diff --git a/apps/site/pages/en/blog/release/v24.17.0.md b/apps/site/pages/en/blog/release/v24.17.0.md new file mode 100644 index 0000000000000..96eedd08f6ebf --- /dev/null +++ b/apps/site/pages/en/blog/release/v24.17.0.md @@ -0,0 +1,110 @@ +--- +date: '2026-06-18T04:38:38.484Z' +category: release +title: Node.js 24.17.0 (LTS) +layout: blog-post +author: Antoine du Hamel +--- + +## 2026-06-18, Version 24.17.0 'Krypton' (LTS), @aduh95 + +This is a security release. + +### Notable Changes + +- (CVE-2026-48618) tls: normalize hostname for server identity checks (Matteo Collina) – High +- (CVE-2026-48933) crypto: guard WebCrypto cipher output length (Filip Skokan) – High +- (CVE-2026-48615) lib,test: redact proxy credentials in tunnel errors (Matteo Collina) – Medium +- (CVE-2026-48619) http2: cap originSet size to prevent unbounded memory growth (Matteo Collina) – Medium +- (CVE-2026-48928) tls: fix case-sensitive SNI context matching (Matteo Collina) – Medium +- (CVE-2026-48930) dns,net: reject hostnames with embedded NUL bytes (Matteo Collina) – Medium +- (CVE-2026-48934) tls: bind reusable sessions to authenticated host (Matteo Collina) – Medium +- (CVE-2026-48937) deps: fix integration issues with the latest nghttp2 – Medium +- (CVE-2026-48617) permission: handle process.chdir on writereport (RafaelGSS) – Low +- (CVE-2026-48931) http: fix response queue poisoning in http.Agent (Matteo Collina) – Low +- (CVE-2026-48935) permission: disable FileHandle utimes with permission model (RafaelGSS) – Low + +### Commits + +- \[[`9e4dfc7bba`](https://github.com/nodejs/node/commit/9e4dfc7bba)] - **(CVE-2026-48933)** **crypto**: guard WebCrypto cipher output length (Filip Skokan) [nodejs-private/node-private#878](https://github.com/nodejs-private/node-private/pull/878) +- \[[`cb2aed980c`](https://github.com/nodejs/node/commit/cb2aed980c)] - **deps**: update llhttp to 9.4.2 (Antoine du Hamel) [nodejs-private/node-private#890](https://github.com/nodejs-private/node-private/pull/890) +- \[[`a8a0d12875`](https://github.com/nodejs/node/commit/a8a0d12875)] - **(CVE-2026-48937)** **deps**: fix integration issues with the latest nghttp2 (Tim Perry) [#62891](https://github.com/nodejs/node/pull/62891) +- \[[`66e6203c1c`](https://github.com/nodejs/node/commit/66e6203c1c)] - **(SEMVER-MAJOR)** **deps**: update nghttp2 to 1.69.0 (Node.js GitHub Bot) [#62891](https://github.com/nodejs/node/pull/62891) +- \[[`dd627ced27`](https://github.com/nodejs/node/commit/dd627ced27)] - **deps**: update archs files for openssl-3.5.7 (Node.js GitHub Bot) [#63820](https://github.com/nodejs/node/pull/63820) +- \[[`684bae568f`](https://github.com/nodejs/node/commit/684bae568f)] - **deps**: upgrade openssl sources to openssl-3.5.7 (Node.js GitHub Bot) [#63820](https://github.com/nodejs/node/pull/63820) +- \[[`3a631e7f83`](https://github.com/nodejs/node/commit/3a631e7f83)] - **deps**: fix aix implicit declaration in OpenSSL (Abdirahim Musse) [#62656](https://github.com/nodejs/node/pull/62656) +- \[[`cf44df3996`](https://github.com/nodejs/node/commit/cf44df3996)] - **deps**: update undici to 7.28.0 (Node.js GitHub Bot) [#63703](https://github.com/nodejs/node/pull/63703) +- \[[`138c70294b`](https://github.com/nodejs/node/commit/138c70294b)] - **(CVE-2026-48930)** **dns,net**: reject hostnames with embedded NUL bytes (Matteo Collina) [nodejs-private/node-private#868](https://github.com/nodejs-private/node-private/pull/868) +- \[[`be7e719c3f`](https://github.com/nodejs/node/commit/be7e719c3f)] - **(CVE-2026-48931)** **http**: fix response queue poisoning in http.Agent (Matteo Collina) [nodejs-private/node-private#846](https://github.com/nodejs-private/node-private/pull/846) +- \[[`cc7c11b4d1`](https://github.com/nodejs/node/commit/cc7c11b4d1)] - **(CVE-2026-48619)** **http2**: cap originSet size to prevent unbounded memory growth (Matteo Collina) [nodejs-private/node-private#855](https://github.com/nodejs-private/node-private/pull/855) +- \[[`9224427b92`](https://github.com/nodejs/node/commit/9224427b92)] - **(CVE-2026-48615)** **lib,test**: redact proxy credentials in tunnel errors (Matteo Collina) [nodejs-private/node-private#867](https://github.com/nodejs-private/node-private/pull/867) +- \[[`cf85d54839`](https://github.com/nodejs/node/commit/cf85d54839)] - **(CVE-2026-48935)** **permission**: disable FileHandle utimes with permission model (RafaelGSS) [nodejs-private/node-private#873](https://github.com/nodejs-private/node-private/pull/873) +- \[[`a1bbc24f96`](https://github.com/nodejs/node/commit/a1bbc24f96)] - **(CVE-2026-48617)** **permission**: handle process.chdir on writereport (RafaelGSS) [nodejs-private/node-private#870](https://github.com/nodejs-private/node-private/pull/870) +- \[[`e3723ff2d6`](https://github.com/nodejs/node/commit/e3723ff2d6)] - **test**: add session reuse host verification regressions (Matteo Collina) [nodejs-private/node-private#854](https://github.com/nodejs-private/node-private/pull/854) +- \[[`a77af4867b`](https://github.com/nodejs/node/commit/a77af4867b)] - **(CVE-2026-48934)** **tls**: bind reusable sessions to authenticated host (Matteo Collina) [nodejs-private/node-private#854](https://github.com/nodejs-private/node-private/pull/854) +- \[[`31beb4f707`](https://github.com/nodejs/node/commit/31beb4f707)] - **(CVE-2026-48928)** **tls**: fix case-sensitive SNI context matching (Matteo Collina) [nodejs-private/node-private#857](https://github.com/nodejs-private/node-private/pull/857) +- \[[`8e75c73f91`](https://github.com/nodejs/node/commit/8e75c73f91)] - **(CVE-2026-48618)** **tls**: normalize hostname for server identity checks (Matteo Collina) [nodejs-private/node-private#869](https://github.com/nodejs-private/node-private/pull/869) + +Windows 64-bit Installer: https://nodejs.org/dist/v24.17.0/node-v24.17.0-x64.msi \ +Windows ARM 64-bit Installer: https://nodejs.org/dist/v24.17.0/node-v24.17.0-arm64.msi \ +Windows 64-bit Binary: https://nodejs.org/dist/v24.17.0/win-x64/node.exe \ +Windows ARM 64-bit Binary: https://nodejs.org/dist/v24.17.0/win-arm64/node.exe \ +macOS 64-bit Installer: https://nodejs.org/dist/v24.17.0/node-v24.17.0.pkg \ +macOS Apple Silicon 64-bit Binary: https://nodejs.org/dist/v24.17.0/node-v24.17.0-darwin-arm64.tar.gz \ +macOS Intel 64-bit Binary: https://nodejs.org/dist/v24.17.0/node-v24.17.0-darwin-x64.tar.gz \ +Linux 64-bit Binary: https://nodejs.org/dist/v24.17.0/node-v24.17.0-linux-x64.tar.xz \ +Linux PPC LE 64-bit Binary: https://nodejs.org/dist/v24.17.0/node-v24.17.0-linux-ppc64le.tar.xz \ +Linux s390x 64-bit Binary: https://nodejs.org/dist/v24.17.0/node-v24.17.0-linux-s390x.tar.xz \ +AIX 64-bit Binary: https://nodejs.org/dist/v24.17.0/node-v24.17.0-aix-ppc64.tar.gz \ +ARMv8 64-bit Binary: https://nodejs.org/dist/v24.17.0/node-v24.17.0-linux-arm64.tar.xz \ +Source Code: https://nodejs.org/dist/v24.17.0/node-v24.17.0.tar.gz \ +Other release files: https://nodejs.org/dist/v24.17.0/ \ +Documentation: https://nodejs.org/docs/v24.17.0/api/ + +### SHASUMS + +``` +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA256 + +31e9fc249c74a3a6dfeca4758229f003620459b42c3749f7c423f2999d09a727 node-v24.17.0-aix-ppc64.tar.gz +adee7826d2840efd66cec5e79c9b4e151f4815ac0e24f92cf334bc28d7f1f83c node-v24.17.0-arm64.msi +4fc3266a3702eebc39cc37661cf4eeceeade307e242ab64e4d7ce7949197e11f node-v24.17.0-darwin-arm64.tar.gz +cf7e9152d7bd86c140f6eccf3577abfbaf8960be1ca49d9d900e8484984dcb9a node-v24.17.0-darwin-arm64.tar.xz +80da552fe037290cb130e9dea590f5eeeb7aa450636f0c89ab41415511c1ec27 node-v24.17.0-darwin-x64.tar.gz +fe50e386f6a5e0b29ce44b989e543da9fb9a80aed0b91a2f0cb19c55106921fc node-v24.17.0-darwin-x64.tar.xz +ac60c4ba92204658efaac112efea5d3597348b011be679af0eec324d8c08915e node-v24.17.0-headers.tar.gz +aab64d32cd1690e4027326e746877bdac62f0a8458215241638477cbfe0a4192 node-v24.17.0-headers.tar.xz +faa0d59ba7fe7045c950ed09b190578fb8eee73e4358686d38fcc99ca58c1480 node-v24.17.0-linux-arm64.tar.gz +67324b9e515e7d13da72571a5dd522bb23145a820f7dde15497897e466759ab3 node-v24.17.0-linux-arm64.tar.xz +804ed4a1a0ef28d592408b84ac2a85e858ab9124dad933e12b4323609411b809 node-v24.17.0-linux-ppc64le.tar.gz +7657dfb803132a05cfc83353f43f603cba790e1d2366caeb36083aa8f351124b node-v24.17.0-linux-ppc64le.tar.xz +a659e9c26fcd648f3359dbfd292f078434168040f2fb1acf3c9c1bcd3fc37b2b node-v24.17.0-linux-s390x.tar.gz +a8e6f79fac2e17e5a9a9d479bad3b6f19921049bbb5888fa238347427502f23c node-v24.17.0-linux-s390x.tar.xz +e0472427aa791ad80bdc426ff7cc73cdd28ed0f616d1ff9689a23a7f47f1265f node-v24.17.0-linux-x64.tar.gz +ab343a1b747c7cbf3630dfd7dbf818c5423fab2eb4f5ad1afc896f6bd121a917 node-v24.17.0-linux-x64.tar.xz +0ef6a68334882bb74f5afd2d370cf2cdabc3ef823c8fdd649d9d779478c09607 node-v24.17.0-win-arm64.7z +4957712f67fce55779cc794d9b4df9e0e802a18c841ad5a4e42f17be490e634d node-v24.17.0-win-arm64.zip +91382ab13fea6cfdd475fc0f5b74727c979f609a94905ae338f8b9f1cce32457 node-v24.17.0-win-x64.7z +f2aa33b35b75aca5f3f7b85675a6f6423201053e9381911e64961f3bda2528ab node-v24.17.0-win-x64.zip +ae5d9e9f6c85b8d35717f499ba907259ec80672c289858bae19074355906a240 node-v24.17.0-x64.msi +6d795ec7986972ac377bcf017eb2a4f970962f36e1584bfebe79326a194f365f node-v24.17.0.pkg +66a10e05fa7875ff1d7d669de405ea6ce8725f2352bd07550f520dea2f880825 node-v24.17.0.tar.gz +a7ab562ed2369a29c68b72fa00e3103bcdfe37063dff799c6acc8e404e275fcd node-v24.17.0.tar.xz +44999f9ec6486d01202d8961f343eac8c9f2847b234a8637c3fd0f1e2bb3288a win-arm64/node.exe +d32c3ff35f34b9593e5fcddc23ca779f4b40abfb9aa5a031d620f1ecb44ca935 win-arm64/node.lib +60c69df69e22db238ab670efb7ad57ab6da92adcea33c6eea152daf3c2182ad6 win-arm64/node_pdb.7z +93262aebc5c28f3f2218cad37a7635b9fb95ea89cb068c124b7eac9446682029 win-arm64/node_pdb.zip +c6335d08331c23d68b9f2b18adb102002d76ef150b47248e954c507e0d033664 win-x64/node.exe +4ab42af597bc4f0957e9e2dcd5db18bdf223406a0c8e0b6be0f28e57977b808b win-x64/node.lib +0e2a2937823b7fbca4d4ed344ed13d6c8a519d06460f77966fce59e1d146826b win-x64/node_pdb.7z +bd231782ef5e062395d6d2a259c3aaee994db694df9bdcd4beeb9d6bac9e69ec win-x64/node_pdb.zip + +-----BEGIN PGP SIGNATURE----- + +iHUEARYIAB0WIQRb6KP2yKXAHRBsCtggsaOQsWjTVgUCajN1TwAKCRAgsaOQsWjT +VsDcAQClE4tL8dBeOyi941MK78i7o4iOFfoYYdyIayxQww7nTgD/Zmdx1h1gjwo/ +J5fumRrmsNRDj6JYjUfEzKSSJjFX7Q8= +=nnSg +-----END PGP SIGNATURE----- +```