at the time this CVE was issued, the permission model was an experimental feature of Node.js.
[HIGH] CVE-2026-21711 A flaw in the Node.js Permission Model's network enforcement leaves Unix Domain Socket (UDS) server operations without the required permission checks, while all comparable network paths correctly enforce them.
As a result, code running under `--permission` without `--allow-net` can create and expose local IPC endpoints, allowing communication with other processes on the same host outside of the intended network restriction boundary.
This vulnerability affects Node.js **25.x** processes using the Permission Model where `--allow-net` is intentionally omitted to restrict network access. Note that `--allow-net` is currently an experimental feature.
[HIGH] CVE-2025-23167 A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `\r\n\rX` instead of the required `\r\n\r\n`.
This inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests.
The issue was resolved by upgrading `llhttp` to version 9, which enforces correct header termination.
Impact:
* This vulnerability affects only Node.js 20.x users prior to the `llhttp` v9 upgrade.
[MEDIUM] DSA-6300-1 node-shell-quote - security update
[CRITICAL] [NEW] [critical] vm2: Multiple vulnerabilities
[MEDIUM] DSA-6272-1 nodejs - security update
[INFO] CVE-2026-41636 Apache Thrift: Node.js skip() recursion
[HIGH] RHSA-2026:9874: Important: nodejs:20 security update
[HIGH] RHSA-2026:9711: Important: nodejs:20 security update
[CRITICAL] [UPDATE] [high] Node.js: Multiple vulnerabilities
[HIGH] DSA-6183-1 nodejs - security update
[HIGH] DSA-6166-1 nodejs - security update
[MEDIUM] VU#907705: Graphql-upload-minimal has a prototype pollution vulnerability.
[MEDIUM] The Forgotten Bug: How a Node.js Core Design Flaw Enables HTTP Request Splitting
[MEDIUM] [UPDATE] [medium] Node.js: Multiple vulnerabilities
[MEDIUM] [UPDATE] [medium] Node.js: Multiple vulnerabilities
[MEDIUM] Node.js — Tuesday, January 13, 2026 Security Releases
[MEDIUM] Node.js Security Release Patches 7 Vulnerabilities Across All Release Lines
[MEDIUM] Multiple vulnerabilities in Node.js (30 January 2026)
[CRITICAL] [UPDATE] [critical] Node.js: Multiple vulnerabilities
[CRITICAL] The Recent 0-Days in Node.js and React Were Found by an AI
[HIGH] VU#102648: Code injection vulnerability in binary-parser library
[CRITICAL] Critical vm2 Node.js Flaw Allows Sandbox Escape and Arbitrary Code Execution