Node.js v12 Release Notes

Release Notes for Node.js v12 NES

2026-02-10, Version 12.22.15 'Erbium' (NES)

This release includes a breaking change in order to address CVE-2022-32223. Before this change, the default OpenSSL configuration, openssl_conf, was being used which might configure OpenSSL in unwanted ways that might result in DLL Hijacking. When using a custom OpenSSL configuration file, Node.js will now only search for the configuration under the section nodejs_conf. This behavior can be customized by setting the flag --openssl-conf-name.

  • CVE-2023-46809 Node.js versions which bundle an unpatched version of OpenSSL, or run against a dynamically linked version of OpenSSL which is unpatched, are vulnerable to the Marvin Attack (https://people.redhat.com/~hkario/marvin/) if PKCS #1 v1.5 padding is allowed when performing RSA decryption using a private key.
  • CVE-2022-32212 An OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check whether an IP address is invalid before making DNS requests, allowing rebinding attacks.
  • CVE-2024-21892 On Linux, Node.js ignores certain environment variables if those may have been set by an unprivileged user while the process is running with elevated privileges with the only exception of CAP_NET_BIND_SERVICE. Due to a bug in the implementation of this exception, Node.js incorrectly applies this exception even when certain other capabilities have been set. This allows unprivileged users to inject code that inherits the process's elevated privileges.
  • CVE-2024-27983 An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small number of HTTP/2 packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with an HTTP/2 CONTINUATION frame are sent to the server and the TCP connection is then abruptly closed by the client, triggering the Http2Session destructor while header frames are still being processed (and stored in memory) and causing a race condition.
  • CVE-2024-36138 The fix for CVE-2024-27980 was incomplete and can be bypassed; the flaw arises from improper handling of batch files with all possible extensions on Windows via child_process.spawn / child_process.spawnSync. A malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.
  • CVE-2024-27980 Due to the improper handling of batch files in child_process.spawn / child_process.spawnSync, a malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.
  • CVE-2025-23085 A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could lead to increased memory consumption and potential denial of service under certain conditions.
  • CVE-2022-32223 Node.js is vulnerable to Hijack Execution Flow: DLL Hijacking under certain conditions on Windows platforms. This vulnerability can be exploited if the victim has the following dependency on a Windows machine: OpenSSL has been installed and "C:\Program Files\Common Files\SSL\openssl.cnf" exists. Whenever the above condition is present, node.exe will search for providers.dll in the current user directory. After that, node.exe will try to search for providers.dll by the DLL Search Order in Windows. It is possible for an attacker to place the malicious file providers.dll under a variety of paths and exploit this vulnerability.

2026-01-30, Version 12.22.14 'Erbium' (NES)

This release includes applicable commits from the open-source December 2025 security release. This release also includes a Linux ARM64 binary.

  • CVE-2025-59465 Node.js HTTP/2 server crashes with unhandled error when receiving malformed HEADERS frame. (High)
  • CVE-2025-59466 Uncatchable "Maximum call stack size exceeded" error on Node.js via async_hooks leads to process crashes bypassing error handlers. (Medium)

2025-11-10, Version 12.22.13 'Erbium' (NES)

Includes over 20 dependency security and compatibility fixes, including resolutions for the following vulnerabilities:

  • CVE-2023-32067 (c-ares) c-ares is vulnerable to denial of service. If a target resolver sends a query, the attacker forges a malformed UDP packet with a length of 0 and returns it to the target resolver. The target resolver erroneously interprets the 0 length as a graceful shutdown of the connection.
  • CVE-2023-31147 (c-ares) When /dev/urandom or RtlGenRandom() are unavailable, c-ares uses rand() to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not seeded by srand(), so it will generate predictable output. Input from the random number generator is fed into a non-compliant RC4 implementation and may not be as strong as the original RC4 implementation. No attempt is made to look for modern OS-provided CSPRNGs such as arc4random(), which is widely available.
  • CVE-2023-31130 (c-ares) ares_inet_net_pton() is vulnerable to a buffer underflow for certain IPv6 addresses; in particular "0::00:00:00/2" was found to cause an issue. c-ares only uses this function internally for configuration purposes, which would require an administrator to configure such an address via ares_set_sortlist(). However, users may externally use ares_inet_net_pton() for other purposes and thus be vulnerable to more severe issues.
  • CVE-2023-31124 (c-ares) When cross-compiling c-ares and using the autotools build system, CARES_RANDOM_FILE will not be set, as seen when cross-compiling aarch64 Android. This will downgrade to using rand() as a fallback, which could allow an attacker to take advantage of the lack of entropy caused by not using a CSPRNG.
  • CVE-2022-4904 (c-ares) A flaw was found in the c-ares package. ares_set_sortlist is missing checks on the validity of the input string, which allows a possible arbitrary-length stack overflow. This issue may cause a denial of service or a limited impact on confidentiality and integrity.
  • CVE-2022-35256 (llhttp) The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CRLF. This may result in HTTP Request Smuggling.
  • CVE-2023-44487 (nghttp2) The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly.
  • CVE-2023-35945 (nghttp2) A memory leak vulnerability in Envoy's HTTP/2 codec, caused by improper cleanup after receiving RST_STREAM followed by GOAWAY frames, can lead to denial of service through memory exhaustion; this issue was patched in Envoy versions 1.26.3, 1.25.8, 1.24.9, and 1.23.11.
  • CVE-2021-39135 (npm) A vulnerability in @npmcli/arborist allowed attackers to exploit symbolic links in the node_modules folder, potentially writing package dependencies to arbitrary locations on the filesystem; this issue was patched in version 2.8.2, included in npm v7.20.7 and above.
  • CVE-2021-39134 (npm) A vulnerability in @npmcli/arborist allowed attackers to overwrite arbitrary files on case-insensitive file systems by exploiting case differences in dependency names, affecting npm v7.20.6 and earlier; it was patched in version 2.8.2, included with npm v7.20.7 and above.
  • CVE-2024-0727 (OpenSSL) A vulnerability in OpenSSL can cause a crash when processing maliciously formatted PKCS12 files, potentially leading to a Denial of Service (DoS) in applications handling untrusted PKCS12 files.
  • CVE-2023-5678 (OpenSSL) A vulnerability in OpenSSL's X9.42 DH key generation and checking functions can cause significant delays when processing excessively long keys or parameters, potentially leading to a Denial of Service (DoS) when dealing with untrusted sources.
  • CVE-2023-4807 (OpenSSL) A bug in OpenSSL's POLY1305 MAC implementation on Windows 64 systems with AVX512-IFMA support may corrupt application state, potentially leading to crashes or Denial of Service (DoS), though the severity is considered low.
  • CVE-2023-3817 (OpenSSL) A vulnerability in OpenSSL's DH parameter checking functions can cause significant delays when processing excessively long DH keys, potentially leading to a Denial of Service (DoS) in applications using untrusted sources.
  • CVE-2023-2650 (OpenSSL) A vulnerability in OpenSSL's OBJ_obj2txt() function can cause significant delays when processing large ASN.1 object identifiers, potentially leading to a Denial of Service (DoS) in certain applications.
  • CVE-2023-0466 (OpenSSL) A flaw in OpenSSL's X509_VERIFY_PARAM_add0_policy() function fails to enable certificate policy checks as documented, allowing certificates with invalid policies to pass verification.
  • CVE-2023-0465 (OpenSSL) A vulnerability in OpenSSL allows a malicious CA to bypass certificate policy checks when non-default verification options are used, potentially leading to security breaches.
  • CVE-2023-0464 (OpenSSL) A vulnerability in OpenSSL's X.509 certificate chain verification could enable a DoS attack through excessive resource usage when policy constraints are processed.
  • GHSA-5689-v88g-g6rv (llhttp) llhttp allows HTTP Request Smuggling via Flawed Parsing of Transfer-Encoding.
  • GHSA-q5vx-44v4-gch4 (llhttp) llhttp allows HTTP Request Smuggling via Improper Delimiting of Header Fields.
  • GHSA-cggh-pq45-6h9x (llhttp) llhttp allows HTTP Request Smuggling via Flawed Parsing of Transfer-Encoding.
  • CVE-2025-27210 An incomplete fix has been identified for CVE-2025-23084 in Node.js, specifically affecting Windows device names like CON, PRN, and AUX. This vulnerability affects Windows users of the path.join API.
  • CVE-2025-23167 A flaw in the Node.js HTTP parser allows improper termination of HTTP/1 headers using \r\n\rX instead of the required \r\n\r\n. This inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests.
  • CVE-2025-23084 A vulnerability has been identified in Node.js, specifically affecting the handling of drive names in the Windows environment. Certain Node.js functions do not treat drive names as special on Windows.
  • CVE-2024-27982 The team has identified a critical vulnerability in the http server of the most recent version of Node, where malformed headers can lead to HTTP request smuggling.
  • CVE-2024-22019 A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and denial of service (DoS).
  • CVE-2023-30589 The llhttp parser in the http module in Node does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser.
  • CVE-2022-32213 The llhttp parser in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS).
  • CVE-2022-32214 The llhttp parser in the http module in Node.js does not correctly handle header fields that are not terminated with CRLF. This may result in HTTP Request Smuggling (HRS).
  • CVE-2022-32215 The llhttp parser in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).