Node.js v22 Release Notes
Release Notes for Node.js v22 NES
2025-07-16, Version 22.17.2 'Jod' (LTS), @marco-ippolito
This release includes commits from the open‑source v22.17.1 security release.
It also includes the following CVEs that do not affect Node.js directly, but are relevant to the bundled dependencies:
- CVE-2023-2724 Type confusion in V8 in Google Chrome prior to 113.0.5672.126 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
- CVE-2024-6101 Inappropriate implementation in V8 in Google Chrome prior to 126.0.6478.114 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)
- CVE-2025-0291 Type Confusion in V8 in Google Chrome prior to 131.0.6778.264 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
- CVE-2025-6191 Integer overflow in V8 in Google Chrome prior to 137.0.7151.119 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)
2025-06-18, Version 22.16.2 'Jod' (LTS), @marco-ippolito
This release improved backwards compatibility with glibc 2.34.
2025-06-06, Version 22.16.1 'Jod' (LTS), @marco-ippolito
The CVEs addressed in this release do not affect Node.js directly, but they are relevant to the bundled dependencies.
- CVE-2024-7971 Type confusion in V8 in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to exploit heap corruption via a crafted HTML page.
- CVE-2024-7965 Inappropriate implementation in V8 in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.