← Back to feed
Security patch:
nodejs/node v24.14.1: 2026-03-24, Version 24.14.1 'Krypton' (LTS), @RafaelGSS prepared by @juanarbol
GitHub·Backend·SecurityFix·3/24/2026
This is a security release. ### Notable Changes * (CVE-2026-21710) use null prototype for headersDistinct/trailersDistinct (Matteo Collina) - High * (CVE-2026-21637) wrap SNICallback invocation in try/catch (Matteo Collina) - High * (CVE-2026-21717) test array index hash collision (Joyee Cheung
Why it matters → A security vulnerability was patched. Upgrade affected versions to mitigate risk.
Who should care → Anyone running affected versions in production.
nodenode.js
View original source ↗Source payload preview
{
"id": 300880328,
"url": "https://api.github.com/repos/nodejs/node/releases/300880328",
"body": "\n\n\nThis is a security release.\n\n### Notable Changes\n\n* (CVE-2026-21710) use null prototype for headersDistinct/trailersDistinct (Matteo Collina) - High\n* (CVE-2026-21637) wrap SNICallback invocation in try/catch (Matteo Collina) - High\n* (CVE-2026-21717) test array index hash collision (Joyee Cheung) - Medium\n* (CVE-2026-21713) use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan) - Medium\n* (CVE-2026-21714) handle NGHTTP2\\_ERR\\_FLOW\\_CONTROL error code (RafaelGSS) - Medium\n* (CVE-2026-21712) handle url crash on different url formats (RafaelGSS) - Medium\n* (CVE-2026-21716) include permission check on lib/fs/promises (RafaelGSS) - Low\n* (CVE-2026-217
…