Node v20.20.0 nsolid v6.2.0 release #411
Merged
+59,000
−43,120
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
PR-URL: nodejs-private/node-private#792 Reviewed-By: Rafael Gonzaga <[email protected]> Reviewed-By: Marco Ippolito <[email protected]>
Wrap pskCallback and ALPNCallback invocations in try-catch blocks to route exceptions through owner.destroy() instead of letting them become uncaught exceptions. This prevents remote attackers from crashing TLS servers or causing resource exhaustion. Fixes: https://hackerone.com/reports/3473882 PR-URL: nodejs-private/node-private#782 PR-URL: nodejs-private/node-private#796 Reviewed-By: Matteo Collina <[email protected]> CVE-ID: CVE-2026-21637
This prevents the server from crashing due to an unhandled rejection
when a TLSSocket connection is abruptly destroyed during initialization
and the user has not attached an error handler to the socket.
e.g:
```js
const server = http2.createSecureServer({ ... })
server.on('secureConnection', socket => {
socket.on('error', err => {
console.log(err)
})
})
```
PR-URL: nodejs-private/node-private#797
Fixes: nodejs/node#44751
Refs: https://hackerone.com/bugs?subject=nodejs&report_id=3262404
Reviewed-By: Matteo Collina <[email protected]>
Reviewed-By: Anna Henningsen <[email protected]>
CVE-ID: CVE-2025-59465
Refs: https://hackerone.com/reports/3390084 PR-URL: nodejs-private/node-private#748 Reviewed-By: Matteo Collina <[email protected]> Reviewed-By: Anna Henningsen <[email protected]> CVE-ID: CVE-2025-55132 PR-URL: nodejs-private/node-private#802 Reviewed-By: Rafael Gonzaga <[email protected]> CVE-ID: CVE-2025-55132
Refs: https://hackerone.com/reports/3417819 PR-URL: nodejs-private/node-private#760 Reviewed-By: Matteo Collina <[email protected]> CVE-ID: CVE-2025-55130 Signed-off-by: RafaelGSS <[email protected]>
PR-URL: nodejs/node#60997 Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Marco Ippolito <[email protected]> Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Juan José Arboleda <[email protected]> Reviewed-By: Rafael Gonzaga <[email protected]> Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: Ethan Arrowood <[email protected]>
When a stack overflow exception occurs during async_hooks callbacks (which use TryCatchScope::kFatal), detect the specific "Maximum call stack size exceeded" RangeError and re-throw it instead of immediately calling FatalException. This allows user code to catch the exception with try-catch blocks instead of requiring uncaughtException handlers. The implementation adds IsStackOverflowError() helper to detect stack overflow RangeErrors and re-throws them in TryCatchScope destructor instead of calling FatalException. This fixes the issue where async_hooks would cause stack overflow exceptions to exit with code 7 (kExceptionInFatalExceptionHandler) instead of being catchable. Fixes: nodejs/node#37989 Ref: https://hackerone.com/reports/3456295 PR-URL: nodejs-private/node-private#773 Refs: https://hackerone.com/reports/3456295 Reviewed-By: Robert Nagy <[email protected]> Reviewed-By: Paolo Insogna <[email protected]> Reviewed-By: Marco Ippolito <[email protected]> Reviewed-By: Rafael Gonzaga <[email protected]> Reviewed-By: Anna Henningsen <[email protected]> CVE-ID: CVE-2025-59466
This removes the zero-fill toggle mechanism that allowed JavaScript to control ArrayBuffer initialization via shared memory. Instead, unsafe buffer creation now uses a dedicated C++ API. Refs: https://hackerone.com/reports/3405778 Co-Authored-By: Rafael Gonzaga <[email protected]> Co-Authored-By: Joyee Cheung <[email protected]> Signed-off-by: RafaelGSS <[email protected]> PR-URL: nodejs-private/node-private#759 Backport-PR-URL: nodejs-private/node-private#799 CVE-ID: CVE-2025-55131
This is a security release. Notable changes: lib: * (CVE-2025-55132) disable futimes when permission model is enabled (RafaelGSS) nodejs-private/node-private#802 * (CVE-2025-59465) add TLSSocket default error handler (RafaelGSS) nodejs-private/node-private#797 lib,permission: * (CVE-2025-55130) require full read and write to symlink APIs (RafaelGSS) nodejs-private/node-private#760 src: * (CVE-2025-59466) rethrow stack overflow exceptions in async_hooks (Matteo Collina) nodejs-private/node-private#773 src,lib: * (CVE-2025-55131) refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) nodejs-private/node-private#799 tls: * (CVE-2026-21637) route callback exceptions through error handlers (Matteo Collina) nodejs-private/node-private#796 PR-URL: nodejs-private/node-private#804
PR-URL: #388 Reviewed-By: Rafael Gonzaga <[email protected]>
PR-URL: #389 Reviewed-By: Rafael Gonzaga <[email protected]>
PR-URL: #390 Reviewed-By: Rafael Gonzaga <[email protected]>
PR-URL: #398 Reviewed-By: Rafael Gonzaga <[email protected]>
|
Important Review skippedAuto reviews are disabled on base/target branches other than the default branch. Please check the settings in the CodeRabbit UI or the You can disable this status message by setting the Comment |
santigimeno
force-pushed
the
node-v20.20.0-nsolid-v6.2.0-release
branch
2 times, most recently
from
3b2afaf to
e843e19
Compare
Only grpc insecure connections were being used in the tests. Also, these new tests allow to cover for the untested `NSOLID_GRPC_CERTS` env variable. PR-URL: #406 Reviewed-By: Rafael Gonzaga <[email protected]>
santigimeno
force-pushed
the
node-v20.20.0-nsolid-v6.2.0-release
branch
2 times, most recently
from
07a3bee to
7b07615
Compare
By setting the `NSOLID_GRPC_KEYLOG` to a truthy value, a new keylog file will be generated that should allow us to decrypt the TLS v1.3 connections gRPC Agent uses. Very useful to debug issues on production. The file will be generated in the current working directory with the following format: `nsolid-tls-keylog-<process_pid>.log`. PR-URL: #406 Reviewed-By: Rafael Gonzaga <[email protected]>
Don't set `OtlpGrpcClientOptions.use_ssl_credentials` when also setting `OtlpGrpcClientOptions.credentials`.
Specifically in `EnvInst::CustomCommandReqWeakCallback()` when trying to access `EnvInst` associated with the `Isolate`. Observed when load-testing the `test/addons/nsolid-custom-command` test.
2026-01-13 Node.js v20.20.0 'Iron' (LTS) Release Git-EVTag-v0-SHA512: cdb446d8763ad7b8cb7936ffc4a4c392dc3aa4fc1c0f08b49d2ddd3aa4ed0f670666998daebb164282e9856047b2b94c102233056d8d6827dbc8a4af2b72ed21
santigimeno
force-pushed
the
node-v20.20.0-nsolid-v6.2.0-release
branch
from
7b07615 to
8200bc0
Compare
santigimeno
force-pushed
the
node-v20.20.0-nsolid-v6.2.0-release
branch
from
8200bc0 to
a8a890f
Compare
santigimeno
force-pushed
the
node-v20.20.0-nsolid-v6.2.0-release
branch
from
a8a890f to
2981454
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
6 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.