| Name | Modified | Size | Downloads / Week |
|---|---|---|---|
| 2026-03-24, Version 25.8.2 (Current), @RafaelGSS source code.tar.gz | 2026-03-24 | 131.1 MB | |
| 2026-03-24, Version 25.8.2 (Current), @RafaelGSS source code.zip | 2026-03-24 | 158.6 MB | |
| README.md | 2026-03-24 | 4.4 kB | |
| Totals: 3 Items | | 289.6 MB | 16 |

This is a security release.

Notable Changes

- (CVE-2026-21637) wrap `SNICallback` invocation in `try/catch` (Matteo Collina) - High
- (CVE-2026-21710) use null prototype for `headersDistinct`/`trailersDistinct` (Matteo Collina) - High
- (CVE-2026-21711) include permission check to `pipe_wrap.cc` (RafaelGSS) - Medium
- (CVE-2026-21712) handle url crash on different url formats (RafaelGSS) - Medium
- (CVE-2026-21713) use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan) - Medium
- (CVE-2026-21714) handle `NGHTTP2_ERR_FLOW_CONTROL` error code (RafaelGSS) - Medium
- (CVE-2026-21717) test array index hash collision (Joyee Cheung) - Medium
- (CVE-2026-21715) add permission check to `realpath.native` (RafaelGSS) - Low
- (CVE-2026-21716) include permission check on `lib/fs/promises` (RafaelGSS) - Low

Commits

- [2086b7477b] - (CVE-2026-21717) build,test: test array index hash collision (Joyee Cheung) [nodejs-private/node-private#834](https://github.com/nodejs-private/node-private/issues/834)
- [0f9332a40a] - (CVE-2026-21713) crypto: use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan) [nodejs-private/node-private#822](https://github.com/nodejs-private/node-private/issues/822)
- [2b6937ddb2] - deps: update undici to 7.24.4 (Node.js GitHub Bot) #62271
- [bfb8ad5787] - deps: update undici to 7.24.3 (Node.js GitHub Bot) #62233
- [be6384727f] - deps: upgrade npm to 11.11.1 (npm team) #62216
- [2feea5bb97] - deps: V8: override `depot_tools` version (Richard Lau) #62344
- [86c04784dd] - (CVE-2026-21710) http: use null prototype for headersDistinct/trailersDistinct (Matteo Collina) [nodejs-private/node-private#821](https://github.com/nodejs-private/node-private/issues/821)
- [5197a56a34] - (CVE-2026-21711) permission: include permission check to pipe_wrap.cc (RafaelGSS) [nodejs-private/node-private#820](https://github.com/nodejs-private/node-private/issues/820)
- [04a886c735] - (CVE-2026-21716) permission: include permission check on lib/fs/promises (RafaelGSS) [nodejs-private/node-private#795](https://github.com/nodejs-private/node-private/issues/795)
- [9a7f80f2b0] - (CVE-2026-21715) permission: add permission check to realpath.native (RafaelGSS) [nodejs-private/node-private#794](https://github.com/nodejs-private/node-private/issues/794)
- [d9c9b628cf] - (CVE-2026-21714) src: handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) [nodejs-private/node-private#832](https://github.com/nodejs-private/node-private/issues/832)
- [45b55dc786] - (CVE-2026-21712) src: handle url crash on different url formats (RafaelGSS) [nodejs-private/node-private#816](https://github.com/nodejs-private/node-private/issues/816)
- [4bfda307c0] - (CVE-2026-21637) tls: wrap SNICallback invocation in try/catch (Matteo Collina) [nodejs-private/node-private#819](https://github.com/nodejs-private/node-private/issues/819)