Node.js January 2026 Security Release - finally published after repeated delays
On January 13, 2026 local time, the long-awaited Node.js security release was finally published. It had originally been scheduled for December 15, 2025, but was delayed repeatedly because patch development was taking longer than expected, year-end and New Year holidays intervened, and CI testing problems kept coming up.
Delay Timeline
| Date | Status |
|---|---|
| 2025/12/15 | Original target date. Delayed to 12/18 because patch development was taking longer than expected |
| 2025/12/18 | Delayed again to 1/7 after considering the year-end holiday period |
| 2026/01/07 | CI tests were still incomplete, so it was pushed to 1/8 |
| 2026/01/08 | Delayed to 1/13 to avoid the weekend in the Asia-Pacific region |
| 2026/01/13 | Release |
Affected Versions
- Node.js 25.x (Current)
- Node.js 24.x
- Node.js 22.x (LTS)
- Node.js 20.x (LTS)
Note: Node.js 18.x and earlier are end-of-life, so they are not patched. If you are still on v18, upgrading to v22 is recommended.
Vulnerability Details
HIGH: 3 issues
CVE-2025-55131: Buffer.alloc can return uninitialized memory
When using the timeout option in the vm module, timing conditions may cause Buffer.alloc or Uint8Array to include uninitialized memory.
Impact: Sensitive data such as tokens and passwords could be exposed.
CVE-2025-55130: Symbolic links can bypass file system permissions
Carefully crafted symbolic links can be used to bypass the --allow-fs-read and --allow-fs-write restrictions.
Impact: Arbitrary file reads and writes become possible.
CVE-2025-59465: HTTP/2 server crash
An invalid HTTP/2 HEADERS frame can trigger a TLSSocket error (ECONNRESET) and crash the process.
Impact: Remote denial of service is possible.
MEDIUM: 4 issues
| CVE | Summary |
|---|---|
| CVE-2025-59466 | When async_hooks.createHook() is enabled, stack overflow errors become uncaught and can crash the process |
| CVE-2025-59464 | socket.getPeerCertificate(true) leaks memory from X.509 certificate fields, leading to DoS through memory exhaustion |
| CVE-2026-21636 | Unix domain socket (UDS) connections are still possible even with the Permission Model enabled (25.x only) |
| CVE-2026-21637 | Exceptions in TLS PSK/ALPN callbacks bypass the error handler, causing DoS and file descriptor leaks |
LOW: 1 issue
| CVE | Summary |
|---|---|
| CVE-2025-55132 | fs.futimes() can change file timestamps even with read-only permissions |
Dependency Updates
- c-ares 1.34.6
- undici 6.23.0 / 7.18.0
Impact on Static Sites such as Astro and Next.js
For static site generators, Node.js is used only at build time. In production, the site is hosted by platforms such as Vercel, so server-crash vulnerabilities related to HTTP/2 or TLS do not directly affect the live site.
That said, it is still best to keep the Node.js version used in your development environment up to date.
```bash
# If you use nvm
nvm install 22
nvm use 22
nvm alias default 22

# Check the version
node -v
```