11 CVEs fixed across TLS hostname validation, WebCrypto output bounds, HTTP/2 memory exhaustion, and permission model gaps—upgrade required if you run untrusted code or expose crypto APIs.
Summary
TLS SNI case sensitivity and hostname normalization bypasses affect certificate validation; HTTP/2 originSet unbounded growth causes DoS; WebCrypto output length guards prevent buffer overruns. Permission model gaps let process.chdir and FileHandle.utimes escape scope restrictions.
Why it matters
Hostname validation is the step that binds a certificate to the host you intended to reach, so a case-sensitivity or normalization bypass in it weakens certificate validation for every TLS client built on the runtime, not just code that calls the TLS API directly. Unbounded growth of the HTTP/2 originSet lets a peer drive memory consumption without limit, which is a remote DoS against any process that speaks HTTP/2. The WebCrypto output length guards keep results inside their buffers, which matters wherever crypto APIs are exposed to callers you do not control. The permission model gaps let process.chdir and FileHandle.utimes act outside the scope you granted, which only bites if you rely on that model to contain untrusted code. Those last two cases are why the brief marks the upgrade as required for anyone running untrusted code or exposing crypto APIs.
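Both the Summary and the paragraph above turn on hostname normalization: a certificate-name matcher or a hostname policy that compares raw strings treats `internal.example.com`, `INTERNAL.example.com` and `internal.example.com.` as three different hosts, while the TLS and DNS layers treat them as one. The block below is an added illustration of that bug class in JavaScript; it is not Node.js's own `tls.checkServerIdentity`, not the patched code, and says nothing about the exact defect the CVEs cover. The function names, the deny list and the sample hostnames are constructed for the example.

```javascript
// Added example: normalize hostnames before matching them against certificate
// names or policy lists. Illustrative code, not the runtime's implementation.

// Canonical form for comparison: lowercase, single trailing dot removed,
// basic label syntax enforced so junk never reaches the matcher.
function normalizeHostname(name) {
  if (typeof name !== 'string') return null;
  let h = name.toLowerCase();
  if (h.endsWith('.')) h = h.slice(0, -1);          // FQDN form "host.example.com."
  if (h.length === 0 || h.length > 253) return null;
  const labelRe = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/;
  for (const label of h.split('.')) {
    if (!labelRe.test(label)) return null;
  }
  return h;
}

// RFC 6125-style matching: a wildcard must be the entire leftmost label,
// covers exactly one label, and needs at least two labels after it.
// Anything else (partial wildcards like "f*.example.com") is compared exactly.
function matchesCertName(certName, hostname) {
  const pattern = String(certName).toLowerCase().replace(/\.$/, '');
  const host = normalizeHostname(hostname);
  if (host === null) return false;
  if (!pattern.startsWith('*.')) return pattern === host;
  const suffix = pattern.slice(2);                     // text after "*."
  const suffixLabels = suffix.split('.');
  if (suffix.includes('*') || suffixLabels.length < 2) return false;
  const hostLabels = host.split('.');
  return hostLabels.length === suffixLabels.length + 1 && host.endsWith('.' + suffix);
}

// Constructed deny list for the policy example.
const BLOCKED = ['internal.example.com'];

// Raw string comparison: any spelling the network layers treat as the same
// host, but which differs in case or trailing dot, slips past this check.
function naiveIsBlocked(hostname) {
  return BLOCKED.includes(hostname);
}

// Same policy applied to the canonical form; unparseable names are refused
// rather than waved through.
function hardenedIsBlocked(hostname) {
  const h = normalizeHostname(hostname);
  if (h === null) return true;
  return BLOCKED.includes(h);
}

// Constructed inputs showing the difference.
for (const name of ['internal.example.com', 'INTERNAL.example.com.', 'api.example.com']) {
  console.log(name, 'naive:', naiveIsBlocked(name), 'hardened:', hardenedIsBlocked(name));
}
console.log('*.example.com vs API.example.com. ->', matchesCertName('*.example.com', 'API.example.com.'));
console.log('*.example.com vs a.b.example.com ->', matchesCertName('*.example.com', 'a.b.example.com'));
```

The same rule applies in the other direction: if you select a server context by SNI name with a map lookup, key the map on the normalized name, or a request for `API.EXAMPLE.COM` falls through to whatever default context you configured.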
Implementation verdict
This is a mandatory upgrade if you are running 26.x. There are no breaking changes. OpenSSL is bumped to 3.5.7, undici to 8.5.0 and llhttp to 9.4.2; all three are bundled with the runtime, so they update in place and nothing has to be patched separately. Deploying via a package manager or binary download takes about 10 minutes.
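A check to run after the upgrade, added here and not part of the brief: it reads the bundled dependency versions from `process.versions` and reports any that fall below the minimums named above. The helper names and the version objects used in the comments are this example's own. It assumes `process.versions` exposes `openssl`, `undici` and `llhttp` keys, and that the OpenSSL string may carry a build suffix such as `+quic`, which the parser strips.

```javascript
// Added example: gate a deploy on the bundled dependency versions the brief
// names. Not part of the release notes; minimums are the ones stated above.

const REQUIRED = { openssl: '3.5.7', undici: '8.5.0', llhttp: '9.4.2' };

// process.versions reports strings such as "3.0.15+quic"; keep the leading
// dotted numeric triple and compare it component-wise, never as a string
// (a string compare would rank "3.10.0" below "3.5.7").
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// True when actual >= required; a missing or unparseable actual counts as
// not satisfied, so an absent dependency is reported rather than ignored.
function atLeast(actual, required) {
  const a = parseVersion(actual);
  const r = parseVersion(required);
  if (a === null || r === null) return false;
  for (let i = 0; i < 3; i++) {
    if (a[i] !== r[i]) return a[i] > r[i];
  }
  return true;
}

// Names of dependencies that are missing or below their minimum.
// e.g. findOutdated({ openssl: '3.0.15+quic', undici: '6.21.0', llhttp: '9.4.2' })
//      -> ['openssl', 'undici']
function findOutdated(versions, required = REQUIRED) {
  return Object.keys(required).filter((dep) => !atLeast(versions[dep], required[dep]));
}

// Report for the runtime this script is running under.
const outdated = findOutdated(process.versions);
if (outdated.length === 0) {
  console.log('bundled dependencies meet the minimums');
} else {
  const detail = outdated.map((d) => d + '=' + String(process.versions[d])).join(' ');
  console.log('below minimum: ' + detail);
}
```

To fail a pipeline step on the result, run the script with `node` and turn the "below minimum" line into a non-zero exit in your CI wrapper, or set `process.exitCode = 1` in the else branch; the block leaves the exit code alone so it can be read as a plain report.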
Sources
Dev Signal