Node.js v20 Release Notes

Release Notes for Node.js v20 NES

2025-02-26, Version 20.18.4 'Iron' (LTS), @marco-ippolito

The CVEs addressed in this release do not affect Node.js directly, but they are relevant to the bundled dependencies.

  • CVE-2024-7971 Type confusion in V8 in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to exploit heap corruption via a crafted HTML page.
  • CVE-2023-3079 Type confusion in V8 in Google Chrome prior to 114.0.5735.110 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
  • CVE-2024-5274 Type Confusion in V8 in Google Chrome prior to 125.0.6422.112 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
  • CVE-2024-7965 Inappropriate implementation in V8 in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
  • CVE-2024-4761 Out of bounds write in V8 in Google Chrome prior to 124.0.6367.207 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page.
  • CVE-2024-4947 Type Confusion in V8 in Google Chrome prior to 125.0.6422.60 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
Node.js v18 Release Notes
Release Notes for Node.js v18 NES
Previous Article