Skip to content
Permalink

Comparing changes

Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also or learn more about diff comparisons.

Open a pull request

Create a new pull request by comparing changes across two branches. If you need to, you can also . Learn more about diff comparisons here.
base repository: nodejs/node
Failed to load repositories. Confirm that selected base ref is valid, then try again.
Loading
base: v24.12.0
Choose a base ref
...
head repository: nodejs/node
Failed to load repositories. Confirm that selected head ref is valid, then try again.
Loading
compare: v24.13.0
Choose a head ref
  • 10 commits
  • 136 files changed
  • 6 contributors

Commits on Dec 10, 2025

  1. Working on v24.12.1 

    PR-URL: #61001
    @targos
    targos committed Dec 10, 2025
    Configuration menu
    Copy the full SHA
    2ac18ce View commit details
    Browse the repository at this point in the history

Commits on Jan 7, 2026

  1. lib: disable futimes when permission model is enabled 

    Refs: https://hackerone.com/reports/3390084
PR-URL: nodejs-private/node-private#748
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
CVE-ID: CVE-2025-55132
    @RafaelGSS @marco-ippolito
    RafaelGSS authored and marco-ippolito committed Jan 7, 2026
    Configuration menu
    Copy the full SHA
    89adaa2 View commit details
    Browse the repository at this point in the history

Commits on Jan 9, 2026

  1. lib,permission: require full read and write to symlink APIs 

    Refs: https://hackerone.com/reports/3417819
Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com>
PR-URL: nodejs-private/node-private#760
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
CVE-ID: CVE-2025-55130
    @RafaelGSS
    RafaelGSS committed Jan 9, 2026
    Configuration menu
    Copy the full SHA
    7302b4d View commit details
    Browse the repository at this point in the history

  2. src: rethrow stack overflow exceptions in async_hooks 

    When a stack overflow exception occurs during async_hooks callbacks
(which use TryCatchScope::kFatal), detect the specific "Maximum call
stack size exceeded" RangeError and re-throw it instead of immediately
calling FatalException. This allows user code to catch the exception
with try-catch blocks instead of requiring uncaughtException handlers.

The implementation adds IsStackOverflowError() helper to detect stack
overflow RangeErrors and re-throws them in TryCatchScope destructor
instead of calling FatalException.

This fixes the issue where async_hooks would cause stack overflow
exceptions to exit with code 7 (kExceptionInFatalExceptionHandler)
instead of being catchable.

Fixes: #37989
Ref: https://hackerone.com/reports/3456295
PR-URL: nodejs-private/node-private#773
Refs: https://hackerone.com/reports/3456295
Reviewed-By: Robert Nagy <ronagy@icloud.com>
Reviewed-By: Paolo Insogna <paolo@cowtech.it>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
CVE-ID: CVE-2025-59466
    @mcollina @RafaelGSS
    mcollina authored and RafaelGSS committed Jan 9, 2026
    Configuration menu
    Copy the full SHA
    ac03075 View commit details
    Browse the repository at this point in the history

  3. tls: route callback exceptions through error handlers 

    Wrap pskCallback and ALPNCallback invocations in try-catch blocks
to route exceptions through owner.destroy() instead of letting them
become uncaught exceptions. This prevents remote attackers from
crashing TLS servers or causing resource exhaustion.

Fixes: https://hackerone.com/reports/3473882
PR-URL: nodejs-private/node-private#796
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
CVE-ID: CVE-2026-21637
    @mcollina @RafaelGSS
    mcollina authored and RafaelGSS committed Jan 9, 2026
    Configuration menu
    Copy the full SHA
    20591b0 View commit details
    Browse the repository at this point in the history

  4. lib: add TLSSocket default error handler 

    This prevents the server from crashing due to an unhandled rejection
when a TLSSocket connection is abruptly destroyed during initialization
and the user has not attached an error handler to the socket.
e.g:

```js
const server = http2.createSecureServer({ ... })
server.on('secureConnection', socket => {
  socket.on('error', err => {
    console.log(err)
  })
})
```

PR-URL: nodejs-private/node-private#797
Fixes: #44751
Refs: https://hackerone.com/bugs?subject=nodejs&report_id=3262404
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
CVE-ID: CVE-2025-59465
    @RafaelGSS
    RafaelGSS committed Jan 9, 2026
    Configuration menu
    Copy the full SHA
    4ba536a View commit details
    Browse the repository at this point in the history

  5. deps: update undici to 7.18.2 

    PR-URL: #61283
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Richard Lau <richard.lau@ibm.com>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: Aviv Keller <me@aviv.sh>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Matthew Aitken <maitken033380023@gmail.com>
    @nodejs-github-bot @RafaelGSS
    nodejs-github-bot authored and RafaelGSS committed Jan 9, 2026
    Configuration menu
    Copy the full SHA
    3e58b7f View commit details
    Browse the repository at this point in the history

  6. deps: update c-ares to v1.34.6 

    PR-URL: #60997
Reviewed-By: Richard Lau <richard.lau@ibm.com>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Juan José Arboleda <soyjuanarbol@gmail.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Ethan Arrowood <ethan@arrowood.dev>
    @nodejs-github-bot @RafaelGSS
    nodejs-github-bot authored and RafaelGSS committed Jan 9, 2026
    Configuration menu
    Copy the full SHA
    2092785 View commit details
    Browse the repository at this point in the history

  7. src,lib: refactor unsafe buffer creation to remove zero-fill toggle 

    This removes the zero-fill toggle mechanism that allowed JavaScript
to control ArrayBuffer initialization via shared memory. Instead,
unsafe buffer creation now uses a dedicated C++ API.

Refs: https://hackerone.com/reports/3405778
Co-Authored-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com>
PR-URL: nodejs-private/node-private#759
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
CVE-ID: CVE-2025-55131
    @ChALkeR @RafaelGSS
    ChALkeR and RafaelGSS committed Jan 9, 2026
    Configuration menu
    Copy the full SHA
    2007569 View commit details
    Browse the repository at this point in the history

  8. 2026-01-13, Version 24.13.0 'Krypton' (LTS) 

    This is a security release.

Notable changes:

lib:
  * (CVE-2025-59465) add TLSSocket default error handler (RafaelGSS) <nodejs-private/node-private#797>
  * (CVE-2025-55132) disable futimes when permission model is enabled (RafaelGSS) <nodejs-private/node-private#748>
lib,permission:
  * (CVE-2025-55130) require full read and write to symlink APIs (RafaelGSS) <nodejs-private/node-private#760>
src:
  * (CVE-2025-59466) rethrow stack overflow exceptions in async\_hooks (Matteo Collina) <nodejs-private/node-private#773>
src,lib:
  * (CVE-2025-55131) refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) <nodejs-private/node-private#759>
tls:
  * (CVE-2026-21637) route callback exceptions through error handlers (Matteo Collina) <nodejs-private/node-private#796>

PR-URL: nodejs-private/node-private#800
    @marco-ippolito @RafaelGSS
    marco-ippolito authored and RafaelGSS committed Jan 9, 2026
    Configuration menu
    Copy the full SHA
    def0bdf View commit details
    Browse the repository at this point in the history
Loading