Previously this PR it was expected that InternalWorker
usage doesn't require the --allow-worker when the permission
model is enabled. This, however, exposes a vulnerability
whenever the instance gets accessed by the user. For example
through diagnostics_channel.subscribe('worker_threads')
PR-URL: https://github.com/nodejs-private/node-private/pull/629
Refs: https://hackerone.com/reports/2575105
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Robert Nagy <ronagy@icloud.com>
CVE-ID: CVE-2025-23083
Without this patch, on Windows, normalizing a relative path might result
in a path that Windows considers absolute. In rare cases, this might
lead to path traversal vulnerabilities in user code.
We attempt to detect those cases and return a relative path instead.
Co-Authored-By: Tobias Nießen <tobias.niessen@tuwien.ac.at>
PR-URL: https://github.com/nodejs-private/node-private/pull/555
Backport-PR-URL: https://github.com/nodejs-private/node-private/pull/665
CVE-ID: CVE-2025-23084
This commit fixes a memory leak when the socket is
suddenly closed by the peer (without GOAWAY notification)
and when invalid header (by nghttp2) is identified and the
connection is terminated by peer.
Refs: https://hackerone.com/reports/2841362
PR-URL: https://github.com/nodejs-private/node-private/pull/650
Reviewed-By: James M Snell <jasnell@gmail.com>
CVE-ID: CVE-2025-23085
the section comparing `queueMicrotask()` and `process.nextTick()`
doesn't address the different scheduling behavior that the two
functions have in cjs and esm modules, the section's introductory mjs
example also provides an incorrect output, the changes here address
such by explaining the difference between the two module types and
updating the example accordingly
PR-URL: https://github.com/nodejs/node/pull/56659
Fixes: https://github.com/nodejs/node/issues/45048
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
This is a security release.
Notable changes:
* CVE-2025-23084 - fix path traversal in normalize() on Windows (Medium)
* CVE-2025-23085 - fix HTTP2 mem leak on premature close and ERR_PROTO
* CVE-2025-22150 - Use of Insufficiently Random Values in undici fetch() (Medium)
(Medium)
PR-URL: https://github.com/nodejs-private/node-private/pull/659
This is a security release.
Notable changes:
* CVE-2025-23083 - throw on InternalWorker use when permission model is enabled (High)
* CVE-2025-23085 - src: fix HTTP2 mem leak on premature close and ERR_PROTO (Medium)
* CVE-2025-23084 - path: fix path traversal in normalize() on Windows (Medium)
* CVE-2025-22150 - Use of Insufficiently Random Values in undici fetch() (Medium)
PR-URL: https://github.com/nodejs-private/node-private/pull/664
This is a security release.
Notable changes:
* CVE-2025-23083: throw on InternalWorker use when permission model is enabled (High)
* CVE-2025-23084: fix path traversal in normalize() on Windows (Medium)
* CVE-2025-23085: fix HTTP2 mem leak on premature close and ERR_PROTO (Medium)
* CVE-2025-22150 - Use of Insufficiently Random Values in undici fetch() (Medium)
PR-URL: https://github.com/nodejs-private/node-private/pull/655
Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com>
This is a security release.
Notable changes:
* CVE-2025-23083: throw on InternalWorker use when permission model is enabled (High)
* CVE-2025-23084: fix path traversal in normalize() on Windows (Medium)
* CVE-2025-23085: fix HTTP2 mem leak on premature close and ERR_PROTO (Medium)
* CVE-2025-22150 - Use of Insufficiently Random Values in undici fetch() (Medium)
PR-URL: https://github.com/nodejs-private/node-private/pull/654
PR-URL: https://github.com/nodejs/node/pull/56619
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Jake Yuesong Li <jake.yuesong@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/56613
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
DEP0040 is an extremely annoying warning. Most of the people
seeing it cannot do anything about it. This commit updates the
warning logic to only emit outside of node_modules. This is
similar to other warnings such as the Buffer() constructor
warning.
Ideally, this should be backported to Node 22.
Refs: https://github.com/nodejs/node/pull/47202
PR-URL: https://github.com/nodejs/node/pull/56632
Reviewed-By: Jordan Harband <ljharb@gmail.com>
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/56616
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Juan José Arboleda <soyjuanarbol@gmail.com>
Reviewed-By: Santiago Gimeno <santiago.gimeno@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com>
Reviewed-By: Richard Lau <rlau@redhat.com>
Add return value check for call to SSL_CTX_add_client_CA
to be consistent with other places it is called
Fixed unused warning in one of the static analysis tools we use
at Red Hat even though it is not being reported by coverity in
the configuration we run.
Signed-off-by: Michael Dawson <midawson@redhat.com>
PR-URL: https://github.com/nodejs/node/pull/56615
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
This simplifies the memory management of ContextifyContext,
making all references visible to V8.
The destructors don't need to do anything because when the wrapper is
going away, the context is already going away or otherwise it would've
been holding the wrapper alive, so there's no need to reset the
pointers in the context. Also, any global handles to the context
would've been empty at this point, and the per-Environment context
tracking code is capable of dealing with empty handles from contexts
purged elsewhere.
To this end, the context tracking code also purges empty handles
from the list now, to prevent keeping too many empty handles around.
PR-URL: https://github.com/nodejs/node/pull/56522
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Chengzhong Wu <legendecas@gmail.com>
Signed-off-by: Michael Dawson <midawson@redhat.com>
PR-URL: https://github.com/nodejs/node/pull/56589
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
This commit fixes a crash whenever someone tries to allow access to the
same path twice.
PR-URL: https://github.com/nodejs/node/pull/56591
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
This commit adds a waitFor() method to the TestContext class in
the test runner. As the name implies, this method allows tests to
more easily wait for things to happen.
PR-URL: https://github.com/nodejs/node/pull/56595
Reviewed-By: Pietro Marchini <pietro.marchini94@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Chemi Atlow <chemi@atlow.co.il>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
See #56570
PR-URL: https://github.com/nodejs/node/pull/56574
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Matthew Aitken <maitken033380023@gmail.com>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Part of the tools/snapshot/README.md is out of date since we
have made more progress on the snapshot integration, so
update it accordingly with some details about the various
snapshots in the snapshot blob.
Also update the section in src/README.md about external
reference registration for clarification.
PR-URL: https://github.com/nodejs/node/pull/56505
Reviewed-By: Chengzhong Wu <legendecas@gmail.com>
Align the property names `lineNumber` and `columnNumber`.
PR-URL: https://github.com/nodejs/node/pull/56584
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
PR-URL: https://github.com/nodejs/node/pull/56501
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Jason Zhang <xzha4350@gmail.com>
Reviewed-By: Qingyu Deng <i@ayase-lab.com>
PR-URL: https://github.com/nodejs/node/pull/56568
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: Jacob Smith <jacob@frende.me>
Reviewed-By: Pietro Marchini <pietro.marchini94@gmail.com>
Reviewed-By: Paolo Insogna <paolo@cowtech.it>
PR-URL: https://github.com/nodejs/node/pull/56568
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: Jacob Smith <jacob@frende.me>
Reviewed-By: Pietro Marchini <pietro.marchini94@gmail.com>
Reviewed-By: Paolo Insogna <paolo@cowtech.it>
PR-URL: https://github.com/nodejs/node/pull/56568
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: Jacob Smith <jacob@frende.me>
Reviewed-By: Pietro Marchini <pietro.marchini94@gmail.com>
Reviewed-By: Paolo Insogna <paolo@cowtech.it>
PR-URL: https://github.com/nodejs/node/pull/56568
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: Jacob Smith <jacob@frende.me>
Reviewed-By: Pietro Marchini <pietro.marchini94@gmail.com>
Reviewed-By: Paolo Insogna <paolo@cowtech.it>
PR-URL: https://github.com/nodejs/node/pull/56469
Reviewed-By: Jacob Smith <jacob@frende.me>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Bryan English <bryan@bryanenglish.com>
PR-URL: https://github.com/nodejs/node/pull/56569
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/56567
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com>
RafaelGSS
Dario Piotrowicz
Shreyans Pathak
islandryu
Meghan Denny
James M Snell
Michaël Zasso
Maksim Gorkov
Colin Ihrig
Node.js GitHub Bot
Michael Dawson
Antoine du Hamel
Joyee Cheung
Marco Ippolito
Pietro Marchini
Jordan Harband
Chengzhong Wu
pacexy
Carlos Espa
Jacob Smith