HeroDevs

Node.js v22 Release Notes

Release Notes for Node.js v22 NES

2025-09-04, Version 22.19.1 'Jod' (LTS), @marco-ippolito

This release includes commits from the open‑source v22.19.0 release.

It also includes the following CVEs that do not affect Node.js directly, but are relevant to the bundled dependencies:

  • CVE-2025-0612 Out of bounds memory access in V8 in Google Chrome prior to 132.0.6834.110 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
  • CVE-2025-0611 Object corruption in V8 in Google Chrome prior to 132.0.6834.110 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
  • CVE-2025-0434 Out of bounds memory access in V8 in Google Chrome prior to 132.0.6834.83 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
  • CVE-2024-7550 Type Confusion in V8 in Google Chrome prior to 127.0.6533.99 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
  • CVE-2024-6773 Inappropriate implementation in V8 in Google Chrome prior to 126.0.6478.182 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
  • CVE-2024-6772 Inappropriate implementation in V8 in Google Chrome prior to 126.0.6478.182 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)
  • CVE-2024-5837 Type Confusion in V8 in Google Chrome prior to 126.0.6478.54 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)
  • CVE-2024-5830 Type Confusion in V8 in Google Chrome prior to 126.0.6478.54 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High)
  • CVE-2023-4355 Out of bounds memory access in V8 in Google Chrome prior to 116.0.5845.96 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

2025-08-22, Version 22.18.2 'Jod' (LTS), @marco-ippolito

This release includes the following CVEs that do not affect Node.js directly, but are relevant to the bundled dependencies:

  • CVE-2025-6554 Type confusion in V8 in Google Chrome prior to 138.0.7204.96 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: High)

It also fixes a bug that caused the version in process.version to be incorrect.

2025-08-13, Version 22.18.1 'Jod' (LTS), @marco-ippolito

This release includes commits from the open‑source v22.18.0 release.

It also includes the following CVEs that do not affect Node.js directly, but are relevant to the bundled dependencies:

  • CVE-2025-8010 Type Confusion in V8 in Google Chrome prior to 138.0.7204.168 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
  • CVE-2025-8011 Type Confusion in V8 in Google Chrome prior to 138.0.7204.168 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
  • CVE-2025-7656 Integer overflow in V8 in Google Chrome prior to 138.0.7204.157 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
  • CVE-2024-5841 Use after free in V8 in Google Chrome prior to 126.0.6478.54 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
  • CVE-2024-4949 Use after free in V8 in Google Chrome prior to 125.0.6422.60 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)

2025-07-16, Version 22.17.2 'Jod' (LTS), @marco-ippolito

This release includes commits from the open‑source v22.17.1 security release.

It also includes the following CVEs that do not affect Node.js directly, but are relevant to the bundled dependencies:

  • CVE-2023-2724 Type confusion in V8 in Google Chrome prior to 113.0.5672.126 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
  • CVE-2024-6101 Inappropriate implementation in V8 in Google Chrome prior to 126.0.6478.114 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)
  • CVE-2025-0291 Type Confusion in V8 in Google Chrome prior to 131.0.6778.264 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
  • CVE-2025-6191 Integer overflow in V8 in Google Chrome prior to 137.0.7151.119 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)

2025-06-18, Version 22.16.2 'Jod' (LTS), @marco-ippolito

This release improved backwards compatibility with glibc 2.34.

2025-06-06, Version 22.16.1 'Jod' (LTS), @marco-ippolito

The CVEs addressed in this release do not affect Node.js directly, but they are relevant to the bundled dependencies.

  • CVE-2024-7971 Type confusion in V8 in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to exploit heap corruption via a crafted HTML page.
  • CVE-2024-7965 Inappropriate implementation in V8 in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Node.js v20 Release Notes
Release Notes for Node.js v20 NES
Previous Article