Node.js v16 Release Notes
Comprehensive release notes and changelog for Node.js v16, including security patches, bug fixes, and feature updates across all supported versions.
66 Patched Vulnerabilities
2026-04-03, Version 16.20.11 'Gallium' (NES)
This release includes commits from the open-source March 2026 security release.
- CVE-2026-21717 A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade performance of the Node.js process - (Medium)
- CVE-2026-21714 Memory leak in Node.js HTTP/2 server via WINDOW_UPDATE on stream 0 leads to resource exhaustion - (Medium)
- CVE-2026-21713 Timing side-channel in HMAC verification via memcmp() in crypto_hmac.cc leads to potential MAC forgery - (Medium)
- CVE-2026-21710 Denial of Service via proto header name in req.headersDistinct (Uncaught TypeError crashes Node.js process) - (High)
- CVE-2026-21637 Incomplete fix for CVE-2026-21637: loadSNI() in _tls_wrap.js lacks try/catch leading to Remote DoS - (High)
2026-02-27, Version 16.20.10 'Gallium' (NES)
- CVE-2023-46809 Node.js versions which bundle an unpatched version of OpenSSL or run against a dynamically linked version of OpenSSL which is unpatched are vulnerable to the Marvin Attack - https://people.redhat.com/~hkario/marvin/, if PKCS #1 v1.5 padding is allowed when performing RSA decryption using a private key.
- CVE-2024-21892 On Linux, Node.js ignores certain environment variables if those may have been set by an unprivileged user while the process is running with elevated privileges with the only exception of CAP_NET_BIND_SERVICE. Due to a bug in the implementation of this exception, Node.js incorrectly applies this exception even when certain other capabilities have been set. This allows unprivileged users to inject code that inherits the process's elevated privileges.
- CVE-2024-27983 An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small number of packets, each containing a few HTTP/2 frames. It is possible to leave some data in nghttp2 memory after reset when headers with an HTTP/2 CONTINUATION frame are sent to the server and the TCP connection is then abruptly closed by the client, triggering the Http2Session destructor while header frames are still being processed (and stored in memory), causing a race condition.
- CVE-2024-36138 Bypass of the incomplete fix for CVE-2024-27980, arising from improper handling of batch files with all possible extensions on Windows via child_process.spawn / child_process.spawnSync. A malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.
- CVE-2024-27980 Due to the improper handling of batch files in child_process.spawn / child_process.spawnSync, a malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.
- CVE-2025-23085 A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could lead to increased memory consumption and potential denial of service under certain conditions.
2026-01-23, Version 16.20.9 'Gallium' (NES)
This release includes applicable commits from the open-source December 2025 security release.
- CVE-2025-59465 Node.js HTTP/2 server crashes with unhandled error when receiving malformed HEADERS frame. (High)
- CVE-2025-59466 Uncatchable "Maximum call stack size exceeded" error on Node.js via async_hooks leads to process crashes bypassing error handlers. (Medium)
- CVE-2025-55131 Timeout-based race conditions make Uint8Array/Buffer.alloc non-zerofilled. (High)
2025-07-21, Version 16.20.8 'Gallium' (NES)
- CVE-2025-27210 An incomplete fix has been identified for CVE-2025-23084 in Node.js, specifically affecting Windows device names like CON, PRN, and AUX. This vulnerability affects Windows users of the path.join API.
2025-05-19, Version 16.20.7 'Gallium' (NES)
- CVE-2025-23166 A vulnerability has been identified in Node.js: the C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentially allows an adversary to remotely crash a Node.js runtime.
2025-02-20, Version 16.20.6 'Gallium' (NES)
- CVE-2024-22025 - Denial of Service by resource exhaustion in fetch() brotli decoding.
- CVE-2024-22019 - Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks.
2025-01-16, Version 16.20.5 'Gallium' (NES)
- CVE-2024-30261 (undici) - Undici's fetch with integrity option is too lax when the algorithm is specified but the hash value is incorrect.
- CVE-2024-24758 (undici) - Undici proxy-authorization header not cleared on cross-origin redirect in fetch.
2024-09-19, Version 16.20.4 'Gallium' (NES)
- Updated to OpenSSL 3.0.14-quic1
2024-07-30, Version 16.20.3 'Gallium' (NES)
This release includes over 40 dependency security and compatibility fixes including resolution for the following vulnerabilities:
- CVE-2023-44487 (nghttp2) - Denial of service vulnerability in nghttp2 where resource exhaustion can occur due to improperly handled RST_STREAM frames.
- CVE-2023-35945 (nghttp2) - A vulnerability in nghttp2 where a crafted HTTP/2 frame can trigger a denial of service by crashing the server.
- CVE-2024-0727 (OpenSSL) - An undefined behavior in OpenSSL's cryptographic functions, potentially leading to security vulnerabilities.
- CVE-2023-6129 (OpenSSL) - Memory corruption vulnerability in OpenSSL’s CMS function, leading to potential remote code execution.
- CVE-2023-5678 (OpenSSL) - Flaw in OpenSSL’s X.509 certificate validation that could allow certificate spoofing under specific circumstances.
- CVE-2023-5363 (OpenSSL) - A vulnerability in OpenSSL’s ASN.1 parsing code that could cause a denial of service due to an infinite loop.
- CVE-2023-4807 (OpenSSL) - Buffer overflow vulnerability in OpenSSL's SM2 decryption functions, potentially leading to remote code execution.
- CVE-2023-3817 (OpenSSL) - A timing side-channel attack in OpenSSL's RSA key generation function that could leak sensitive information.
- CVE-2023-2975 (OpenSSL) - Vulnerability in OpenSSL’s PKCS7 parsing that could lead to out-of-bounds reads and potential information disclosure.
- CVE-2023-2650 (OpenSSL) - A flaw in OpenSSL’s X.509 name constraints enforcement that could allow bypassing of name constraints.
- CVE-2023-1255 (OpenSSL) - An integer overflow vulnerability in OpenSSL’s ASN.1 code leading to potential remote code execution.
- CVE-2023-0466 (OpenSSL) - Denial of service vulnerability in OpenSSL’s BN_mod_exp function due to improper handling of zero inputs.
- CVE-2023-0465 (OpenSSL) - A vulnerability in OpenSSL's SM2 decryption implementation that could result in improper error handling and leaks.
- CVE-2023-0464 (OpenSSL) - Memory corruption vulnerability in OpenSSL’s X.509 function leading to potential remote code execution.
- CVE-2022-4203 (OpenSSL) - A vulnerability in OpenSSL’s X.509 certificate chain verification that could result in a bypass of certificate validation.
- CVE-2023-0401 (OpenSSL) - Denial of service vulnerability in OpenSSL’s PKCS7 code caused by improper handling of certain inputs.
- CVE-2023-0286 (OpenSSL) - A flaw in OpenSSL’s certificate verification process allowing potential bypass of security restrictions.
- CVE-2023-0217 (OpenSSL) - A timing attack in OpenSSL’s DSA signature generation could leak sensitive information.
- CVE-2023-0216 (OpenSSL) - Vulnerability in OpenSSL’s DTLS implementation that could result in a denial of service attack.
- CVE-2023-0215 (OpenSSL) - A memory leak vulnerability in OpenSSL’s X.509 certificate parsing could lead to denial of service.
- CVE-2022-4450 (OpenSSL) - Vulnerability in OpenSSL’s CMS and PKCS7 code that could allow a denial of service attack via memory exhaustion.
- CVE-2022-4304 (OpenSSL) - Heap buffer overflow in OpenSSL’s SSL_get1_peer_certificate function could lead to remote code execution.
- CVE-2022-3996 (OpenSSL) - A vulnerability in OpenSSL’s name constraints checking allowing a bypass in certain conditions.
- CVE-2022-3786 (OpenSSL) - A buffer overflow vulnerability in OpenSSL’s certificate verification that could lead to a denial of service.
- CVE-2022-3602 (OpenSSL) - Buffer overflow in OpenSSL’s X.509 email address parsing could allow remote code execution.
- CVE-2022-3358 (OpenSSL) - An improper input validation vulnerability in OpenSSL’s ASN.1 string parsing could cause denial of service.
- CVE-2022-2097 (OpenSSL) - Vulnerability in OpenSSL’s AES OCB mode resulting in incorrect decryption under specific conditions.
- CVE-2022-2068 (OpenSSL) - A command injection vulnerability in OpenSSL’s c_rehash script could allow remote code execution.
- CVE-2022-1473 (OpenSSL) - A vulnerability in OpenSSL’s PEM file processing that could lead to denial of service or memory corruption.
- CVE-2022-1434 (OpenSSL) - A timing side-channel attack in OpenSSL’s RSA signature verification could leak sensitive information.
- CVE-2022-1343 (OpenSSL) - A flaw in OpenSSL’s BN_mod_sqrt function that could result in incorrect results under specific conditions.
- CVE-2022-1292 (OpenSSL) - Vulnerability in OpenSSL’s c_rehash script allowing command injection under specific conditions.
- CVE-2022-0778 (OpenSSL) - Flaw in OpenSSL’s BN_mod_sqrt function leading to an infinite loop and denial of service.
- CVE-2021-4160 (OpenSSL) - A vulnerability in OpenSSL’s CMP client leading to a double-free, potentially causing denial of service.
- CVE-2021-4044 (OpenSSL) - A vulnerability in OpenSSL’s SSL/TLS server that could allow a denial of service attack through memory exhaustion.
- CVE-2023-45143 (undici) - A prototype pollution vulnerability in undici's fetch API that could lead to arbitrary code execution.
- CVE-2023-45853 (zlib) - Buffer overflow vulnerability in zlib’s decompression routine that could lead to denial of service or code execution.
- GHSA-wqq4-5wpv-mx2g (undici) - A potential header injection vulnerability in undici that could lead to HTTP response splitting.
- GHSA-3787-6prv-h9w3 (undici) - A resource exhaustion vulnerability in undici due to improper handling of request cancellation.
- GHSA-cggh-pq45-6h9x (llhttp) - A denial of service vulnerability in llhttp caused by malformed HTTP requests leading to infinite loop.
- CVE-2025-23167 - A flaw in the Node.js HTTP parser allows improper termination of HTTP/1 headers using \r\n\rX instead of the required \r\n\r\n. This inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests.
- CVE-2023-30589 - The llhttp parser in the http module in Node does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser.
- CVE-2024-27982 - The team has identified a critical vulnerability in the http server of the most recent version of Node, where malformed headers can lead to HTTP request smuggling.
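The two llhttp framing issues above (CVE-2025-23167's \r\n\rX terminator and CVE-2023-30589's bare CR delimiter) come down to a parser accepting header framing that a strict peer would reject. The following is an added example, not code from these release notes or from the Node.js project: a strict scanner over raw request bytes that classifies how the header block is terminated, the kind of check a front proxy or request-log audit could apply to flag messages two parsers might frame differently. The function names and the sample requests are constructed for illustration.

```javascript
'use strict';

const CR = 0x0d;
const LF = 0x0a;

// Classifies how an HTTP/1 header block is terminated. Returns { status, offset }:
//   'strict'     - terminated by exactly \r\n\r\n; offset is the index just after it
//   'lenient'    - \r\n\r followed by a byte other than \n (the CVE-2025-23167 shape)
//   'bare-cr'    - a CR not followed by LF inside the header block (CVE-2023-30589 shape)
//   'incomplete' - no terminator seen yet; offset is -1
function classifyHeaderTerminator(buf) {
  for (let i = 0; i < buf.length; i++) {
    if (buf[i] !== CR) continue;
    if (i + 1 >= buf.length) return { status: 'incomplete', offset: -1 };
    if (buf[i + 1] !== LF) return { status: 'bare-cr', offset: i };
    // At \r\n: decide whether this line ending also closes the header block.
    if (i + 2 >= buf.length) return { status: 'incomplete', offset: -1 };
    if (buf[i + 2] !== CR) { i += 1; continue; } // ordinary end of a header line
    if (i + 3 >= buf.length) return { status: 'incomplete', offset: -1 };
    if (buf[i + 3] === LF) return { status: 'strict', offset: i + 4 };
    return { status: 'lenient', offset: i };     // \r\n\rX
  }
  return { status: 'incomplete', offset: -1 };
}

// Convenience predicate for a gateway: only strictly framed requests pass.
function isStrictlyFramed(buf) {
  return classifyHeaderTerminator(buf).status === 'strict';
}

// Constructed sample requests (not captured traffic), one per classification.
const SAMPLES = {
  strict: Buffer.from('GET / HTTP/1.1\r\nHost: example.test\r\n\r\n', 'latin1'),
  lenient: Buffer.from('GET / HTTP/1.1\r\nHost: example.test\r\n\rXbody', 'latin1'),
  bareCr: Buffer.from('GET / HTTP/1.1\rHost: example.test\r\n\r\n', 'latin1'),
  partial: Buffer.from('GET / HTTP/1.1\r\n', 'latin1'),
};

for (const [name, buf] of Object.entries(SAMPLES)) {
  const r = classifyHeaderTerminator(buf);
  console.log(`${name}: ${r.status} (offset ${r.offset}) strict=${isStrictlyFramed(buf)}`);
}
```
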
Note
Potential breaking changes:
- Updated llhttp to 9.1.2