Skip to content

Commit eb77496

Browse files
committed
2026-06-18, Version 22.23.0 'Jod' (LTS)
This is a security release. Notable changes: * (CVE-2026-48618) tls: normalize hostname for server identity checks (Matteo Collina) – High * (CVE-2026-48933) crypto: guard WebCrypto cipher output length (Filip Skokan) – High * (CVE-2026-48937) deps: fix integration issues with the latest nghttp2 – Medium * (CVE-2026-48930) dns,net: reject hostnames with embedded NUL bytes (Matteo Collina) – Medium * (CVE-2026-48619) http2: cap originSet size to prevent unbounded memory growth (Matteo Collina) – Medium * (CVE-2026-48615) lib,test: redact proxy credentials in tunnel errors (Matteo Collina) – Medium * (CVE-2026-48934) tls: bind reusable sessions to authenticated host (Matteo Collina) – Medium * (CVE-2026-48928) tls: fix case-sensitive SNI context matching (Matteo Collina) – Medium * (CVE-2026-48617) permission: handle process.chdir on writereport (RafaelGSS) – Low * (CVE-2026-48931) http: fix response queue poisoning in http.Agent (Matteo Collina) – Low * (CVE-2026-48935) permission: disable FileHandle utimes with permission model (RafaelGSS) – Low PR-URL: nodejs-private/node-private#898
1 parent 38b4c5e commit eb77496

6 files changed

Lines changed: 61 additions & 9 deletions

File tree

CHANGELOG.md

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -37,7 +37,8 @@ release.
3737
</tr>
3838
<tr>
3939
<td valign="top">
40-
<b><a href="doc/changelogs/CHANGELOG_V22.md#22.22.3">22.22.3</a></b><br/>
40+
<b><a href="doc/changelogs/CHANGELOG_V22.md#22.23.0">22.23.0</a></b><br/>
41+
<a href="doc/changelogs/CHANGELOG_V22.md#22.22.3">22.22.3</a><br/>
4142
<a href="doc/changelogs/CHANGELOG_V22.md#22.22.2">22.22.2</a><br/>
4243
<a href="doc/changelogs/CHANGELOG_V22.md#22.22.1">22.22.1</a><br/>
4344
<a href="doc/changelogs/CHANGELOG_V22.md#22.22.0">22.22.0</a><br/>

doc/api/deprecations.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -3863,7 +3863,7 @@ an internal nodejs implementation rather than a public facing API, use `node:str
38633863

38643864
<!-- YAML
38653865
changes:
3866-
- version: REPLACEME
3866+
- version: v22.23.0
38673867
pr-url: https://github.com/nodejs/node/pull/58293
38683868
description: End-of-Life.
38693869
- version: v22.17.0

doc/api/errors.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1726,7 +1726,7 @@ as specified through the `maxSessionInvalidFrames` option, has been exceeded.
17261726
### `ERR_HTTP2_TOO_MANY_ORIGINS`
17271727

17281728
<!-- YAML
1729-
added: REPLACEME
1729+
added: v22.23.0
17301730
-->
17311731

17321732
The number of uniq origin sent by the server has exceeded the value defined in

doc/api/http2.md

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1071,7 +1071,7 @@ The `'origin'` event is only emitted when using a secure TLS connection.
10711071
<!-- YAML
10721072
added: v8.4.0
10731073
changes:
1074-
- version: REPLACEME
1074+
- version: v22.23.0
10751075
pr-url: https://github.com/nodejs/node/pull/58293
10761076
description: The `weight` option is now ignored, setting it will trigger a
10771077
runtime warning.
@@ -1468,7 +1468,7 @@ numeric stream identifier.
14681468
added: v8.4.0
14691469
deprecated: v22.17.0
14701470
changes:
1471-
- version: REPLACEME
1471+
- version: v22.23.0
14721472
pr-url: https://github.com/nodejs/node/pull/58293
14731473
description: This method no longer sets the priority of the stream. Using it
14741474
now triggers a runtime warning.
@@ -1574,7 +1574,7 @@ req.setTimeout(5000, () => req.close(NGHTTP2_CANCEL));
15741574
<!-- YAML
15751575
added: v8.4.0
15761576
changes:
1577-
- version: REPLACEME
1577+
- version: v22.23.0
15781578
pr-url: https://github.com/nodejs/node/pull/58293
15791579
description: The `state.weight` property is now always set to 16 and
15801580
`sumDependencyWeight` is always set to 0.

doc/changelogs/CHANGELOG_V22.md

Lines changed: 51 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -9,6 +9,7 @@
99
</tr>
1010
<tr>
1111
<td>
12+
<a href="#22.23.0">22.23.0</a><br/>
1213
<a href="#22.22.3">22.22.3</a><br/>
1314
<a href="#22.22.2">22.22.2</a><br/>
1415
<a href="#22.22.1">22.22.1</a><br/>
@@ -71,6 +72,56 @@
7172
* [io.js](CHANGELOG_IOJS.md)
7273
* [Archive](CHANGELOG_ARCHIVE.md)
7374

75+
<a id="22.23.0"></a>
76+
77+
## 2026-06-18, Version 22.23.0 'Jod' (LTS), @aduh95
78+
79+
This is a security release.
80+
81+
### Notable Changes
82+
83+
* (CVE-2026-48618) tls: normalize hostname for server identity checks (Matteo Collina) – High
84+
* (CVE-2026-48933) crypto: guard WebCrypto cipher output length (Filip Skokan) – High
85+
* (CVE-2026-48937) deps: fix integration issues with the latest nghttp2 – Medium
86+
* (CVE-2026-48930) dns,net: reject hostnames with embedded NUL bytes (Matteo Collina) – Medium
87+
* (CVE-2026-48619) http2: cap originSet size to prevent unbounded memory growth (Matteo Collina) – Medium
88+
* (CVE-2026-48615) lib,test: redact proxy credentials in tunnel errors (Matteo Collina) – Medium
89+
* (CVE-2026-48934) tls: bind reusable sessions to authenticated host (Matteo Collina) – Medium
90+
* (CVE-2026-48928) tls: fix case-sensitive SNI context matching (Matteo Collina) – Medium
91+
* (CVE-2026-48617) permission: handle process.chdir on writereport (RafaelGSS) – Low
92+
* (CVE-2026-48931) http: fix response queue poisoning in http.Agent (Matteo Collina) – Low
93+
* (CVE-2026-48935) permission: disable FileHandle utimes with permission model (RafaelGSS) – Low
94+
95+
### Commits
96+
97+
* \[[`38b4c5ed51`](https://github.com/nodejs/node/commit/38b4c5ed51)] - **(CVE-2026-48933)** **crypto**: guard WebCrypto cipher output length (Filip Skokan) [nodejs-private/node-private#878](https://github.com/nodejs-private/node-private/pull/878)
98+
* \[[`ad8a10c1bb`](https://github.com/nodejs/node/commit/ad8a10c1bb)] - **deps**: update llhttp to 9.4.2 (Antoine du Hamel) [nodejs-private/node-private#890](https://github.com/nodejs-private/node-private/pull/890)
99+
* \[[`ca825a87cc`](https://github.com/nodejs/node/commit/ca825a87cc)] - **deps**: update undici to 6.27.0 (aduh95) [#63711](https://github.com/nodejs/node/pull/63711)
100+
* \[[`a1a5bb9683`](https://github.com/nodejs/node/commit/a1a5bb9683)] - **(CVE-2026-48937)** **deps**: fix integration issues with the latest nghttp2 (Tim Perry) [#62891](https://github.com/nodejs/node/pull/62891)
101+
* \[[`0f48583512`](https://github.com/nodejs/node/commit/0f48583512)] - **(SEMVER-MAJOR)** **deps**: update nghttp2 to 1.69.0 (Node.js GitHub Bot) [#62891](https://github.com/nodejs/node/pull/62891)
102+
* \[[`38c869fc05`](https://github.com/nodejs/node/commit/38c869fc05)] - **deps**: update nghttp2 to 1.68.0 (nodejs-github-bot) [#61136](https://github.com/nodejs/node/pull/61136)
103+
* \[[`290667c84f`](https://github.com/nodejs/node/commit/290667c84f)] - **deps**: update nghttp2 to 1.67.1 (nodejs-github-bot) [#59790](https://github.com/nodejs/node/pull/59790)
104+
* \[[`c9f3da76aa`](https://github.com/nodejs/node/commit/c9f3da76aa)] - **deps**: update nghttp2 to 1.66.0 (Node.js GitHub Bot) [#58786](https://github.com/nodejs/node/pull/58786)
105+
* \[[`60890be563`](https://github.com/nodejs/node/commit/60890be563)] - **deps**: update nghttp2 to 1.65.0 (Node.js GitHub Bot) [#57269](https://github.com/nodejs/node/pull/57269)
106+
* \[[`5024c7d5d8`](https://github.com/nodejs/node/commit/5024c7d5d8)] - **deps**: update archs files for openssl-3.5.7 (Node.js GitHub Bot) [#63820](https://github.com/nodejs/node/pull/63820)
107+
* \[[`7f4eb5af2e`](https://github.com/nodejs/node/commit/7f4eb5af2e)] - **deps**: upgrade openssl sources to openssl-3.5.7 (Node.js GitHub Bot) [#63820](https://github.com/nodejs/node/pull/63820)
108+
* \[[`ebb4ec78a8`](https://github.com/nodejs/node/commit/ebb4ec78a8)] - **deps**: fix aix implicit declaration in OpenSSL (Abdirahim Musse) [#62656](https://github.com/nodejs/node/pull/62656)
109+
* \[[`5763d40826`](https://github.com/nodejs/node/commit/5763d40826)] - **deps**: update llhttp to 9.4.1 (Node.js GitHub Bot) [#63045](https://github.com/nodejs/node/pull/63045)
110+
* \[[`c551a51d0c`](https://github.com/nodejs/node/commit/c551a51d0c)] - **(CVE-2026-48930)** **dns,net**: reject hostnames with embedded NUL bytes (Matteo Collina) [nodejs-private/node-private#868](https://github.com/nodejs-private/node-private/pull/868)
111+
* \[[`0a22d40180`](https://github.com/nodejs/node/commit/0a22d40180)] - **(CVE-2026-48931)** **http**: fix response queue poisoning in http.Agent (Matteo Collina) [nodejs-private/node-private#846](https://github.com/nodejs-private/node-private/pull/846)
112+
* \[[`c79968e108`](https://github.com/nodejs/node/commit/c79968e108)] - **(CVE-2026-48619)** **http2**: cap originSet size to prevent unbounded memory growth (Matteo Collina) [nodejs-private/node-private#855](https://github.com/nodejs-private/node-private/pull/855)
113+
* \[[`0c37bff2ff`](https://github.com/nodejs/node/commit/0c37bff2ff)] - **http2**: fix DEP0194 message (KaKa) [#58669](https://github.com/nodejs/node/pull/58669)
114+
* \[[`ea5dc6b529`](https://github.com/nodejs/node/commit/ea5dc6b529)] - **(SEMVER-MAJOR)** **http2**: remove support for priority signaling (Matteo Collina) [#58293](https://github.com/nodejs/node/pull/58293)
115+
* \[[`9b6af26132`](https://github.com/nodejs/node/commit/9b6af26132)] - **(CVE-2026-48615)** **lib,test**: redact proxy credentials in tunnel errors (Matteo Collina) [nodejs-private/node-private#867](https://github.com/nodejs-private/node-private/pull/867)
116+
* \[[`28dcd38864`](https://github.com/nodejs/node/commit/28dcd38864)] - **(CVE-2026-48935)** **permission**: disable FileHandle utimes with permission model (RafaelGSS) [nodejs-private/node-private#873](https://github.com/nodejs-private/node-private/pull/873)
117+
* \[[`2f62693801`](https://github.com/nodejs/node/commit/2f62693801)] - **(CVE-2026-48617)** **permission**: handle process.chdir on writereport (RafaelGSS) [nodejs-private/node-private#870](https://github.com/nodejs-private/node-private/pull/870)
118+
* \[[`1662a3ea09`](https://github.com/nodejs/node/commit/1662a3ea09)] - **test**: add session reuse host verification regressions (Matteo Collina) [nodejs-private/node-private#854](https://github.com/nodejs-private/node-private/pull/854)
119+
* \[[`718d5d0e2c`](https://github.com/nodejs/node/commit/718d5d0e2c)] - **test**: skip `test-fs-utimes-y2K38` on armv7 (Richard Lau) [#63836](https://github.com/nodejs/node/pull/63836)
120+
* \[[`041185b61f`](https://github.com/nodejs/node/commit/041185b61f)] - **test**: skip test-cluster-dgram-reuse on AIX 7.3 (Stewart X Addison) [#62238](https://github.com/nodejs/node/pull/62238)
121+
* \[[`fd890ba01d`](https://github.com/nodejs/node/commit/fd890ba01d)] - **(CVE-2026-48934)** **tls**: bind reusable sessions to authenticated host (Matteo Collina) [nodejs-private/node-private#854](https://github.com/nodejs-private/node-private/pull/854)
122+
* \[[`39d1d09684`](https://github.com/nodejs/node/commit/39d1d09684)] - **(CVE-2026-48928)** **tls**: fix case-sensitive SNI context matching (Matteo Collina) [nodejs-private/node-private#857](https://github.com/nodejs-private/node-private/pull/857)
123+
* \[[`2197a47144`](https://github.com/nodejs/node/commit/2197a47144)] - **(CVE-2026-48618)** **tls**: normalize hostname for server identity checks (Matteo Collina) [nodejs-private/node-private#869](https://github.com/nodejs-private/node-private/pull/869)
124+
74125
<a id="22.22.3"></a>
75126

76127
## 2026-05-13, Version 22.22.3 'Jod' (LTS), @marco-ippolito

src/node_version.h

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -23,13 +23,13 @@
2323
#define SRC_NODE_VERSION_H_
2424

2525
#define NODE_MAJOR_VERSION 22
26-
#define NODE_MINOR_VERSION 22
27-
#define NODE_PATCH_VERSION 4
26+
#define NODE_MINOR_VERSION 23
27+
#define NODE_PATCH_VERSION 0
2828

2929
#define NODE_VERSION_IS_LTS 1
3030
#define NODE_VERSION_LTS_CODENAME "Jod"
3131

32-
#define NODE_VERSION_IS_RELEASE 0
32+
#define NODE_VERSION_IS_RELEASE 1
3333

3434
#ifndef NODE_STRINGIFY
3535
#define NODE_STRINGIFY(n) NODE_STRINGIFY_HELPER(n)

0 commit comments

Comments
 (0)