diff --git a/apps/site/pages/en/blog/release/v24.14.1.md b/apps/site/pages/en/blog/release/v24.14.1.md new file mode 100644 index 0000000000000..ea881056d7e1b --- /dev/null +++ b/apps/site/pages/en/blog/release/v24.14.1.md 
@@ -0,0 +1,112 @@ +--- +date: '2026-03-24T20:43:31.943Z' +category: release +title: Node.js 24.14.1 (LTS) +layout: blog-post +author: Rafael Gonzaga +--- + +## 2026-03-24, Version 24.14.1 'Krypton' (LTS), @RafaelGSS prepared by @juanarbol + +This is a security release. + +### Notable Changes + +- (CVE-2026-21710) use null prototype for headersDistinct/trailersDistinct (Matteo Collina) - High +- (CVE-2026-21637) wrap SNICallback invocation in try/catch (Matteo Collina) - High +- (CVE-2026-21717) test array index hash collision (Joyee Cheung) - Medium +- (CVE-2026-21713) use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan) - Medium +- (CVE-2026-21714) handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) - Medium +- (CVE-2026-21712) handle url crash on different url formats (RafaelGSS) - Medium +- (CVE-2026-21716) include permission check on lib/fs/promises (RafaelGSS) - Low +- (CVE-2026-21715) add permission check to realpath.native (RafaelGSS) - Low + +### Commits + +- \[[`6fae244080`](https://github.com/nodejs/node/commit/6fae244080)] - **(CVE-2026-21717)** **build,test**: test array index hash collision (Joyee Cheung) [nodejs-private/node-private#828](https://github.com/nodejs-private/node-private/pull/828) +- \[[`cc0910c62e`](https://github.com/nodejs/node/commit/cc0910c62e)] - **(CVE-2026-21713)** **crypto**: use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan) [nodejs-private/node-private#822](https://github.com/nodejs-private/node-private/pull/822) +- \[[`80cb042cf3`](https://github.com/nodejs/node/commit/80cb042cf3)] - **deps**: update undici to 7.24.4 (Node.js GitHub Bot) [#62271](https://github.com/nodejs/node/pull/62271) +- \[[`f5b8667dc2`](https://github.com/nodejs/node/commit/f5b8667dc2)] - **deps**: update undici to 7.24.3 (Node.js GitHub Bot) [#62233](https://github.com/nodejs/node/pull/62233) +- \[[`08852637d9`](https://github.com/nodejs/node/commit/08852637d9)] - **deps**: update undici to 7.22.0 
(Node.js GitHub Bot) [#62035](https://github.com/nodejs/node/pull/62035) +- \[[`61097db9fb`](https://github.com/nodejs/node/commit/61097db9fb)] - **deps**: upgrade npm to 11.11.0 (npm team) [#61994](https://github.com/nodejs/node/pull/61994) +- \[[`9ac0f9f81e`](https://github.com/nodejs/node/commit/9ac0f9f81e)] - **deps**: upgrade npm to 11.10.1 (npm team) [#61892](https://github.com/nodejs/node/pull/61892) +- \[[`3dab3c4698`](https://github.com/nodejs/node/commit/3dab3c4698)] - **deps**: V8: override `depot_tools` version (Richard Lau) [#62344](https://github.com/nodejs/node/pull/62344) +- \[[`87521e99d1`](https://github.com/nodejs/node/commit/87521e99d1)] - **deps**: V8: backport 1361b2a49d02 (Joyee Cheung) [nodejs-private/node-private#828](https://github.com/nodejs-private/node-private/pull/828) +- \[[`045013366f`](https://github.com/nodejs/node/commit/045013366f)] - **deps**: V8: backport 185f0fe09b72 (Joyee Cheung) [nodejs-private/node-private#828](https://github.com/nodejs-private/node-private/pull/828) +- \[[`af22629ea8`](https://github.com/nodejs/node/commit/af22629ea8)] - **deps**: V8: backport 0a8b1cdcc8b2 (snek) [nodejs-private/node-private#828](https://github.com/nodejs-private/node-private/pull/828) +- \[[`380ea72eef`](https://github.com/nodejs/node/commit/380ea72eef)] - **(CVE-2026-21710)** **http**: use null prototype for headersDistinct/trailersDistinct (Matteo Collina) [nodejs-private/node-private#821](https://github.com/nodejs-private/node-private/pull/821) +- \[[`d6b6051e08`](https://github.com/nodejs/node/commit/d6b6051e08)] - **(CVE-2026-21716)** **permission**: include permission check on lib/fs/promises (RafaelGSS) [nodejs-private/node-private#795](https://github.com/nodejs-private/node-private/pull/795) +- \[[`bfdecef9da`](https://github.com/nodejs/node/commit/bfdecef9da)] - **(CVE-2026-21715)** **permission**: add permission check to realpath.native (RafaelGSS) 
[nodejs-private/node-private#794](https://github.com/nodejs-private/node-private/pull/794) +- \[[`c015edf313`](https://github.com/nodejs/node/commit/c015edf313)] - **(CVE-2026-21714)** **src**: handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) [nodejs-private/node-private#832](https://github.com/nodejs-private/node-private/pull/832) +- \[[`cba66c48a5`](https://github.com/nodejs/node/commit/cba66c48a5)] - **(CVE-2026-21712)** **src**: handle url crash on different url formats (RafaelGSS) [nodejs-private/node-private#816](https://github.com/nodejs-private/node-private/pull/816) +- \[[`df8fbfb93d`](https://github.com/nodejs/node/commit/df8fbfb93d)] - **(CVE-2026-21637)** **tls**: wrap SNICallback invocation in try/catch (Matteo Collina) [nodejs-private/node-private#819](https://github.com/nodejs-private/node-private/pull/819) + +Windows 64-bit Installer: https://nodejs.org/dist/v24.14.1/node-v24.14.1-x64.msi \ +Windows ARM 64-bit Installer: https://nodejs.org/dist/v24.14.1/node-v24.14.1-arm64.msi \ +Windows 64-bit Binary: https://nodejs.org/dist/v24.14.1/win-x64/node.exe \ +Windows ARM 64-bit Binary: https://nodejs.org/dist/v24.14.1/win-arm64/node.exe \ +macOS 64-bit Installer: https://nodejs.org/dist/v24.14.1/node-v24.14.1.pkg \ +macOS Apple Silicon 64-bit Binary: https://nodejs.org/dist/v24.14.1/node-v24.14.1-darwin-arm64.tar.gz \ +macOS Intel 64-bit Binary: https://nodejs.org/dist/v24.14.1/node-v24.14.1-darwin-x64.tar.gz \ +Linux 64-bit Binary: https://nodejs.org/dist/v24.14.1/node-v24.14.1-linux-x64.tar.xz \ +Linux PPC LE 64-bit Binary: https://nodejs.org/dist/v24.14.1/node-v24.14.1-linux-ppc64le.tar.xz \ +Linux s390x 64-bit Binary: https://nodejs.org/dist/v24.14.1/node-v24.14.1-linux-s390x.tar.xz \ +AIX 64-bit Binary: https://nodejs.org/dist/v24.14.1/node-v24.14.1-aix-ppc64.tar.gz \ +ARMv8 64-bit Binary: https://nodejs.org/dist/v24.14.1/node-v24.14.1-linux-arm64.tar.xz \ +Source Code: https://nodejs.org/dist/v24.14.1/node-v24.14.1.tar.gz \ +Other release 
files: https://nodejs.org/dist/v24.14.1/ \ +Documentation: https://nodejs.org/docs/v24.14.1/api/ + +### SHASUMS + +``` +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA256 + +56f6c18c5e97beb00594c24eb3cfa3c70b7247c403b00ca7eae75bba30b85ce5 node-v24.14.1-aix-ppc64.tar.gz +4013ca42741ae0fd599d432985834d0ad4f565b1e4c59f8975d561f105f4af5c node-v24.14.1-arm64.msi +25495ff85bd89e2d8a24d88566d7e2f827c6b0d3d872b2cebf75371f93fcb1fe node-v24.14.1-darwin-arm64.tar.gz +0e2e679d76743d6d9225e61327a1ddc324e4a89a80891c78c337208601d98f77 node-v24.14.1-darwin-arm64.tar.xz +2526230ad7d922be82d4fdb1e7ee1e84303e133e3b4b0ec4c2897ab31de0253d node-v24.14.1-darwin-x64.tar.gz +a87a37a10c2faf65742c7d5812f5bab878eee52b0dffdf578f49b7a808d96ddd node-v24.14.1-darwin-x64.tar.xz +282103054f841fe75ecbbfdd8bb7334d0a4bb693191d97c5770ac6ae9acdd4ff node-v24.14.1-headers.tar.gz +4c7a978a22ae662b48d1225310c294239ca0e67d8ecd1b02c49def3536941459 node-v24.14.1-headers.tar.xz +734ff04fa7f8ed2e8a78d40cacf5ac3fc4515dac2858757cbab313eb483ba8a2 node-v24.14.1-linux-arm64.tar.gz +71e427e28b78846f201d4d5ecc30cb13d1508ca099ef3871889a1256c7d6f67e node-v24.14.1-linux-arm64.tar.xz +06824292e8b40b7f65a6f9973f3d60f3cc0001a9168234bc3d6e30aa13649fd2 node-v24.14.1-linux-ppc64le.tar.gz +95bf0c8dbb73144edb79a57399f03c70af6995b78e1c632926e53e6404662ef5 node-v24.14.1-linux-ppc64le.tar.xz +3ae573f43c93dafdafedc80863fa2a040bfeaa15e6ab83c1a8e0101f09952dc4 node-v24.14.1-linux-s390x.tar.gz +ed3bfbc0ff418b0ec4633f23d53a12a691717a34b041c3fbdb296c8774e5a98a node-v24.14.1-linux-s390x.tar.xz +ace9fa104992ed0829642629c46ca7bd7fd6e76278cb96c958c4b387d29658ea node-v24.14.1-linux-x64.tar.gz +84d38715d449447117d05c3e71acd78daa49d5b1bfa8aacf610303920c3322be node-v24.14.1-linux-x64.tar.xz +2aaeb742f6aa924da6fbee5c79d7c602b8bfcec45457eb6b738717c3052a14d6 node-v24.14.1-win-arm64.7z +a7b7c68490e4a8cde1921fe5a0cfb3001d53f9c839e416903e4f28e727b62f60 node-v24.14.1-win-arm64.zip +05024009bab2fed64b1143c3cc9931441cc1b902acd16f5880404db94beb3543 
node-v24.14.1-win-x64.7z +6e50ce5498c0cebc20fd39ab3ff5df836ed2f8a31aa093cecad8497cff126d70 node-v24.14.1-win-x64.zip +fd8ba3e8262738959cad50e6f6e71d689eab7dd09fc7231b51d78abe7852d4ec node-v24.14.1-x64.msi +643b518b5b33dfb5e199e6268307266add568fe8cc981c82e255c9cd1ac51a29 node-v24.14.1.pkg +8298cf1f5774093ca819f41b8dd392fd2cff058688b4d5c8805026352e2d31b3 node-v24.14.1.tar.gz +7822507713f202cf2a551899d250259643f477b671706db421a6fb55c4aa0991 node-v24.14.1.tar.xz +557ba2ad04fd08464edc2ee3e399b58ff11eaba35a00bb05671661557dc6f79e win-arm64/node.exe +59f1c42e5962e9333bb1673c21125b7a7ce9a6908299aee8f7673803c2e24212 win-arm64/node.lib +ab56402e34b2a385ba6987cb7e022b377bbdcba068886d0f6d61beaf71e26e79 win-arm64/node_pdb.7z +223757455be292ec8a00404e0890f6e345d76824875e188e0be30710ebbe4cf4 win-arm64/node_pdb.zip +58e74bf02fc5bbacc41dcb8bef089961cd5bddd37830b87784e4fc624d145d1f win-x64/node.exe +35fcdd35d3d22e283c0e2e095cc43ef676301bb85f950c344a73d59231bd7e61 win-x64/node.lib +005ea57d4ebca610dcf87a08668977f701cbe91d28595f143c0511c344f675f2 win-x64/node_pdb.7z +4a755bfa6387bbe68a586e4beb8153891ec7f55df772147f59f9fccdf5f0b57c win-x64/node_pdb.zip +-----BEGIN PGP SIGNATURE----- + +iQGzBAEBCAAdFiEEiQwI24V5Fi/uDfnbi+q0389VXvQFAmnC9lsACgkQi+q0389V +XvSHhQwAgWVhmIyXzkWwA2f1Yfh63Xwzlqp/lj82kPI3jCcHmf1K8XFXnAM7Tqfh +4o5tenOo3RXjG1Ap24UBuXmw5iLpvJ6uvnZsRgvmUs0wVCrYMzF0isznrOYd6qYo +wZreGxXF/EFEd6sGmCaEpD5g4yvhcvE+6SwSfxpHdDZuuL50gEKHmG2WU4/oCIU4 ++89CBr4BjMsX63fgwHyD3bI4SaWxcncKGHtPgWldmCrNSz80HhtXqxEinaz79H4n ++jaozyEo6x8YL3VKIIzNKRKgw2/7rVui4ydwAP190CiIEEVAffaIlnbaVOYBp5Zy +J2qTcwCLy0YIB1VnDK+6/sdGoLMOmuRhK2/rRVYAN9X/glPzcKProkL/h4Jhs5RL +b9QwMv9I7pzcff+mshUDWECOr/Y+/AwyISLADfTGHtPq4cenhTq5f4C1lgGIgAQl +/Ci+l+sv/Yo5uteRe9uauhy+p6+XkGzpb8/gbkPTBCiRNWnW0pcVwjLoHaZrZGD3 +mmI22SyF +=AqPu +-----END PGP SIGNATURE----- +```
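Review bot: In the Notable Changes list, the CVE-2026-21717 entry is titled "test array index hash collision", which is the subject of the build,test commit 6fae244080 and does not describe a fix. The three V8 backports in the Commits list (87521e99d1, 045013366f, af22629ea8) reference the same node-private#828 but carry no CVE tag, so a reader triaging this release by CVE id finds only the test commit. Consider tagging those backports with (CVE-2026-21717) in the Commits list, or rewording the notable-change entry so it names the V8 change it depends on. Separately, the post says "This is a security release." but the Commits list also carries the undici updates (7.22.0, 7.24.3, 7.24.4) and the npm upgrades (11.10.1, 11.11.0) with no statement on whether they are security-relevant; one line saying so either way would help consumers decide how to treat the dependency bumps.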