January 2026 Node.js Security Release: Patch Now

The January 2026 Node.js security release is live, and it hits every supported branch. If you’re on 20.x, 22.x, 24.x, or 25.x, you need to move. This Node.js security release ships fixes for eight CVEs (three high, four medium, one low) and updates dependencies like c‑ares and undici across all active lines. Build artifacts are out as 20.20.0, 22.22.0, 24.13.0, and 25.3.0. (nodejs.org)

Here’s the thing: this isn’t a “patch when convenient” release. If your stack uses React Server Components, Next.js request context, or APM tooling like Datadog/New Relic/OpenTelemetry—anything that turns on async_hooks—one of the patched issues can crash your process in ways try/catch and uncaughtException won’t save. The Node team published a deep mitigation note because the failure mode is subtle but very real in production. (nodejs.org)

What changed in the January 13 security drop?

On January 13, 2026, the Node.js project published coordinated security releases for all active lines, addressing three high, four medium, and one low severity issues. Packages undici and c‑ares were upgraded across the board. Releases are: 20.20.0 (Iron LTS), 22.22.0 (Jod LTS), 24.13.0 (Krypton LTS), and 25.3.0 (Current). (nodejs.org)

• High: Buffer/TypedArray zero‑fill race when using vm timeouts (CVE‑2025‑55131) can leak in‑process secrets or corrupt data. (nodejs.org)
• High: Permission model symlink handling could bypass allow‑read/allow‑write (CVE‑2025‑55130). (nodejs.org)
• High: HTTP/2 malformed HEADERS frames can crash servers via unhandled TLSSocket errors (CVE‑2025‑59465). (nodejs.org)
• Medium: Stack overflow with async_hooks becomes uncatchable, terminating the process (CVE‑2025‑59466)—the mitigation is in these releases, and the Node team explains the nuance. (nodejs.org)
• Medium: TLS callback exception paths could bypass error handlers causing DoS/FD leaks (CVE‑2026‑21637). (nodejs.org)
• Medium: Permission model holes around Unix domain sockets on v25 (CVE‑2026‑21636). (nodejs.org)
• Low: futimes() ignored read‑only expectations under the permission model (CVE‑2025‑55132). (nodejs.org)

If you want the release‑line specifics, the project published versioned notes for 24.13.0 and 25.3.0 (LTS and Current), along with 22.22.0 and 20.20.0—each lists the exact changes and dependency bumps. (nodejs.org)

Does this affect React/Next.js and APM users more?

Yes, disproportionately. React Server Components and Next.js use AsyncLocalStorage, which sits on async_hooks. APM tools (Datadog, New Relic, Dynatrace, Elastic, OpenTelemetry) also enable async_hooks to track request context. Under deep recursion or attacker‑controlled inputs that blow the stack, Node would sometimes exit immediately with code 7—without a recoverable RangeError. The mitigation shipped here makes that behavior more consistent, but the root problem is architectural: you can’t depend on unspecified stack‑overflow recovery for availability. Bound recursion and validate inputs instead. (nodejs.org)

If you maintain a Next.js app, patch Node and keep your framework up to date. If you’re mid‑migration, our practical guide to React 19 changes is a useful companion when you revisit your server rendering and request context code paths. React 19 migration checklist.

Quick 90‑minute upgrade plan

Let’s get practical. Ship this today, even if you’re staring down a release freeze.

0–15 minutes: Identify and stage

• Inventory your Node lanes (API, workers, SSR, edge adapters). Note current versions by environment and by container image tag.
• Decide your target: on LTS? Jump to 24.13.0 or 22.22.0; on Current? 25.3.0; still on 20? It’s supported, but plan to move—Node 20 reaches EOL on April 30, 2026, and GitHub Actions switches the default runtime to Node 24 on March 4, 2026. (github.blog)
• Fetch the right binaries or base images; don’t forget alpine/debian variants for Docker. Notes and SHASUMs are on the official release pages. (nodejs.org)

15–45 minutes: Upgrade and test

• Local/CI: bump the runtime (nvm, asdf, volta, or container base). Reinstall dependencies to rebuild native modules.
• Run your security and protocol suites: HTTP/2 tests, TLS termination paths, file‑system permission tests if you use the permission model. Validate that error handlers on sockets are attached and exercised.
• Run your performance canaries with APM enabled, not disabled—async_hooks behavior matters.
• If you expose external links or payments in mobile apps, align server deploys with your app store deadlines; our Google Play and App Store field guides help teams coordinate cross‑platform releases under policy pressure. Play external links checklist and App Store age ratings tips.

45–90 minutes: Roll out safely

• Blue/green or canary to 5–10% of traffic. Watch error rates and memory curves for HTTP/2 and TLS handshakes.
• Scale to 50%, then 100% if stable for 15–30 minutes. Keep a rollback pinned to your previous Node image.
• Close the loop: annotate your APM timeline with “Node upgrade” so future incidents correlate cleanly.

How the high‑severity bugs show up in real life

CVE‑2025‑55131: Buffer.alloc and Uint8Array not fully zero‑filled

Under certain timeout and vm module conditions, allocations that should be zero‑initialized may surface stale memory contents. In practice, the riskiest scenarios are worker‑heavy apps that run untrusted or timing‑sensitive code (e.g., templating, plugins, or data transforms) and expect crisp memory isolation. Treat this as a confidentiality risk: tokens, session fragments, or prior request data could appear in fresh buffers. Patch the runtime; there’s no reliable application‑level band‑aid. (nodejs.org)

CVE‑2025‑59465: HTTP/2 HEADERS crash path

A malformed HEADERS frame can trigger an unhandled TLSSocket error and crash the process, a classic remote DoS when your server accepts HTTP/2. The fix wires a default error handler in the right place. Meanwhile, verify you attach socket‑level error handlers in your code and scrutinize HTTP/2 exposure behind your load balancer. (nodejs.org)

// good hygiene: always attach error handlers
server.on('secureConnection', (socket) => {
  socket.on('error', (err) => {
    // log, metrics, circuit break
  });
});

CVE‑2025‑55130/55132 and CVE‑2026‑21636: Permission model realities

Node’s permission model is improving but still evolving. Two fixes tighten file‑system boundaries (symlink APIs now require full read/write) and rein in futimes() behavior under read‑only expectations. Another closes a gap allowing Unix domain socket connections to sidestep allow‑net. If you’re betting on the permission model for sandboxing, keep it on current LTS and test with realistic path/symlink matrices. (nodejs.org)

“People also ask”

Is it safe to delay installing this Node.js security release?

If your app uses React Server Components, Next.js, or APM that enables async_hooks, no. The stack‑overflow crash mitigation alone justifies a quick rollout—you can’t count on catching RangeError in those paths, and the Node team explicitly calls out the ecosystem risk. (nodejs.org)

Which version should I choose—22 LTS, 24 LTS, or 25 Current?

For most production backends, 24 LTS (24.13.0) is the clean target today. If you’re standardized on 22 LTS, 22.22.0 is fine. If you’re on 20, schedule a migration because 20 hits EOL on April 30, 2026; GitHub Actions will default to Node 24 on March 4, 2026, which can surprise CI/CD if you hard‑pin engines. (nodejs.org)

Do I need to redeploy if I’m on serverless or managed PaaS?

Yes—verify the platform’s runtime layer. Many PaaS images lag a few days. If you specify a major line only (e.g., 24.x), roll forward to the patched minor explicitly or bump your base image.

Hardening checklist for Node teams

Use this to turn a reactive upgrade into durable risk reduction.

• Runtime currency: lock to 24.13.0 (or your chosen LTS) explicitly in Dockerfiles and buildpack configs; don’t depend on “latest”. (nodejs.org)
• HTTP/2 posture: if you don’t need it, turn it off at the edge. If you do, ensure socket error handlers are present and monitored. (nodejs.org)
• Permission model drills: write tests that create chained symlinks, relative paths, and UDS endpoints; assert failures from disallowed reads/writes/connects on CI. (nodejs.org)
• Stack‑depth guards: validate and cap recursion depth on any user‑controlled structures (e.g., JSON). Avoid recursive algorithms on untrusted data when you can. (nodejs.org)
• APM parity tests: run load with APM enabled. If your only green tests are “APM‑off,” you’re testing the wrong system. (nodejs.org)
• Incident hygiene: add alerts on process exits with code 7 and on sudden HTTP/2 session resets; annotate deploys so responders can connect dots faster.

Rollout notes by environment

Containers and orchestration

Use digest‑pinned base images so you know exactly which Node you’ve built. Roll through canary Deployments/ReplicaSets and keep a rollback image available. For mixed fleets (Debian + Alpine), patch both variants; undici and c‑ares updates are present across release lines, so expect slightly different binary sizes and checksums. (nodejs.org)

CI/CD and GitHub Actions

If your workflows rely on the default runtime, note the timeline: GitHub will move actions to Node 24 by default on March 4, 2026. Set a forced runtime now (FORCE_JAVASCRIPT_ACTIONS_TO_NODE24=true) to preview the change, or opt‑out temporarily if you must—but plan to migrate, because Node 20’s EOL is April 30, 2026. (github.blog)

OS patch cadence matters too

Runtime patches and OS patches travel together in real incidents. If your Windows or Linux images are a patch cycle behind, you’re carrying unnecessary risk. We publish monthly triage that helps teams decide what to fix first; use it to pair your Node rollout with OS updates this week. January Patch Tuesday: what to fix first.

A minimal test harness you can copy

Before going to 100% traffic, run these quick checks in staging:

• HTTP/2 fuzz: send malformed header frames (or a harness that simulates them) and verify the server degrades gracefully, logs correctly, and stays up. (nodejs.org)
• Stack‑overflow probe: feed deeply nested JSON to a test endpoint with AsyncLocalStorage active (APM on), confirm you now get a recoverable error/controlled failure rather than an instant exit. (nodejs.org)
• Permission model tripwires: stand up a script that tries chained symlink escapes and UDS connects; ensure your policy blocks them on the patched runtime. (nodejs.org)

What to do next

• Upgrade Node everywhere you run it: 24.13.0 or 22.22.0 for LTS shops; 25.3.0 if you track Current; 20.20.0 if you’re still on 20—then plan your migration off 20 before April 30. (nodejs.org)
• Attach socket error handlers and verify them in tests; measure HTTP/2 behavior under stress. (nodejs.org)
• Audit recursion and parsing code; add depth limits on user‑controlled structures. (nodejs.org)
• Exercise the permission model in CI with symlinks and UDS attempts; treat it as defense‑in‑depth, not your only sandbox. (nodejs.org)
• Align your CI/CD with the GitHub Actions runtime shift to Node 24 in March so you’re not surprised mid‑sprint. (github.blog)
• If you need a second set of eyes on the rollout or want us to harden your test harness, talk to our team. We ship this stuff weekly.

If you’re juggling mobile deadlines at the same time (Play external links or age‑rating changes), we’ve written condensed, decision‑ready guides so server and app teams can ship in lockstep. Start here: Play external links: ship the 2026 playbook.

Zooming out, this release is another reminder that availability isn’t just about catching exceptions. It’s about understanding where your runtime’s guarantees end—and designing your system so untrusted inputs can’t push it off a cliff. Patch fast, test the failure paths that really matter, and write down what you learned so the next upgrade is muscle memory, not a fire drill.

If you want a punchier, step‑by‑step patch list to hand to your on‑call right now, bookmark our short take: Node.js security release: what to patch today. Then, if you’re planning a larger security sprint, see how we partner with teams to harden CI/CD, reduce time‑to‑patch, and ship with confidence: what we do.