Three high-severity flaws in buffer allocation, permission model, and HTTP/2 handling require immediate updates to 20.x, 22.x, 24.x, 25.x.
July 9, 2026
Summary
Buffer.alloc can leak uninitialized memory containing secrets when vm module timeouts interrupt allocations; symlink bypass breaks fs permission isolation; HTTP/2 malformed frames crash unpatched servers. Patch Tuesday pattern—upgrade within release window or audit permission model usage.
Why it matters
Buffer.alloc can leak uninitialized memory containing secrets when vm module timeouts interrupt allocations; symlink bypass breaks fs permission isolation; HTTP/2 malformed frames crash unpatched servers. Patch Tuesday pattern—upgrade within release window or audit permission model usage.
Implementation verdict
Mandatory patch for production: update to 20.20.0, 22.22.0, 24.13.0, or 25.3.0 released December 15, 2025. If using --allow-fs-read/write or permission model, audit symlink paths immediately. If handling TLS client certificates with getPeerCertificate(), apply 24.x patch for memory leak. If async_hooks or AsyncLocalStorage present, this release partially mitigates but does not eliminate DoS risk from deep recursion—prefer input validation over runtime stack exhaustion.
Sources
Dev Signal
Get briefs like this in your inbox — free, every weekday.
100+ sources compressed into one 4-minute read. Ranked, cited, implementation-ready.