HeroDevs
Visit Node NES Home Page

Node.js v22 Release Notes

Release Notes for Node.js v22 NES

2026-01-15, Version 22.22.1 'Jod' (NES)

This release includes commits from the open-source v22.22.0 security release. Some of CVEs addressed in this release do not affect Node.js directly, but they are relevant to the bundled dependencies.

  • CVE-2024-6779 Out of bounds memory access in V8 in Google Chrome prior to 126.0.6478.182 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
  • CVE-2024-7969 Type Confusion in V8 in Google Chrome prior to 128.0.6613.113 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
  • CVE-2024-10231 Type Confusion in V8 in Google Chrome prior to 130.0.6723.69 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
  • CVE-2025-12441 Out of bounds read in V8 in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Medium)
  • CVE-2025-13721 Race in v8 in Google Chrome prior to 143.0.7499.41 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
  • CVE-2025-11219 Use after free in V8 in Google Chrome prior to 141.0.7390.54 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Low)
  • CVE-2025-14766 Out of bounds read and write in V8 in Google Chrome prior to 143.0.7499.147 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
  • CVE-2025-59465 Node.js HTTP/2 server crashes with unhandled error when receiving malformed HEADERS frame. (High)
  • CVE-2025-55130 Bypass File System Permissions using crafted symlinks. (High)
  • CVE-2025-59466 Uncatchable "Maximum call stack size exceeded" error on Node.js via async_hooks leads to process crashes bypassing error handlers. (Medium)
  • CVE-2025-55131 Timeout-based race conditions make Uint8Array/Buffer.alloc non-zerofilled. (High)
  • CVE-2026-21637 TLS PSK/ALPN Callback Exceptions Bypass Error Handlers, Causing DoS and FD Leak . (Medium)
  • CVE-2025-55312 fs.futimes() Bypasses Read-Only Permission Model - (Low)

2025-12-09, Version 22.21.4 'Jod' (NES)

The CVEs addressed in this release do not affect Node.js directly, but they are relevant to the bundled dependencies.

  • CVE-2025-13042 Inappropriate implementation in V8 in Google Chrome prior to 142.0.7444.166 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
  • CVE-2025-9479 Out of bounds read in V8 in Google Chrome prior to 133.0.6943.141 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
  • CVE-2025-13223 Type Confusion in V8 in Google Chrome prior to 142.0.7444.175 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
  • CVE-2025-13224 Type Confusion in V8 in Google Chrome prior to 142.0.7444.175 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
  • CVE-2024-8904 Type Confusion in V8 in Google Chrome prior to 129.0.6668.58 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
  • CVE-2024-8905 Inappropriate implementation in V8 in Google Chrome prior to 129.0.6668.58 allowed a remote attacker to potentially exploit stack corruption via a crafted HTML page. (Chromium security severity: Medium)
  • CVE-2024-9121 Inappropriate implementation in V8 in Google Chrome prior to 129.0.6668.70 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)
  • CVE-2024-9122 Type Confusion in V8 in Google Chrome prior to 129.0.6668.70 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)
  • CVE-2024-9603 Type Confusion in V8 in Google Chrome prior to 129.0.6668.100 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
  • CVE-2024-9602 Type Confusion in V8 in Google Chrome prior to 129.0.6668.100 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High)
  • CVE-2024-11395 Type Confusion in V8 in Google Chrome prior to 131.0.6778.85 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
  • CVE-2024-6100 Type Confusion in V8 in Google Chrome prior to 126.0.6478.114 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
  • CVE-2025-0445 Use after free in V8 in Google Chrome prior to 133.0.6943.53 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
  • CVE-2025-12036 Out of bounds memory access in V8 in Google Chrome prior to 141.0.7390.122 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)
  • CVE-2025-12428 Type Confusion in V8 in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: High)
  • CVE-2025-12429 Inappropriate implementation in V8 in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: High)
  • CVE-2025-12433 Inappropriate implementation in V8 in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)

2025-11-25, Version 22.21.3 'Jod' (NES)

The CVEs addressed in this release do not affect Node.js directly, but they are relevant to the bundled dependencies.

  • CVE-2024-9859 Type confusion in WebAssembly in Google Chrome prior to 126.0.6478.126 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
  • CVE-2024-10230 Type Confusion in V8 in Google Chrome prior to 130.0.6723.69 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
  • CVE-2024-10231 Type Confusion in V8 in Google Chrome prior to 130.0.6723.69 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
  • CVE-2024-12693 Out of bounds memory access in V8 in Google Chrome prior to 131.0.6778.204 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
  • CVE-2025-0999 Heap buffer overflow in V8 in Google Chrome prior to 133.0.6943.126 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
  • CVE-2025-12432 Race in V8 in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

2025-11-13, Version 22.21.2 'Iron' (NES)

This release includes commits from the open‑source v22.21.1 release. The CVEs addressed in this release do not affect Node.js directly, but they are relevant to the bundled dependencies.

  • CVE-2025-1914 Out of bounds read in V8 in Google Chrome prior to 134.0.6998.35 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)
  • CVE-2024-7535 Inappropriate implementation in V8 in Google Chrome prior to 127.0.6533.99 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
  • CVE-2024-5838 Type Confusion in V8 in Google Chrome prior to 126.0.6478.54 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)

2025-10-13, Version 22.20.2 'Iron' (NES)

The CVEs addressed in this release do not affect Node.js directly, but they are relevant to the bundled dependencies.

  • CVE-2025-11219 Not yet published on NVD.
  • CVE-2025-10891 Integer overflow in V8 in Google Chrome prior to 140.0.7339.207 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
  • CVE-2025-10585 Type confusion in V8 in Google Chrome prior to 140.0.7339.185 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
  • CVE-2025-10892 Integer overflow in V8 in Google Chrome prior to 140.0.7339.207 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

2025-10-04, Version 22.20.1 'Iron' (NES)

This release includes commits from the open‑source v22.20.0 release. The CVEs addressed in this release do not affect Node.js directly, but they are relevant to the bundled dependencies.

  • CVE-2025-9132 Out of bounds write in V8 in Google Chrome prior to 139.0.7258.138 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
  • CVE-2025-8880 Race in V8 in Google Chrome prior to 139.0.7258.127 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

2025-09-04, Version 22.19.1 'Jod' (NES)

This release includes commits from the open‑source v22.19.0 release.

It also includes the following CVEs that do not affect Node.js directly, but are relevant to the bundled dependencies:

  • CVE-2025-0612 Out of bounds memory access in V8 in Google Chrome prior to 132.0.6834.110 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
  • CVE-2025-0611 Object corruption in V8 in Google Chrome prior to 132.0.6834.110 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
  • CVE-2025-0434 Out of bounds memory access in V8 in Google Chrome prior to 132.0.6834.83 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
  • CVE-2024-7550 Type Confusion in V8 in Google Chrome prior to 127.0.6533.99 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
  • CVE-2024-6773 Inappropriate implementation in V8 in Google Chrome prior to 126.0.6478.182 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
  • CVE-2024-6772 Inappropriate implementation in V8 in Google Chrome prior to 126.0.6478.182 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)
  • CVE-2024-5837 Type Confusion in V8 in Google Chrome prior to 126.0.6478.54 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)
  • CVE-2024-5830 Type Confusion in V8 in Google Chrome prior to 126.0.6478.54 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High)
  • CVE-2023-4355 Out of bounds memory access in V8 in Google Chrome prior to 116.0.5845.96 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

2025-08-22, Version 22.18.2 'Jod' (NES)

This release includes the following CVEs that do not affect Node.js directly, but are relevant to the bundled dependencies:

  • CVE-2025-6554 Type confusion in V8 in Google Chrome prior to 138.0.7204.96 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: High)

It also fixes a bug that caused the version in process.version to be incorrect.

2025-08-13, Version 22.18.1 'Jod' (NES)

This release includes commits from the open‑source v22.18.0 release.

It also includes the following CVEs that do not affect Node.js directly, but are relevant to the bundled dependencies:

  • CVE-2025-8010 Type Confusion in V8 in Google Chrome prior to 138.0.7204.168 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
  • CVE-2025-8011 Type Confusion in V8 in Google Chrome prior to 138.0.7204.168 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
  • CVE-2025-7656 Integer overflow in V8 in Google Chrome prior to 138.0.7204.157 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
  • CVE-2024-5841 Use after free in V8 in Google Chrome prior to 126.0.6478.54 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
  • CVE-2024-4949 Use after free in V8 in Google Chrome prior to 125.0.6422.60 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)

2025-07-16, Version 22.17.2 'Jod' (NES)

This release includes commits from the open‑source v22.17.1 security release.

It also includes the following CVEs that do not affect Node.js directly, but are relevant to the bundled dependencies:

  • CVE-2023-2724 Type confusion in V8 in Google Chrome prior to 113.0.5672.126 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
  • CVE-2024-6101 Inappropriate implementation in V8 in Google Chrome prior to 126.0.6478.114 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)
  • CVE-2025-0291 Type Confusion in V8 in Google Chrome prior to 131.0.6778.264 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
  • CVE-2025-6191 Integer overflow in V8 in Google Chrome prior to 137.0.7151.119 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)

2025-06-18, Version 22.16.2 'Jod' (NES)

This release improved backwards compatibility with glibc 2.34.

2025-06-06, Version 22.16.1 'Jod' (NES)

The CVEs addressed in this release do not affect Node.js directly, but they are relevant to the bundled dependencies.

  • CVE-2024-7971 Type confusion in V8 in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to exploit heap corruption via a crafted HTML page.
  • CVE-2024-7965 Inappropriate implementation in V8 in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Node.js v20 Release Notes
Release Notes for Node.js v20 NES
Previous Article