Security patch:
nodejs/node v20.20.2: 2026-03-24, Version 20.20.2 'Iron' (LTS), @marco-ippolito
GitHub·Backend·SecurityFix·3/24/2026
This is a security release.

### Notable Changes

* (CVE-2026-21717) fix array index hash collision (Joyee Cheung)
* (CVE-2026-21713) use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan)
* (CVE-2026-21710) use null prototype for headersDistinct/trailersDistinct (Matt
Why it matters → A security vulnerability was patched. Upgrade affected versions to mitigate risk.
Who should care → Anyone running affected versions in production.
node, node.js
Source payload preview
{
"id": 300877386,
"url": "https://api.github.com/repos/nodejs/node/releases/300877386",
"body": "\r\n\r\nThis is a security release.\r\n\r\n### Notable Changes\r\n\r\n* (CVE-2026-21717) fix array index hash collision (Joyee Cheung)\r\n* (CVE-2026-21713) use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan)\r\n* (CVE-2026-21710) use null prototype for headersDistinct/trailersDistinct (Matteo Collina)\r\n* (CVE-2026-21716) include permission check on lib/fs/promises (RafaelGSS)pull/795>\r\n* (CVE-2026-21715) add permission check to realpath.native (RafaelGSS)\r\n* (CVE-2026-21714) handle NGHTTP2\\_ERR\\_FLOW\\_CONTROL error code (RafaelGSS)\r\n* (CVE-2026-21637) wrap SNICallback invocation in try/catch (Matteo Collina)\r\n\r\n### Commits\r\n\r\n* \\[[`cfb51fa9ce`
…