Node.js ships critical security patches

Node.js released patches addressing DoS, crash, and TLS vulnerabilities—updates that directly impact backend projects and any JS-based tooling. Applying these patches is essential for secure deployments and for keeping internship project servers safe. (x.com)

Node.js published coordinated security releases on March 24, 2026 that update the 25.x, 24.x, 22.x and 20.x release lines and address 2 high-, 5 medium- and 2 low-severity vulnerabilities. (nodejs.org)

The highest-rated flaw is tracked as CVE-2026-21637 and stems from TLS error handling (SNICallback / PSK / ALPN callbacks) that can be triggered remotely to crash or exhaust a TLS server. (cvedetails.com) A separate high-severity HTTP handling bug, CVE-2026-21710, affects header/trailer processing and was fixed by wrapping header prototypes, as shown in the Node.js release commits credited to Matteo Collina. (github.com) The releases also close permission-model and filesystem gaps (CVE-2026-21711 and CVE-2026-21715) that allow Unix-domain socket bind/listen bypasses and leave realpath.native without required read checks; fixes were authored by RafaelGSS and others. (github.com)

Official packages were published as Node.js 20.20.2 ("Iron") for LTS and matching updates across 25.x/24.x/22.x, and the updates include dependency bumps such as undici to address related vulnerabilities. (nodejs.org)

Immediate remediation paths published and demonstrated in community guidance include verifying versions with node -v and upgrading to the patched build (for example via nvm install 20.20.2, or by downloading the 20.20.2 installer or using package managers), then re-verifying that hosts report v20.20.2. (undercodetesting.com)
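One way to turn the "check node -v, then re-verify" step into a repeatable gate, as an added example that is not from the briefing or the Node.js project: a small script that compares a Node.js version string against the patched build for its release line. Only the 20.x minimum (20.20.2) is stated above; the 22.x/24.x/25.x entries are left as null placeholders to be filled in from the nodejs.org security release post.

```javascript
// Added example: report whether a Node.js version is at or above the patched
// build for its release line. PATCHED_MINIMUMS holds only what the briefing
// states (20.20.2 for the 20.x "Iron" line); the other lines are placeholders
// (assumption: fill them from the official advisory before relying on them).
const PATCHED_MINIMUMS = {
  20: '20.20.2', // Node.js 20 "Iron" LTS, March 24, 2026 security release
  22: null,      // placeholder: take from the nodejs.org advisory
  24: null,      // placeholder
  25: null,      // placeholder
};

// Parse "v20.20.2" or "20.20.2" into [major, minor, patch]; reject anything else
// so a garbled `node -v` capture is never silently treated as patched.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised Node.js version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Compare two version strings numerically (not as text): returns -1, 0 or 1.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Classify a version: 'patched', 'vulnerable', or 'unknown' when the release
// line has no recorded minimum (end-of-life lines and unfilled placeholders).
function checkNodeVersion(version, minimums = PATCHED_MINIMUMS) {
  const [major] = parseVersion(version);
  const minimum = minimums[major];
  if (minimum === undefined || minimum === null) {
    return { status: 'unknown', line: major, minimum: null };
  }
  const status = compareVersions(version, minimum) >= 0 ? 'patched' : 'vulnerable';
  return { status, line: major, minimum };
}

// Stand-alone use: classify the interpreter running this script. A CI wrapper
// can fail the build when the printed status is 'vulnerable' or 'unknown'.
const self = checkNodeVersion(process.version);
console.log(`${process.version}: ${self.status}` +
  (self.minimum ? ` (patched minimum ${self.minimum})` : ''));
```

The same function can be fed the output of `node -v` collected from each host, so a fleet-wide re-verification reduces to a list of version strings.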

Shared from Scout - Be the smartest in the room.