Node.js v20 Release Notes
Release Notes for Node.js v20 NES
2025-08-13, Version 20.19.7 'Iron' (LTS), @marco-ippolito
The CVEs addressed in this release do not affect Node.js directly, but they are relevant to the bundled dependencies.
- CVE-2025-8010 Type Confusion in V8 in Google Chrome prior to 138.0.7204.168 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
- CVE-2025-8011 Type Confusion in V8 in Google Chrome prior to 138.0.7204.168 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
- CVE-2025-7656 Integer overflow in V8 in Google Chrome prior to 138.0.7204.157 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
- CVE-2024-5841 Use after free in V8 in Google Chrome prior to 126.0.6478.54 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
- CVE-2024-4949 Use after free in V8 in Google Chrome prior to 125.0.6422.60 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
- CVE-2024-3159 Out of bounds memory access in V8 in Google Chrome prior to 123.0.6312.105 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: High)
2025-07-21, Version 20.19.6 'Iron' (LTS), @marco-ippolito
This release includes commits from the open‑source v20.19.4 release.
- CVE-2025-27210 An incomplete fix has been identified for CVE-2025-23084 in Node.js, specifically affecting Windows device names like CON, PRN, and AUX. This vulnerability affects Windows users of
path.joinAPI.
2025-07-14, Version 20.19.5 'Iron' (LTS), @marco-ippolito
The CVEs addressed in this release do not affect Node.js directly, but they are relevant to the bundled dependencies.
- CVE-2023-2724 Type confusion in V8 in Google Chrome prior to 113.0.5672.126 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
- CVE-2023-4762 Type Confusion in V8 in Google Chrome prior to 116.0.5845.179 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
- CVE-2023-6702 Type confusion in V8 in Google Chrome prior to 120.0.6099.109 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
- CVE-2024-12381 Type Confusion in V8 in Google Chrome prior to 131.0.6778.139 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
- CVE-2024-2625 Object lifecycle issue in V8 in Google Chrome prior to 123.0.6312.58 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. (Chromium security severity: High)
- CVE-2024-3159 Out of bounds memory access in V8 in Google Chrome prior to 123.0.6312.105 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: High)
- CVE-2024-6101 Inappropriate implementation in V8 in Google Chrome prior to 126.0.6478.114 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)
- CVE-2025-6191 Integer overflow in V8 in Google Chrome prior to 137.0.7151.119 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)
2025-06-24, Version 20.19.4 'Iron' (LTS), @marco-ippolito
This release includes commits from the open‑source v20.19.3 release.
2025-05-20, Version 20.19.3 'Iron' (LTS), @marco-ippolito
This release includes commits from the open‑source v20.19.2 release.
- Improved backwards compatibility with glibc 2.34.
- CVE-2025-23165 In Node.js, the
ReadFileUtf8internal binding leaks memory due to a corrupted pointer inuv_fs_s.file:a UTF-16 path buffer is allocated but subsequently overwritten when the file descriptor is set. This results in an unrecoverable memory leak on every call. Repeated use can cause unbounded memory growth, leading to a denial of service. - CVE-2025-23166 A vulnerability has been identified in Node.js, the C++ method
SignTraits::DeriveBits()may incorrectly callThrowException()based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentially allows an adversary to remotely crash a Node.js runtime. - CVE-2025-23167 A flaw in Node.js HTTP parser allows improper termination of HTTP/1 headers using
\r\n\rXinstead of the required\r\n\r\n. This inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests.
2025-04-23, Version 20.19.2 'Iron' (LTS), @marco-ippolito
This release includes commits from the open‑source v20.19.1 release.
2025-03-14, Version 20.19.1 'Iron' (LTS), @marco-ippolito
This release includes commits from the open‑source v20.19.0 release.
2025-02-26, Version 20.18.4 'Iron' (LTS), @marco-ippolito
The CVEs addressed in this release do not affect Node.js directly, but they are relevant to the bundled dependencies.
- CVE-2024-7971 Type confusion in V8 in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to exploit heap corruption via a crafted HTML page.
- CVE-2023-3079 Type confusion in V8 in Google Chrome prior to 114.0.5735.110 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
- CVE-2024-5274 Type Confusion in V8 in Google Chrome prior to 125.0.6422.112 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
- CVE-2024-7965 Inappropriate implementation in V8 in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
- CVE-2024-4761 Out of bounds write in V8 in Google Chrome prior to 124.0.6367.207 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page.
- CVE-2024-4947 Type Confusion in V8 in Google Chrome prior to 125.0.6422.60 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.