Node.js v20 Release Notes
Comprehensive release notes and changelog for Node.js v20, including security patches, bug fixes, and feature updates across all supported versions.
9 Patched Vulnerabilities
2026-06-25, Version v20.20.3 'Iron' (NES)
This release includes llhttp, nghttp2, undici, npm, minimatch and timezone updates.
- CVE-2026-48933 A flaw in the Node.js WebCrypto implementation can crash the process if the input of `subtle.encrypt()` is a multiple of 2GiB. - (High)
- CVE-2026-48934 A flaw in Node.js TLS host verification can allow an attacker to bypass certificate validation. - (Medium)
- CVE-2026-48931 A flaw in the Node.js HTTP Agent can cause a client to accept as valid a response that is sent before the client has sent the request. - (Low)
- CVE-2026-48935 A flaw in the Node.js Permission API can cause file metadata to be modified even on a path that was set as read-only with `--allow-fs-read`. - (Low)
- CVE-2026-48930 A flaw in Node.js TLS hostname handling — embedded NUL hostnames can lead to silent authority rebinding due to C-string truncation in resolver bindings. - (Medium)
- CVE-2026-48928 An inconsistency in Node.js hostname matching can cause a trust-policy bypass in multi-context mTLS setups. - (Medium)
- CVE-2026-48618 A flaw in Node.js TLS hostname handling — unicode dot separator handling can lead to TLS wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismatch. - (High)
- CVE-2026-48617 A flaw in Node.js Permission Model enforcement allows bypass via `process.report.writeReport()` path misvalidation. - (Low)
- CVE-2026-48619 A flaw in the Node.js HTTP/2 client allows a server to send an unlimited number of ORIGIN frames, which could lead to an Out of Memory error on the client. - (Medium)
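
The two TLS hostname-handling entries above (embedded NUL, Unicode dot separators) both involve a hostname that different layers read differently. As an added example, not code from Node.js or this release, here is an application-side pre-connection check that can serve as defence in depth alongside upgrading. `vetHostname` and its reason strings are hypothetical names; it covers DNS names only (not IPv6 literals) and assumes internationalized names arrive already in `xn--` A-label form.

```javascript
// Added example: reject hostnames that a resolver and a certificate verifier
// could interpret differently, and return one canonical string for both.

// Code points that IDNA (RFC 3490 / UTS #46) treats as label separators
// in addition to the ASCII full stop U+002E.
const UNICODE_DOTS = /[\u3002\uFF0E\uFF61]/;
// Letters-digits-hyphen label: 1..63 chars, no leading or trailing hyphen.
const LDH_LABEL = /^(?!-)[a-z0-9-]{1,63}(?<!-)$/;

function vetHostname(input) {
  if (typeof input !== 'string' || input.length === 0) {
    return { ok: false, reason: 'empty-or-non-string' };
  }
  // A NUL ends the string early in any C-string API further down the stack.
  if (input.includes('\0')) return { ok: false, reason: 'embedded-nul' };
  // Other control characters and whitespace have no place in a hostname.
  if (/[\u0001-\u0020\u007F]/.test(input)) {
    return { ok: false, reason: 'control-or-space' };
  }
  // Refuse alternate dot separators instead of normalizing them, so the
  // label count cannot differ between two consumers of the same string.
  if (UNICODE_DOTS.test(input)) {
    return { ok: false, reason: 'unicode-dot-separator' };
  }
  // Assumption: callers convert IDNs to A-labels before calling.
  if (/[^\x00-\x7F]/.test(input)) return { ok: false, reason: 'non-ascii' };

  // Canonical form: lowercase, without the optional trailing root dot.
  const host = input.toLowerCase().replace(/\.$/, '');
  if (host.length > 253) return { ok: false, reason: 'too-long' };
  if (!host.split('.').every((label) => LDH_LABEL.test(label))) {
    return { ok: false, reason: 'bad-label' };
  }
  return { ok: true, host };
}

// Constructed sample inputs (not taken from any advisory).
const samples = [
  'API.Example.com.',
  'a.example.com\0.other.example',
  'a\u3002example.com',
  'xn--bcher-kva.example',
];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', JSON.stringify(vetHostname(s)));
}
```

Pass the returned `host` value unchanged as both the connection target and the TLS `servername`, so name resolution and certificate verification operate on the same bytes.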