Update Jun 18, 2026 tracked by Updatify
2026-06-18, Version 22.23.0 'Jod' (LTS), @aduh95
This is a security release.
Notable Changes
- (CVE-2026-48618) tls: normalize hostname for server identity checks (Matteo Collina) – High
- (CVE-2026-48933) crypto: guard WebCrypto cipher output length (Filip Skokan) – High
- (CVE-2026-48937) deps: fix integration issues with the latest nghttp2 – Medium
- (CVE-2026-48930) dns,net: reject hostnames with embedded NUL bytes (Matteo Collina) – Medium
- (CVE-2026-48619) http2: cap originSet size to prevent unbounded memory growth (Matteo Collina) – Medium
- (CVE-2026-48615) lib,test: redact proxy credentials in tunnel errors (Matteo Collina) – Medium
- (CVE-2026-48934) tls: bind reusable sessions to authenticated host (Matteo Collina) – Medium
- (CVE-2026-48928) tls: fix case-sensitive SNI context matching (Matteo Collina) – Medium
- (CVE-2026-48617) permission: handle process.chdir on writereport (RafaelGSS) – Low
- (CVE-2026-48931) http: fix response queue poisoning in http.Agent (Matteo Collina) – Low
- (CVE-2026-48935) permission: disable FileHandle utimes with permission model (RafaelGSS) – Low
Commits
-
[
38b4c5ed51] - (CVE-2026-48933) crypto: guard WebCrypto cipher output length (Filip Skokan) nodejs-private/node-private#878 -
[
ad8a10c1bb] - deps: update llhttp to 9.4.2 (Antoine du Hamel) nodejs-private/node-private#890 -
[
ca825a87cc] - deps: update undici to 6.27.0 (aduh95) #63711 -
[
a1a5bb9683] - (CVE-2026-48937) deps: fix integration issues with the latest nghttp2 (Tim Perry) #62891 -
[
0f48583512] - (SEMVER-MAJOR) deps: update nghttp2 to 1.69.0 (Node.js GitHub Bot) #62891 -
[
38c869fc05] - deps: update nghttp2 to 1.68.0 (nodejs-github-bot) #61136 -
[
290667c84f] - deps: update nghttp2 to 1.67.1 (nodejs-github-bot) #59790 -
[
c9f3da76aa] - deps: update nghttp2 to 1.66.0 (Node.js GitHub Bot) #58786 -
[
60890be563] - deps: update nghttp2 to 1.65.0 (Node.js GitHub Bot) #57269 -
[
5024c7d5d8] - deps: update archs files for openssl-3.5.7 (Node.js GitHub Bot) #63820 -
[
7f4eb5af2e] - deps: upgrade openssl sources to openssl-3.5.7 (Node.js GitHub Bot) #63820 -
[
ebb4ec78a8] - deps: fix aix implicit declaration in OpenSSL (Abdirahim Musse) #62656 -
[
5763d40826] - deps: update llhttp to 9.4.1 (Node.js GitHub Bot) #63045 -
[
c551a51d0c] - (CVE-2026-48930) dns,net: reject hostnames with embedded NUL bytes (Matteo Collina) nodejs-private/node-private#868 -
[
0a22d40180] - (CVE-2026-48931) http: fix response queue poisoning in http.Agent (Matteo Collina) nodejs-private/node-private#846 -
[
c79968e108] - (CVE-2026-48619) http2: cap originSet size to prevent unbounded memory growth (Matteo Collina) nodejs-private/node-private#855 -
[
0c37bff2ff] - http2: fix DEP0194 message (KaKa) #58669 -
[
ea5dc6b529] - (SEMVER-MAJOR) http2: remove support for priority signaling (Matteo Collina) #58293 -
[
9b6af26132] - (CVE-2026-48615) lib,test: redact proxy credentials in tunnel errors (Matteo Collina) nodejs-private/node-private#867 -
[
28dcd38864] - (CVE-2026-48935) permission: disable FileHandle utimes with permission model (RafaelGSS) nodejs-private/node-private#873 -
[
2f62693801] - (CVE-2026-48617) permission: handle process.chdir on writereport (RafaelGSS) nodejs-private/node-private#870 -
[
1662a3ea09] - test: add session reuse host verification regressions (Matteo Collina) nodejs-private/node-private#854 -
[
718d5d0e2c] - test: skiptest-fs-utimes-y2K38on armv7 (Richard Lau) #63836 -
[
041185b61f] - test: skip test-cluster-dgram-reuse on AIX 7.3 (Stewart X Addison) #62238 -
[
fd890ba01d] - (CVE-2026-48934) tls: bind reusable sessions to authenticated host (Matteo Collina) nodejs-private/node-private#854 -
[
39d1d09684] - (CVE-2026-48928) tls: fix case-sensitive SNI context matching (Matteo Collina) nodejs-private/node-private#857 -
[
2197a47144] - (CVE-2026-48618) tls: normalize hostname for server identity checks (Matteo Collina) nodejs-private/node-private#869