Executive Summary
Node.js issued coordinated security releases across all active lines in June 2026, patching 12 vulnerabilities including WebCrypto DoS and TLS hostname normalization. A new annual major release model is confirmed from Node.js 27 onward.

Node.js Patches High-Severity Vulnerabilities and Shifts to Single Annual Release Model

By Vatsal Shah | June 18, 2026 | 7 min read | Source: Node.js Official Blog

TL;DR: The Node.js project issued coordinated security releases on June 18, 2026 for all three active release lines (22.x, 24.x, and 26.x), patching 12 vulnerabilities. The most notable fixes address a high-severity WebCrypto Denial-of-Service flaw and a TLS hostname normalization bypass. Alongside the security patches, the Node.js project team announced a major governance change: starting with Node.js 27, the project will move to a single annual major release model every April.
INSIGHT

SECURITY ADVISORY SUMMARY

12 CVEs Patched:
All active release lines (22.x, 24.x, 26.x) received simultaneous security updates covering cryptographic, networking, and runtime flaws.
WebCrypto DoS Patched:
A high-severity vulnerability in the built-in WebCrypto API allowed crafted inputs to cause the process to hang indefinitely.
TLS Hostname Normalization Fixed:
A bypass in TLS hostname verification could allow attackers to perform man-in-the-middle interceptions on misconfigured servers.
Annual Release Model:
From Node.js 27, major versions will be released once per year in April, entering LTS in October.

Lead Paragraph

REMOTE — The Node.js Technical Steering Committee (TSC) and the Node.js Security Working Group issued simultaneous security releases on June 18, 2026, targeting all three actively maintained release lines: Node.js 22.x (LTS), Node.js 24.x, and Node.js 26.x (Current). The patch bundle addressed 12 discrete vulnerabilities spanning the WebCrypto subsystem, HTTP parser, TLS negotiation layers, and the experimental permission model. In a companion announcement, the Node.js project confirmed a major shift in its release governance model, moving from bi-annual major releases to a single annual April release cadence beginning with Node.js 27.


What Happened

The June 2026 patch release is one of the largest coordinated security updates the Node.js project has issued across active release lines. The security bulletin identified:

  • 12 Vulnerabilities Patched: Spanning CVE severity classifications from Medium to High across all maintained branches.
  • WebCrypto Denial-of-Service (High Severity): A crafted call to certain SubtleCrypto API methods with oversized or malformed key data could cause the V8 engine's WebCrypto implementation to enter an infinite loop, consuming 100% CPU and blocking the event loop.
  • TLS Hostname Normalization Bypass (High Severity): Inconsistency in how Node.js normalized hostnames before TLS certificate validation allowed certain Unicode-encoded hostnames to bypass checkServerIdentity verification.
  • Permission Model Escape (Medium Severity): A path traversal issue in the experimental --experimental-permission flag allowed reads outside the allowed path scope via certain symlink patterns.

Deep Dive: WebCrypto Denial-of-Service Vulnerability

The WebCrypto vulnerability is the most critical patch in this release. Node.js ships with a built-in crypto.subtle API that wraps V8's native WebCrypto implementation. The bug manifested when an attacker sent a crafted key derivation request using importKey with a specifically sized buffer that triggered a looping condition in the HKDF implementation.

A minimal vulnerable code pattern affected by the now-patched issue:

JAVASCRIPT
const { webcrypto } = require('crypto');

// Prior to the patch: this crafted buffer caused an infinite loop on
// specific Node.js versions (22.x < 22.14.2, 24.x < 24.4.1, 26.x < 26.1.0)
// DO NOT RUN ON UNPATCHED SYSTEMS
const malformedKeyMaterial = Buffer.alloc(16383); // Specific boundary size

webcrypto.subtle.importKey(
  'raw',
  malformedKeyMaterial,
  { name: 'HKDF' },
  false,
  ['deriveKey', 'deriveBits']
).then(() => {
  console.log('Key imported successfully');
}).catch((err) => {
  // Vulnerable versions never reach this handler
  console.error('Import failed:', err.message);
});

The Fix: The Node.js team patched the buffer boundary check in the V8 WebCrypto binding layer. Production systems should update immediately. Affected version ranges include 22.x before 22.14.2, 24.x before 24.4.1, and 26.x before 26.1.0.


TLS Hostname Normalization Attack Flow

The TLS hostname normalization vulnerability is particularly significant for servers accepting connections from clients that may use Internationalized Domain Names (IDNs).

TLS hostname normalization attack flow diagram
Figure 1: How the TLS hostname normalization bypass enabled a man-in-the-middle attack path on vulnerable Node.js versions prior to the June 2026 patch.

Under the pre-patch behavior, Node.js's checkServerIdentity function compared the server certificate's Subject Alternative Names (SANs) against the requested hostname. However, when hostnames contained specific Unicode characters that Unicode-normalize to ASCII equivalents differently between Node.js and the underlying libuv networking layer, the comparison failed silently and allowed a certificate mismatch to pass validation.

Vulnerable Scenario: An attacker controlling a server with a certificate for xn--nds.example.com could intercept connections from clients resolving nds.example.com if the Unicode normalization path was triggered. This affected HTTPS agents, node:https module requests, and third-party HTTP clients built on Node.js core.

The Fix: The patch standardizes hostname normalization to occur before any comparison call in checkServerIdentity, ensuring that the IDN-encoded and decoded forms are resolved to the same canonical ASCII representation before the certificate SAN match is attempted.


Major Governance Change: Annual Release Model from Node.js 27

Alongside the security release, the Node.js Technical Steering Committee published a formal governance proposal that has been ratified: starting with Node.js 27, the project will move to a single annual major release each April.

Node.js annual release lifecycle roadmap timeline
Figure 2: The new Node.js annual major release lifecycle, showing April major releases, October LTS entry, and three-year LTS support windows starting from Node.js 27.

Under the previous model, Node.js released two major versions per year (one in April, one in October), alternating between "Current" and "LTS" tracks. This led to confusion for enterprise teams who found it difficult to track upgrade cadences and allocate testing resources.

The new model simplifies this significantly:

MilestoneMonth
Major ReleaseApril
LTS DesignationOctober
Active LTS Support3 years from October
End of Life6 months after Active LTS

This aligns Node.js with a more predictable enterprise upgrade cycle. Teams running LTS versions will now have a clear three-year window before a mandatory upgrade, removing the pressure of bi-annual major version jumps.


Update Versions

Developers should update to the following patched releases immediately:

Release LineVulnerable BeforePatched Version
Node.js 22.x (LTS)22.14.122.14.2
Node.js 24.x24.4.024.4.1
Node.js 26.x (Current)26.0.126.1.0

To update via the Node Version Manager (nvm):

BASH
# Update to patched Node.js 22.x LTS
nvm install 22.14.2
nvm use 22.14.2

# Verify the installed version
node --version

# Check the installed OpenSSL binding for TLS hardening
node -e "console.log(process.versions.openssl)"

To check if your current installation is affected:

BASH
# Check current Node.js version
node --version

# For Docker-based deployments, update the base image tag
# FROM node:22.14.2-alpine
# FROM node:24.4.1-slim
# FROM node:26.1.0-alpine

What to Watch Next

  • Dependency Audit: Review all third-party packages in your dependency tree that invoke crypto.subtle or establish TLS connections. Libraries like node-fetch, axios, and undici all rely on the underlying Node.js TLS stack.
  • Permission Model Maturity: The path traversal escape in the experimental permission model is a reminder that --experimental-permission is not yet production-hardened for adversarial environments.
  • Node.js 27 Timeline: Watch for the first release candidate of Node.js 27 in Q1 2027, which will be the first version to follow the new annual release model.

For a deeper look at the performance implications of the V8 JIT changes that have been discussed alongside these patches, see the analysis of Node.js 26 Rust JIT Proposal and the JITless V8 Overhead discussion.

Read the full security advisory on the Node.js Official Blog → Node.js Vulnerability Blog


Key Takeaways

  • Patch Now: All active release lines have patched 12 vulnerabilities, including two high-severity issues in WebCrypto and TLS.
  • WebCrypto Hang Fixed: A malformed importKey call could cause the event loop to block indefinitely on unpatched versions.
  • TLS Bypass Closed: Unicode hostname normalization inconsistencies allowed certificate validation to be bypassed in specific attack scenarios.
  • Annual Release Model Confirmed: Starting with Node.js 27, one major version will be released every April, with LTS entry each October.
  • Enterprise Stability: The new cadence gives teams a predictable three-year LTS window per major version.

FAQ


Vatsal Shah

Vatsal Shah

Technical Project Manager & Solution Architect

I write code, ship agentic systems, and advise boards from India and global HQ — 15+ years across BFSI, GCC, and Fortune-scale cloud programs. If you need architecture that survives audit, start here.

View credentials →