From 7c13efab4755e9c11585fa80bbf4f28ebc1e9667 Mon Sep 17 00:00:00 2001 From: Create or Update Pull Request Action Date: Thu, 18 Jun 2026 04:38:19 +0000 Subject: [PATCH] feat(blog): create post for v22.23.0 --- apps/site/pages/en/blog/release/v22.23.0.md | 131 ++++++++++++++++++++ 1 file changed, 131 insertions(+) create mode 100644 apps/site/pages/en/blog/release/v22.23.0.md diff --git a/apps/site/pages/en/blog/release/v22.23.0.md b/apps/site/pages/en/blog/release/v22.23.0.md new file mode 100644 index 0000000000000..bc0634740f63f --- /dev/null +++ b/apps/site/pages/en/blog/release/v22.23.0.md @@ -0,0 +1,131 @@ +--- +date: '2026-06-18T04:38:19.322Z' +category: release +title: Node.js 22.23.0 (LTS) +layout: blog-post +author: Antoine du Hamel +--- + +## 2026-06-18, Version 22.23.0 'Jod' (LTS), @aduh95 + +This is a security release. + +### Notable Changes + +- (CVE-2026-48618) tls: normalize hostname for server identity checks (Matteo Collina) – High +- (CVE-2026-48933) crypto: guard WebCrypto cipher output length (Filip Skokan) – High +- (CVE-2026-48937) deps: fix integration issues with the latest nghttp2 – Medium +- (CVE-2026-48930) dns,net: reject hostnames with embedded NUL bytes (Matteo Collina) – Medium +- (CVE-2026-48619) http2: cap originSet size to prevent unbounded memory growth (Matteo Collina) – Medium +- (CVE-2026-48615) lib,test: redact proxy credentials in tunnel errors (Matteo Collina) – Medium +- (CVE-2026-48934) tls: bind reusable sessions to authenticated host (Matteo Collina) – Medium +- (CVE-2026-48928) tls: fix case-sensitive SNI context matching (Matteo Collina) – Medium +- (CVE-2026-48617) permission: handle process.chdir on writereport (RafaelGSS) – Low +- (CVE-2026-48931) http: fix response queue poisoning in http.Agent (Matteo Collina) – Low +- (CVE-2026-48935) permission: disable FileHandle utimes with permission model (RafaelGSS) – Low + +### Commits + +- \[[`38b4c5ed51`](https://github.com/nodejs/node/commit/38b4c5ed51)] - **(CVE-2026-48933)** **crypto**: guard WebCrypto cipher output length (Filip Skokan) [nodejs-private/node-private#878](https://github.com/nodejs-private/node-private/pull/878) +- \[[`ad8a10c1bb`](https://github.com/nodejs/node/commit/ad8a10c1bb)] - **deps**: update llhttp to 9.4.2 (Antoine du Hamel) [nodejs-private/node-private#890](https://github.com/nodejs-private/node-private/pull/890) +- \[[`ca825a87cc`](https://github.com/nodejs/node/commit/ca825a87cc)] - **deps**: update undici to 6.27.0 (aduh95) [#63711](https://github.com/nodejs/node/pull/63711) +- \[[`a1a5bb9683`](https://github.com/nodejs/node/commit/a1a5bb9683)] - **(CVE-2026-48937)** **deps**: fix integration issues with the latest nghttp2 (Tim Perry) [#62891](https://github.com/nodejs/node/pull/62891) +- \[[`0f48583512`](https://github.com/nodejs/node/commit/0f48583512)] - **(SEMVER-MAJOR)** **deps**: update nghttp2 to 1.69.0 (Node.js GitHub Bot) [#62891](https://github.com/nodejs/node/pull/62891) +- \[[`38c869fc05`](https://github.com/nodejs/node/commit/38c869fc05)] - **deps**: update nghttp2 to 1.68.0 (nodejs-github-bot) [#61136](https://github.com/nodejs/node/pull/61136) +- \[[`290667c84f`](https://github.com/nodejs/node/commit/290667c84f)] - **deps**: update nghttp2 to 1.67.1 (nodejs-github-bot) [#59790](https://github.com/nodejs/node/pull/59790) +- \[[`c9f3da76aa`](https://github.com/nodejs/node/commit/c9f3da76aa)] - **deps**: update nghttp2 to 1.66.0 (Node.js GitHub Bot) [#58786](https://github.com/nodejs/node/pull/58786) +- \[[`60890be563`](https://github.com/nodejs/node/commit/60890be563)] - **deps**: update nghttp2 to 1.65.0 (Node.js GitHub Bot) [#57269](https://github.com/nodejs/node/pull/57269) +- \[[`5024c7d5d8`](https://github.com/nodejs/node/commit/5024c7d5d8)] - **deps**: update archs files for openssl-3.5.7 (Node.js GitHub Bot) [#63820](https://github.com/nodejs/node/pull/63820) +- \[[`7f4eb5af2e`](https://github.com/nodejs/node/commit/7f4eb5af2e)] - **deps**: upgrade openssl sources to openssl-3.5.7 (Node.js GitHub Bot) [#63820](https://github.com/nodejs/node/pull/63820) +- \[[`ebb4ec78a8`](https://github.com/nodejs/node/commit/ebb4ec78a8)] - **deps**: fix aix implicit declaration in OpenSSL (Abdirahim Musse) [#62656](https://github.com/nodejs/node/pull/62656) +- \[[`5763d40826`](https://github.com/nodejs/node/commit/5763d40826)] - **deps**: update llhttp to 9.4.1 (Node.js GitHub Bot) [#63045](https://github.com/nodejs/node/pull/63045) +- \[[`c551a51d0c`](https://github.com/nodejs/node/commit/c551a51d0c)] - **(CVE-2026-48930)** **dns,net**: reject hostnames with embedded NUL bytes (Matteo Collina) [nodejs-private/node-private#868](https://github.com/nodejs-private/node-private/pull/868) +- \[[`0a22d40180`](https://github.com/nodejs/node/commit/0a22d40180)] - **(CVE-2026-48931)** **http**: fix response queue poisoning in http.Agent (Matteo Collina) [nodejs-private/node-private#846](https://github.com/nodejs-private/node-private/pull/846) +- \[[`c79968e108`](https://github.com/nodejs/node/commit/c79968e108)] - **(CVE-2026-48619)** **http2**: cap originSet size to prevent unbounded memory growth (Matteo Collina) [nodejs-private/node-private#855](https://github.com/nodejs-private/node-private/pull/855) +- \[[`0c37bff2ff`](https://github.com/nodejs/node/commit/0c37bff2ff)] - **http2**: fix DEP0194 message (KaKa) [#58669](https://github.com/nodejs/node/pull/58669) +- \[[`ea5dc6b529`](https://github.com/nodejs/node/commit/ea5dc6b529)] - **(SEMVER-MAJOR)** **http2**: remove support for priority signaling (Matteo Collina) [#58293](https://github.com/nodejs/node/pull/58293) +- \[[`9b6af26132`](https://github.com/nodejs/node/commit/9b6af26132)] - **(CVE-2026-48615)** **lib,test**: redact proxy credentials in tunnel errors (Matteo Collina) [nodejs-private/node-private#867](https://github.com/nodejs-private/node-private/pull/867) +- \[[`28dcd38864`](https://github.com/nodejs/node/commit/28dcd38864)] - **(CVE-2026-48935)** **permission**: disable FileHandle utimes with permission model (RafaelGSS) [nodejs-private/node-private#873](https://github.com/nodejs-private/node-private/pull/873) +- \[[`2f62693801`](https://github.com/nodejs/node/commit/2f62693801)] - **(CVE-2026-48617)** **permission**: handle process.chdir on writereport (RafaelGSS) [nodejs-private/node-private#870](https://github.com/nodejs-private/node-private/pull/870) +- \[[`1662a3ea09`](https://github.com/nodejs/node/commit/1662a3ea09)] - **test**: add session reuse host verification regressions (Matteo Collina) [nodejs-private/node-private#854](https://github.com/nodejs-private/node-private/pull/854) +- \[[`718d5d0e2c`](https://github.com/nodejs/node/commit/718d5d0e2c)] - **test**: skip `test-fs-utimes-y2K38` on armv7 (Richard Lau) [#63836](https://github.com/nodejs/node/pull/63836) +- \[[`041185b61f`](https://github.com/nodejs/node/commit/041185b61f)] - **test**: skip test-cluster-dgram-reuse on AIX 7.3 (Stewart X Addison) [#62238](https://github.com/nodejs/node/pull/62238) +- \[[`fd890ba01d`](https://github.com/nodejs/node/commit/fd890ba01d)] - **(CVE-2026-48934)** **tls**: bind reusable sessions to authenticated host (Matteo Collina) [nodejs-private/node-private#854](https://github.com/nodejs-private/node-private/pull/854) +- \[[`39d1d09684`](https://github.com/nodejs/node/commit/39d1d09684)] - **(CVE-2026-48928)** **tls**: fix case-sensitive SNI context matching (Matteo Collina) [nodejs-private/node-private#857](https://github.com/nodejs-private/node-private/pull/857) +- \[[`2197a47144`](https://github.com/nodejs/node/commit/2197a47144)] - **(CVE-2026-48618)** **tls**: normalize hostname for server identity checks (Matteo Collina) [nodejs-private/node-private#869](https://github.com/nodejs-private/node-private/pull/869) + +Windows 32-bit Installer: https://nodejs.org/dist/v22.23.0/node-v22.23.0-x86.msi \ +Windows 64-bit Installer: https://nodejs.org/dist/v22.23.0/node-v22.23.0-x64.msi \ +Windows ARM 64-bit Installer: https://nodejs.org/dist/v22.23.0/node-v22.23.0-arm64.msi \ +Windows 32-bit Binary: https://nodejs.org/dist/v22.23.0/win-x86/node.exe \ +Windows 64-bit Binary: https://nodejs.org/dist/v22.23.0/win-x64/node.exe \ +Windows ARM 64-bit Binary: https://nodejs.org/dist/v22.23.0/win-arm64/node.exe \ +macOS 64-bit Installer: https://nodejs.org/dist/v22.23.0/node-v22.23.0.pkg \ +macOS Apple Silicon 64-bit Binary: https://nodejs.org/dist/v22.23.0/node-v22.23.0-darwin-arm64.tar.gz \ +macOS Intel 64-bit Binary: https://nodejs.org/dist/v22.23.0/node-v22.23.0-darwin-x64.tar.gz \ +Linux 64-bit Binary: https://nodejs.org/dist/v22.23.0/node-v22.23.0-linux-x64.tar.xz \ +Linux PPC LE 64-bit Binary: https://nodejs.org/dist/v22.23.0/node-v22.23.0-linux-ppc64le.tar.xz \ +Linux s390x 64-bit Binary: https://nodejs.org/dist/v22.23.0/node-v22.23.0-linux-s390x.tar.xz \ +AIX 64-bit Binary: https://nodejs.org/dist/v22.23.0/node-v22.23.0-aix-ppc64.tar.gz \ +ARMv7 32-bit Binary: https://nodejs.org/dist/v22.23.0/node-v22.23.0-linux-armv7l.tar.xz \ +ARMv8 64-bit Binary: https://nodejs.org/dist/v22.23.0/node-v22.23.0-linux-arm64.tar.xz \ +Source Code: https://nodejs.org/dist/v22.23.0/node-v22.23.0.tar.gz \ +Other release files: https://nodejs.org/dist/v22.23.0/ \ +Documentation: https://nodejs.org/docs/v22.23.0/api/ + +### SHASUMS + +``` +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA256 + +5c595ef33e1b1dcd48128690ab599cf246b51abed470928706edaf56f1d04248 node-v22.23.0-aix-ppc64.tar.gz +d963392c08a9d0f7f1458410a43c8c0e7dd78712f01b5ffa561f00a3044a47ff node-v22.23.0-arm64.msi +e0f383a215dd3093de6d2c74f87056dc2306a2e09ad494cbffdba28f89046f56 node-v22.23.0-darwin-arm64.tar.gz +69a741a8938e3efbd7098ca1681a179f771bc9bbf733a799e9ed81949a602f73 node-v22.23.0-darwin-arm64.tar.xz +dc2ccab261fd70c347e4cc52085d8d226f471ccba1fc2a7252283949b31ca9f9 node-v22.23.0-darwin-x64.tar.gz +c339a9bc031a98bac0dba90f57370ac5ae68e4549045c8f51e740f375a0b8799 node-v22.23.0-darwin-x64.tar.xz +ac07673009b92d70f3d842df28204e92785234bae6b4d5785f63fbca8408fc69 node-v22.23.0-headers.tar.gz +b0a0a71751aa17ac9190a47c34d1439a2118493dcc323c5eae27fb691b8446d9 node-v22.23.0-headers.tar.xz +0c96aa074abd109e0b5da8d10202a9bbcea9bcf9ddb587b20944f71b8f21f8c8 node-v22.23.0-linux-arm64.tar.gz +4018815ac1bed4f18208901bbde524fee881253b591ee7bc952660e69bd057af node-v22.23.0-linux-arm64.tar.xz +2a6ac877b2381711c55178052a6f481171e0964c2f8d33d0cfe36d8e35f1c2c0 node-v22.23.0-linux-armv7l.tar.gz +6f983135f5bbf1bf017686c93bbabcb616473578f75ef43c773c1556b404a50a node-v22.23.0-linux-armv7l.tar.xz +740fa84ba1d3e7f5d3155f9f7b71e2189d2fbba119df0c0c59533dc7e415efe1 node-v22.23.0-linux-ppc64le.tar.gz +864760dde36a03bf0da8f74b511c41a31adae4f50284a20066518775269539aa node-v22.23.0-linux-ppc64le.tar.xz +274c8946cd95bd3b7b586c1bfb35de315836f9e8863e29dd264decc73e652b8a node-v22.23.0-linux-s390x.tar.gz +8c5ba195dff6c11a292ffbe199931c7b52d3f233d25fa908718b99d0e0f9d09d node-v22.23.0-linux-s390x.tar.xz +535eeb608ca1e0b71d49a0e36991d449d5f935fbb04eca61677519b010cd673a node-v22.23.0-linux-x64.tar.gz +14d7de44f235534799f8b171a4050d9a6a4bc99c87e053a25d3d54afa580aa20 node-v22.23.0-linux-x64.tar.xz +e42354513cbee40eba62db30cd8132bbc2a1896c4f6f85483bd67e318c115cc0 node-v22.23.0-win-arm64.7z +8d540a7a1eeb3ff6681f516c47d786964b874acdaa4fd83338d6898bbb4f68a4 node-v22.23.0-win-arm64.zip +b9114632eff5fd061da5ec72656b13e50ca9736af5551f0737f10b26cba2a12b node-v22.23.0-win-x64.7z +425a5bd68cc95e8eb16bcccd0a75081b48983fc6a26f67126bd4d6c7198231e8 node-v22.23.0-win-x64.zip +21ef41b8a7e9904643f813db751d75599ef0c5774845b534ad70c46aa8d0c14c node-v22.23.0-win-x86.7z +28948dbed0828d20cf64aca0a451fa38967214ccb87d02e7048db6398545b0c0 node-v22.23.0-win-x86.zip +aea5493d05c20996a817c45312d9bc8c6b062bfb6737afc2bab542c42fbb8835 node-v22.23.0-x64.msi +87154158fa4ad843e0e03a08c2f7d17b414bbd4a74b1986d7b011403edffd511 node-v22.23.0-x86.msi +62e5eb26a68aadf2458e3a3eaf84fae9ecc4870aeaabcefc636b69997552842e node-v22.23.0.pkg +61fd42cd1c3ff04a849f5ad5d08c58b111831944b5b94bc90fc623eab41418a2 node-v22.23.0.tar.gz +3acfae100c7b855a4c76520ee0f95cadcace3f4254f16b7d4887f178fc95d4a0 node-v22.23.0.tar.xz +abe829ba4e4fbabdcf3117ac013ecbb61469c2ccebebb87f84b41c7cdd8dfaf9 win-arm64/node.exe +e56e62f4a7ae6643a40db01f09072e8a93ccbe73be8abff927b793344691d6b7 win-arm64/node.lib +35a4655f6475f6387e13938439f925cb8ab33cf74721f88b1d77f5c855285c95 win-arm64/node_pdb.7z +d81c12c2a42291a4f8317313f8e8d19ba9cd9a9fd722d0aba3e13e64d1fcdedc win-arm64/node_pdb.zip +17347995af08dadcc73a1a154f0942559fbc3f37b9ba57d4576b4d2bcb2834a2 win-x64/node.exe +ac15f1e9d7c8279353723a77f6319967f1a41c06026521094a8234c2e6fbe052 win-x64/node.lib +901e9eef6f41c2b2a4a17670edc7854f7434bbb3120815bb8c146e244c2527e4 win-x64/node_pdb.7z +8b4d97c4454f37dc2a4dbe5821f428fc45ef066fb076ce6f395cc45c76aab692 win-x64/node_pdb.zip +8b4369dd36679fcaf7146d6627d1ca1c1ea04bf933f91f9c61630d158df82bc0 win-x86/node.exe +66949ba371a159f5e3626f6ce960f85ab6bcdd237eafcdfbc11d1377a2767652 win-x86/node.lib +a52afc61556fee95d22f0a401a761714d585f5596b7cf92d175a3f238b08bdba win-x86/node_pdb.7z +8df46485e8d327e66eea65538845bdf31350ed76d921c6512ec6fa044a814a7e win-x86/node_pdb.zip + +-----BEGIN PGP SIGNATURE----- + +iHUEARYIAB0WIQRb6KP2yKXAHRBsCtggsaOQsWjTVgUCajN0uQAKCRAgsaOQsWjT +VrCOAQCGN/ZUCGhmojChsyAmHwY6dkE0C6v+pkT+R2Z0gi6M4AD9HGnS7wyeo2qY ++2RqcJ1iGGuYD7/DPIY1emFpLja9hws= +=nIm4 +-----END PGP SIGNATURE----- +```