Download Latest Version
2026-04-01, Version 25.9.0 (Current), @aduh95 source code.tar.gz (131.2 MB)
Get an email when there's a new version of Node.js
| Name | Modified | Size | Downloads / Week |
|---|---|---|---|
| Parent folder | |||
| 2026-03-24, Version 24.14.1 _Krypton_ (LTS), @RafaelGSS prepared by @juanarbol source code.tar.gz | 2026-03-24 | 126.4 MB | |
| 2026-03-24, Version 24.14.1 _Krypton_ (LTS), @RafaelGSS prepared by @juanarbol source code.zip | 2026-03-24 | 152.6 MB | |
| README.md | 2026-03-24 | 5.2 kB | |
| Totals: 3 Items | 279.0 MB | 3 | |
This is a security release.
Notable Changes
- (CVE-2026-21710) use null prototype for headersDistinct/trailersDistinct (Matteo Collina) - High
- (CVE-2026-21637) wrap SNICallback invocation in try/catch (Matteo Collina) - High
- (CVE-2026-21717) test array index hash collision (Joyee Cheung) - Medium
- (CVE-2026-21713) use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan) - Medium
- (CVE-2026-21714) handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) - Medium
- (CVE-2026-21712) handle url crash on different url formats (RafaelGSS) - Medium
- (CVE-2026-21716) include permission check on lib/fs/promises (RafaelGSS) - Low
- (CVE-2026-21715) add permission check to realpath.native (RafaelGSS) - Low
Commits
- [
6fae244080] - (CVE-2026-21717) build,test: test array index hash collision (Joyee Cheung) [nodejs-private/node-private#828](https://github.com/nodejs-private/node-private/issues/828) - [
cc0910c62e] - (CVE-2026-21713) crypto: use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan) [nodejs-private/node-private#822](https://github.com/nodejs-private/node-private/issues/822) - [
80cb042cf3] - deps: update undici to 7.24.4 (Node.js GitHub Bot) #62271 - [
f5b8667dc2] - deps: update undici to 7.24.3 (Node.js GitHub Bot) #62233 - [
08852637d9] - deps: update undici to 7.22.0 (Node.js GitHub Bot) #62035 - [
61097db9fb] - deps: upgrade npm to 11.11.0 (npm team) #61994 - [
9ac0f9f81e] - deps: upgrade npm to 11.10.1 (npm team) #61892 - [
3dab3c4698] - deps: V8: overridedepot_toolsversion (Richard Lau) #62344 - [
87521e99d1] - deps: V8: backport 1361b2a49d02 (Joyee Cheung) [nodejs-private/node-private#828](https://github.com/nodejs-private/node-private/issues/828) - [
045013366f] - deps: V8: backport 185f0fe09b72 (Joyee Cheung) [nodejs-private/node-private#828](https://github.com/nodejs-private/node-private/issues/828) - [
af22629ea8] - deps: V8: backport 0a8b1cdcc8b2 (snek) [nodejs-private/node-private#828](https://github.com/nodejs-private/node-private/issues/828) - [
380ea72eef] - (CVE-2026-21710) http: use null prototype for headersDistinct/trailersDistinct (Matteo Collina) [nodejs-private/node-private#821](https://github.com/nodejs-private/node-private/issues/821) - [
d6b6051e08] - (CVE-2026-21716) permission: include permission check on lib/fs/promises (RafaelGSS) [nodejs-private/node-private#795](https://github.com/nodejs-private/node-private/issues/795) - [
bfdecef9da] - (CVE-2026-21715) permission: add permission check to realpath.native (RafaelGSS) [nodejs-private/node-private#794](https://github.com/nodejs-private/node-private/issues/794) - [
c015edf313] - (CVE-2026-21714) src: handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) [nodejs-private/node-private#832](https://github.com/nodejs-private/node-private/issues/832) - [
cba66c48a5] - (CVE-2026-21712) src: handle url crash on different url formats (RafaelGSS) [nodejs-private/node-private#816](https://github.com/nodejs-private/node-private/issues/816) - [
df8fbfb93d] - (CVE-2026-21637) tls: wrap SNICallback invocation in try/catch (Matteo Collina) [nodejs-private/node-private#819](https://github.com/nodejs-private/node-private/issues/819)
