diff --git a/apps/site/pages/en/blog/release/v25.8.2.md b/apps/site/pages/en/blog/release/v25.8.2.md new file mode 100644 index 0000000000000..7f2ffd051ae02 --- /dev/null +++ b/apps/site/pages/en/blog/release/v25.8.2.md 
@@ -0,0 +1,109 @@ +--- +date: '2026-03-24T20:43:41.861Z' +category: release +title: Node.js 25.8.2 (Current) +layout: blog-post +author: Rafael Gonzaga +--- + +## 2026-03-24, Version 25.8.2 (Current), @RafaelGSS + +This is a security release. + +### Notable Changes + +- (CVE-2026-21637) wrap `SNICallback` invocation in `try`/`catch` (Matteo Collina) - High +- (CVE-2026-21710) use null prototype for `headersDistinct`/`trailersDistinct` (Matteo Collina) - High +- (CVE-2026-21711) include permission check to `pipe_wrap.cc` (RafaelGSS) - Medium +- (CVE-2026-21712) handle url crash on different url formats (RafaelGSS) - Medium +- (CVE-2026-21713) use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan) - Medium +- (CVE-2026-21714) handle `NGHTTP2_ERR_FLOW_CONTROL` error code (RafaelGSS) - Medium +- (CVE-2026-21717) test array index hash collision (Joyee Cheung) - Medium +- (CVE-2026-21715) add permission check to `realpath.native` (RafaelGSS) - Low +- (CVE-2026-21716) include permission check on `lib/fs/promises` (RafaelGSS) - Low + +### Commits + +- \[[`2086b7477b`](https://github.com/nodejs/node/commit/2086b7477b)] - **(CVE-2026-21717)** **build,test**: test array index hash collision (Joyee Cheung) [nodejs-private/node-private#834](https://github.com/nodejs-private/node-private/pull/834) +- \[[`0f9332a40a`](https://github.com/nodejs/node/commit/0f9332a40a)] - **(CVE-2026-21713)** **crypto**: use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan) [nodejs-private/node-private#822](https://github.com/nodejs-private/node-private/pull/822) +- \[[`2b6937ddb2`](https://github.com/nodejs/node/commit/2b6937ddb2)] - **deps**: update undici to 7.24.4 (Node.js GitHub Bot) [#62271](https://github.com/nodejs/node/pull/62271) +- \[[`bfb8ad5787`](https://github.com/nodejs/node/commit/bfb8ad5787)] - **deps**: update undici to 7.24.3 (Node.js GitHub Bot) [#62233](https://github.com/nodejs/node/pull/62233) +- 
\[[`be6384727f`](https://github.com/nodejs/node/commit/be6384727f)] - **deps**: upgrade npm to 11.11.1 (npm team) [#62216](https://github.com/nodejs/node/pull/62216) +- \[[`2feea5bb97`](https://github.com/nodejs/node/commit/2feea5bb97)] - **deps**: V8: override `depot_tools` version (Richard Lau) [#62344](https://github.com/nodejs/node/pull/62344) +- \[[`86c04784dd`](https://github.com/nodejs/node/commit/86c04784dd)] - **(CVE-2026-21710)** **http**: use null prototype for headersDistinct/trailersDistinct (Matteo Collina) [nodejs-private/node-private#821](https://github.com/nodejs-private/node-private/pull/821) +- \[[`5197a56a34`](https://github.com/nodejs/node/commit/5197a56a34)] - **(CVE-2026-21711)** **permission**: include permission check to pipe_wrap.cc (RafaelGSS) [nodejs-private/node-private#820](https://github.com/nodejs-private/node-private/pull/820) +- \[[`04a886c735`](https://github.com/nodejs/node/commit/04a886c735)] - **(CVE-2026-21716)** **permission**: include permission check on lib/fs/promises (RafaelGSS) [nodejs-private/node-private#795](https://github.com/nodejs-private/node-private/pull/795) +- \[[`9a7f80f2b0`](https://github.com/nodejs/node/commit/9a7f80f2b0)] - **(CVE-2026-21715)** **permission**: add permission check to realpath.native (RafaelGSS) [nodejs-private/node-private#794](https://github.com/nodejs-private/node-private/pull/794) +- \[[`d9c9b628cf`](https://github.com/nodejs/node/commit/d9c9b628cf)] - **(CVE-2026-21714)** **src**: handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) [nodejs-private/node-private#832](https://github.com/nodejs-private/node-private/pull/832) +- \[[`45b55dc786`](https://github.com/nodejs/node/commit/45b55dc786)] - **(CVE-2026-21712)** **src**: handle url crash on different url formats (RafaelGSS) [nodejs-private/node-private#816](https://github.com/nodejs-private/node-private/pull/816) +- \[[`4bfda307c0`](https://github.com/nodejs/node/commit/4bfda307c0)] - **(CVE-2026-21637)** **tls**: wrap SNICallback 
invocation in try/catch (Matteo Collina) [nodejs-private/node-private#819](https://github.com/nodejs-private/node-private/pull/819) + +Windows 64-bit Installer: https://nodejs.org/dist/v25.8.2/node-v25.8.2-x64.msi \ +Windows ARM 64-bit Installer: https://nodejs.org/dist/v25.8.2/node-v25.8.2-arm64.msi \ +Windows 64-bit Binary: https://nodejs.org/dist/v25.8.2/win-x64/node.exe \ +Windows ARM 64-bit Binary: https://nodejs.org/dist/v25.8.2/win-arm64/node.exe \ +macOS 64-bit Installer: https://nodejs.org/dist/v25.8.2/node-v25.8.2.pkg \ +macOS Apple Silicon 64-bit Binary: https://nodejs.org/dist/v25.8.2/node-v25.8.2-darwin-arm64.tar.gz \ +macOS Intel 64-bit Binary: https://nodejs.org/dist/v25.8.2/node-v25.8.2-darwin-x64.tar.gz \ +Linux 64-bit Binary: https://nodejs.org/dist/v25.8.2/node-v25.8.2-linux-x64.tar.xz \ +Linux PPC LE 64-bit Binary: https://nodejs.org/dist/v25.8.2/node-v25.8.2-linux-ppc64le.tar.xz \ +Linux s390x 64-bit Binary: https://nodejs.org/dist/v25.8.2/node-v25.8.2-linux-s390x.tar.xz \ +AIX 64-bit Binary: https://nodejs.org/dist/v25.8.2/node-v25.8.2-aix-ppc64.tar.gz \ +ARMv8 64-bit Binary: https://nodejs.org/dist/v25.8.2/node-v25.8.2-linux-arm64.tar.xz \ +Source Code: https://nodejs.org/dist/v25.8.2/node-v25.8.2.tar.gz \ +Other release files: https://nodejs.org/dist/v25.8.2/ \ +Documentation: https://nodejs.org/docs/v25.8.2/api/ + +### SHASUMS + +``` +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA256 + +d9fd5dcbfa95727bf30eed1ba1587cbb956a9e5364cf280e0bee2cfa7253802f node-v25.8.2-aix-ppc64.tar.gz +1d8e77a827bd19bac021fccd1f4b0e1f53ef2c4963c40aa2cfadfb8426486351 node-v25.8.2-arm64.msi +fb8dabfda3232ef90d992e6439824fc3237356c04d182f3fa883bebeef31e871 node-v25.8.2-darwin-arm64.tar.gz +ed0d0d6a1a2594d557f36f451ff34dff321d37b7ecb0d24b87c9ff2051086a18 node-v25.8.2-darwin-arm64.tar.xz +530ffb419789f843215375a65b8fcf4cf010735e99276f512a241a31ba8e5e13 node-v25.8.2-darwin-x64.tar.gz +16ccd800deb1a3de28cc71c77226608aa6dc380f86609fd810be3b60a3da1460 
node-v25.8.2-darwin-x64.tar.xz +0592acd2a654d1c03360827774b3106453044b42b6d56cc70898f8edf7ac253d node-v25.8.2-headers.tar.gz +15ccf7adaff8a2d665fd2e7e32c0c106231eeb4bee2fe493e8a829701da60512 node-v25.8.2-headers.tar.xz +2f823ecd4f9331d6492fedbe50c5a610be3084521f3a5af146875e00a52f2e63 node-v25.8.2-linux-arm64.tar.gz +b7e8e0c9d48b6d9a43cf6e8d3960127473db001d60e964cb5e955e95603666eb node-v25.8.2-linux-arm64.tar.xz +8910cb32177b689620282859ce19a2c0285e55eeedef4854ff9af3da3bb54b5e node-v25.8.2-linux-ppc64le.tar.gz +6eda60bf124af0469be1045def9e1421c389ca0e2a67ab93834c5d7a41ed7f8f node-v25.8.2-linux-ppc64le.tar.xz +71af59d9a2e40cee6740084c40ae28138eff4d5fbf1ba81dbc729dffc5c71f7c node-v25.8.2-linux-s390x.tar.gz +fcd6dcc95564e293762b81699ee4614d0d867a26614a6549600b28751910834f node-v25.8.2-linux-s390x.tar.xz +e06c7069012d40914c57b31157c69d4ce83ea1fe9d63bbb7d26e0509a4535d21 node-v25.8.2-linux-x64.tar.gz +13a4c88c391aade2b7afba799ff27d09773b04e8a6c27f52908f79ff0e3787f5 node-v25.8.2-linux-x64.tar.xz +e850a0f2ff0fc8ffd93218ef0a5bf9d5e2ddaab50a3953d3676662584534fb93 node-v25.8.2-win-arm64.7z +a08e817d3ca86e065898c7d926f9c0c9a6d812ac9888f7f7cfd8c147ee8cbb29 node-v25.8.2-win-arm64.zip +e50bc4b23c85eeaa782423846c837fdd613dfb4cf5acf7841ca1048b4c66372b node-v25.8.2-win-x64.7z +51815d5b0256b947d27d614de04060fcfdbdb830d2c86e63e6f33dbf7964cca7 node-v25.8.2-win-x64.zip +176cc1d25eaacf1d8058bc319214ca156a4ad7b985d5ae0f239dbc26aa42ffd5 node-v25.8.2-x64.msi +90b364d8d6e6faabe13525c107f626cbfd69b9536aa87c5f2997ad81461b4fe6 node-v25.8.2.pkg +10335f268f7ffacd4f2b4f48d91dc5b19b1577a2861248ca414614ea24ebee65 node-v25.8.2.tar.gz +3efb19e757dc59bb21632507200d2de782369d5226a68955e9372c925fdf2471 node-v25.8.2.tar.xz +4c82a15e4af72881f8f4942506da1b56f2c4b2095924d8442de9f0ad96727834 win-arm64/node.exe +47750ee99207e5b621671565852cf7385f27bf664470886b9437137342a497c9 win-arm64/node.lib +2ed75e3a7fe8a85aa034c7c9c009bab8d65ce08722f5ab9c3bb3c5588ff6798d win-arm64/node_pdb.7z 
+e9e90a2fcf1db28870dbb9750326892e9574130602ab6114d1504d4219763d62 win-arm64/node_pdb.zip +f8d22c62786c547dc76b15c744e86c0ac1fe9dc38f2e0610dbad4d2b223a4544 win-x64/node.exe +f7201b932d898bdbf78aee7add288d2263c4791f1502068ad11b6c14675c6324 win-x64/node.lib +28288d282ef8043712bc227d43c475a4b60f42b6a1cd8007954e785e5220550c win-x64/node_pdb.7z +9c82e8c3931b46b7b975c41246e097d8980a68ea020e69ca9ad685b53179bbb6 win-x64/node_pdb.zip +-----BEGIN PGP SIGNATURE----- + +iQGzBAEBCAAdFiEEiQwI24V5Fi/uDfnbi+q0389VXvQFAmnC9sAACgkQi+q0389V +XvS4Ugv/Y074JLw5sr2pwbNhqLJCT2Jq7IHvYcOSsZ7VRIbmkOajhYKkVY9bKmoj +ELdk1qpkQYYH1cEEE7YRBqJGwEVChLu//GgvnLgwopR0QRn4Si+2EuSUYUmBXkAx +nLAHthd6HgSVF0A61jsNiTNlyS3tSkubfSGo82OuBMFtiD6n8A5ilgT4zeG+7ydB +tFv+jL5FevUdmYxC7rglSjdrZ/J/uyh2VGnbh1BOwdKSirYrMTEzvpJpX+v4lXHe +vlqvY2KIgR9g4f0pMMqZQ6Gx4MTfXfZYWPajLkHgdtMVe1Bsc82hfWwbHpzcCQFT +j5E0L1HzEC+ornLuv6o+muyX6Yj2weDNhfpIPQWARchcSgKrHZiG3yeEzlj0HLm6 +mn+rDRVLSqK8FwERn/rxHCUZHBzfupF2970a3APB6fXwYXt4u94qCpFsRthoJeA+ +GZ+elk0wLrKpwZs8bnz00RSAfqZ9Uy8PKGGVlelahE4mhjxHs7SbjC381xAwsAVC +LCDG1U7a +=8GXb +-----END PGP SIGNATURE----- +```
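
Review bot: The "Notable Changes" entries reuse the commit subjects verbatim, so a reader cannot tell what is affected or why an item carries its rating. The clearest case is `(CVE-2026-21717) test array index hash collision (Joyee Cheung) - Medium`, which reads like a test-only change under `build,test` yet is listed as a Medium fix. Consider adding one sentence per CVE that states the affected API and the impact, or linking the corresponding security advisory from the line "This is a security release." Also in the "Commits" list, every CVE entry links to a pull request under `nodejs-private/node-private`, which by its name is a private repository that most readers are unlikely to be able to open. The public commit links already on each line are the useful reference, so it may be worth dropping the private PR links or saying that they are restricted. The two undici bumps (7.24.3 and 7.24.4) and the npm 11.11.1 upgrade appear without any note on whether they are part of the security content of this release. A short remark would help people deciding how urgently to upgrade.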