diff --git a/apps/site/pages/en/blog/release/v26.3.1.md b/apps/site/pages/en/blog/release/v26.3.1.md new file mode 100644 index 0000000000000..7ac7ed74230b1 --- /dev/null +++ b/apps/site/pages/en/blog/release/v26.3.1.md 
@@ -0,0 +1,109 @@ +--- +date: '2026-06-18T04:38:39.606Z' +category: release +title: Node.js 26.3.1 (Current) +layout: blog-post +author: Antoine du Hamel +--- + +## 2026-06-18, Version 26.3.1 (Current), @aduh95 + +This is a security release. + +### Notable Changes + +- (CVE-2026-48618) tls: normalize hostname for server identity checks (Matteo Collina) – High +- (CVE-2026-48933) crypto: guard WebCrypto cipher output length (Filip Skokan) – High +- (CVE-2026-48615) lib,test: redact proxy credentials in tunnel errors (Matteo Collina) – Medium +- (CVE-2026-48619) http2: cap originSet size to prevent unbounded memory growth (Matteo Collina) – Medium +- (CVE-2026-48928) tls: fix case-sensitive SNI context matching (Matteo Collina) – Medium +- (CVE-2026-48930) dns,net: reject hostnames with embedded NUL bytes (Matteo Collina) – Medium +- (CVE-2026-48934) tls: bind reusable sessions to authenticated host (Matteo Collina) – Medium +- (CVE-2026-48617) permission: handle process.chdir on writereport (RafaelGSS) – Low +- (CVE-2026-48931) http: fix response queue poisoning in http.Agent (Matteo Collina) – Low +- (CVE-2026-48935) permission: disable FileHandle utimes with permission model (RafaelGSS) – Low +- (CVE-2026-48936) permission: guard pipe open and chmod with net scope (RafaelGSS) – Low + +### Commits + +- \[[`98fbc89211`](https://github.com/nodejs/node/commit/98fbc89211)] - **(CVE-2026-48933)** **crypto**: guard WebCrypto cipher output length (Filip Skokan) [nodejs-private/node-private#878](https://github.com/nodejs-private/node-private/pull/878) +- \[[`110840f2c7`](https://github.com/nodejs/node/commit/110840f2c7)] - **deps**: update llhttp to 9.4.2 (Antoine du Hamel) [nodejs-private/node-private#890](https://github.com/nodejs-private/node-private/pull/890) +- \[[`8d36d522b2`](https://github.com/nodejs/node/commit/8d36d522b2)] - **deps**: update undici to 8.5.0 (Node.js GitHub Bot) [#63903](https://github.com/nodejs/node/pull/63903) +- 
\[[`2e6d03993a`](https://github.com/nodejs/node/commit/2e6d03993a)] - **deps**: update undici to 8.4.0 (Node.js GitHub Bot) [#63779](https://github.com/nodejs/node/pull/63779) +- \[[`5a17d5b07a`](https://github.com/nodejs/node/commit/5a17d5b07a)] - **deps**: update archs files for openssl-3.5.7 (Node.js GitHub Bot) [#63820](https://github.com/nodejs/node/pull/63820) +- \[[`362725d4e5`](https://github.com/nodejs/node/commit/362725d4e5)] - **deps**: upgrade openssl sources to openssl-3.5.7 (Node.js GitHub Bot) [#63820](https://github.com/nodejs/node/pull/63820) +- \[[`bd1214ab01`](https://github.com/nodejs/node/commit/bd1214ab01)] - **(CVE-2026-48930)** **dns,net**: reject hostnames with embedded NUL bytes (Matteo Collina) [nodejs-private/node-private#868](https://github.com/nodejs-private/node-private/pull/868) +- \[[`bc0b53813e`](https://github.com/nodejs/node/commit/bc0b53813e)] - **(CVE-2026-48931)** **http**: fix response queue poisoning in http.Agent (Matteo Collina) [nodejs-private/node-private#846](https://github.com/nodejs-private/node-private/pull/846) +- \[[`87d847bc70`](https://github.com/nodejs/node/commit/87d847bc70)] - **(CVE-2026-48619)** **http2**: cap originSet size to prevent unbounded memory growth (Matteo Collina) [nodejs-private/node-private#855](https://github.com/nodejs-private/node-private/pull/855) +- \[[`9308084fcb`](https://github.com/nodejs/node/commit/9308084fcb)] - **(CVE-2026-48615)** **lib,test**: redact proxy credentials in tunnel errors (Matteo Collina) [nodejs-private/node-private#867](https://github.com/nodejs-private/node-private/pull/867) +- \[[`a67dd46891`](https://github.com/nodejs/node/commit/a67dd46891)] - **(CVE-2026-48936)** **permission**: guard pipe open and chmod with net scope (RafaelGSS) [nodejs-private/node-private#885](https://github.com/nodejs-private/node-private/pull/885) +- \[[`7057c3f16c`](https://github.com/nodejs/node/commit/7057c3f16c)] - **(CVE-2026-48935)** **permission**: disable FileHandle utimes with 
permission model (RafaelGSS) [nodejs-private/node-private#873](https://github.com/nodejs-private/node-private/pull/873) +- \[[`6bc17a6b51`](https://github.com/nodejs/node/commit/6bc17a6b51)] - **(CVE-2026-48617)** **permission**: handle process.chdir on writereport (RafaelGSS) [nodejs-private/node-private#870](https://github.com/nodejs-private/node-private/pull/870) +- \[[`c8668beff8`](https://github.com/nodejs/node/commit/c8668beff8)] - **test**: add session reuse host verification regressions (Matteo Collina) [nodejs-private/node-private#854](https://github.com/nodejs-private/node-private/pull/854) +- \[[`d1be630415`](https://github.com/nodejs/node/commit/d1be630415)] - **(CVE-2026-48934)** **tls**: bind reusable sessions to authenticated host (Matteo Collina) [nodejs-private/node-private#854](https://github.com/nodejs-private/node-private/pull/854) +- \[[`a14c158bb3`](https://github.com/nodejs/node/commit/a14c158bb3)] - **(CVE-2026-48928)** **tls**: fix case-sensitive SNI context matching (Matteo Collina) [nodejs-private/node-private#857](https://github.com/nodejs-private/node-private/pull/857) +- \[[`ebda73470d`](https://github.com/nodejs/node/commit/ebda73470d)] - **(CVE-2026-48618)** **tls**: normalize hostname for server identity checks (Matteo Collina) [nodejs-private/node-private#869](https://github.com/nodejs-private/node-private/pull/869) + +Windows 64-bit Installer: https://nodejs.org/dist/v26.3.1/node-v26.3.1-x64.msi \ +Windows ARM 64-bit Installer: https://nodejs.org/dist/v26.3.1/node-v26.3.1-arm64.msi \ +Windows 64-bit Binary: https://nodejs.org/dist/v26.3.1/win-x64/node.exe \ +Windows ARM 64-bit Binary: https://nodejs.org/dist/v26.3.1/win-arm64/node.exe \ +macOS 64-bit Installer: https://nodejs.org/dist/v26.3.1/node-v26.3.1.pkg \ +macOS Apple Silicon 64-bit Binary: https://nodejs.org/dist/v26.3.1/node-v26.3.1-darwin-arm64.tar.gz \ +macOS Intel 64-bit Binary: https://nodejs.org/dist/v26.3.1/node-v26.3.1-darwin-x64.tar.gz \ +Linux 64-bit Binary: 
https://nodejs.org/dist/v26.3.1/node-v26.3.1-linux-x64.tar.xz \ +Linux PPC LE 64-bit Binary: https://nodejs.org/dist/v26.3.1/node-v26.3.1-linux-ppc64le.tar.xz \ +Linux s390x 64-bit Binary: https://nodejs.org/dist/v26.3.1/node-v26.3.1-linux-s390x.tar.xz \ +AIX 64-bit Binary: https://nodejs.org/dist/v26.3.1/node-v26.3.1-aix-ppc64.tar.gz \ +ARMv8 64-bit Binary: https://nodejs.org/dist/v26.3.1/node-v26.3.1-linux-arm64.tar.xz \ +Source Code: https://nodejs.org/dist/v26.3.1/node-v26.3.1.tar.gz \ +Other release files: https://nodejs.org/dist/v26.3.1/ \ +Documentation: https://nodejs.org/docs/v26.3.1/api/ + +### SHASUMS + +``` +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA256 + +8c0ef7465b17c31d6bfaea84d5b8d62944b543dcd2df42933aa0bff4771ebc5c node-v26.3.1-aix-ppc64.tar.gz +bd0c50afcc7140b64b12e24f73f0681d68f84205575893561e6344dc09b71fc7 node-v26.3.1-arm64.msi +3f624ab0d774553c0d28b968e141d8c676a35a2811fb0b7b356ba9cbdce15f74 node-v26.3.1-darwin-arm64.tar.gz +49aca22a8c2992c16688baa512a7b00c41a4608e9675fcaa81534767bf1116ce node-v26.3.1-darwin-arm64.tar.xz +3ec9e5a28c641c088f3d04ad38721bfdedb2f8aa8c031979fa93df08b5a92e58 node-v26.3.1-darwin-x64.tar.gz +dac58e340c721332d331a44c9ee2e126b26632c42d3028eb2ceb5c3f218798fa node-v26.3.1-darwin-x64.tar.xz +a0fbaa7136174fa7533f6178c2331ffbaad5f25e9fd2e610fc3961b57fd5acae node-v26.3.1-headers.tar.gz +e84075cd1296f089ad17bc87d34cea964bad7f1018378656af16d494adf91d1a node-v26.3.1-headers.tar.xz +2f0829b201e9db20996ae15bce62138df1e3d317775b005778b05cf7b19714f1 node-v26.3.1-linux-arm64.tar.gz +c021380e64d1314d1218ab1f31e0f5b0f28f1f54ac779ef72a16c2bda0ca5c30 node-v26.3.1-linux-arm64.tar.xz +276d72c00b4cfedf3bc45bde6d1bd0a18e8c846ed150a5381c528112fa0ccabd node-v26.3.1-linux-ppc64le.tar.gz +ec83deb41569e3896e8c4af4986c76dc0bf4e0eb909643b364d38e8a9f9f9091 node-v26.3.1-linux-ppc64le.tar.xz +740d35affe20683d244e494e0cc9710a91c1c6039ffdd0ed9f7d110c998bd23c node-v26.3.1-linux-s390x.tar.gz 
+e8aece0730dc3dc808d66f8a8b8a6f87354ac941dfaa3a59a27022b2435abbcd node-v26.3.1-linux-s390x.tar.xz +e892cd615e637edebcf22f9653d80fba63167ad6754d20881fd52cc37be81441 node-v26.3.1-linux-x64.tar.gz +55647180e4ae58ffeaa3294e89aa4abda7c371dfbd64b44cbdb022980177aae0 node-v26.3.1-linux-x64.tar.xz +40e8d2ad0a4f543c5e283ca0074ce8ea327062d448bf84f3cdfda27e736fbde8 node-v26.3.1-win-arm64.7z +021eb7de1d5257b24765f292dfcb469ff1528c29d88f48c875befb28114fb0fb node-v26.3.1-win-arm64.zip +35c2ce21f7b0ea776b139cecc052641653abc31fb438cb17d096af7a9277d706 node-v26.3.1-win-x64.7z +45001b289ebffe7b22260898f3750059183d8246042b88e8ffa4337e65e6763e node-v26.3.1-win-x64.zip +c07b05c3b9e22e1a408e630285f15201b86eaa32f5d9ca8cf35132c9caac0cf0 node-v26.3.1-x64.msi +942790eea681d9fa92b7c67343a2fd862b860546ad62f3a8a12f8ca72b784baf node-v26.3.1.pkg +d38ec1c76d2651d2c597cffa46c8379b29e42baa5b82b7997981e8301b4b3387 node-v26.3.1.tar.gz +979b9b8308a8d2d4a27c662ed50448c85f970c0fd4f5ce8b98e8da78c441f2bc node-v26.3.1.tar.xz +b8ad851e5ac8cbb784633ec905bd86a282697cc73eb1836c503f02968c7d2c41 win-arm64/node.exe +bd474f1ca8c44b2ab10e908c14447c5d91e1bac3f3a4d3141c78b6dbb5d1a253 win-arm64/node.lib +4ae86b1181dea3cf5a39c17600eec672df3b4d728643be91e3f6b3f8b9da6138 win-arm64/node_pdb.7z +8a256841ab4992714d817f8f15722f1db25520555823b4a9a6a6c75f86d44f17 win-arm64/node_pdb.zip +2e5b4362a7ea3478cb408a07189c19c16e487f188ac96db2e9e0f45ad8e21837 win-x64/node.exe +2f71186cc7649a7406b1616566700e397e9dd52bd7267440d78d78a1725bd312 win-x64/node.lib +e56e13c1a622751a9024b3d6e2c8806e992cd7f502bc3b22f47d7a471cdaee20 win-x64/node_pdb.7z +9dd4250f30eaf002777b719af182917c16ebb174b72a15575b5e81a93c1c989b win-x64/node_pdb.zip + +-----BEGIN PGP SIGNATURE----- + +iHUEARYIAB0WIQRb6KP2yKXAHRBsCtggsaOQsWjTVgUCajN11AAKCRAgsaOQsWjT +VgK3AQCiaZF1iVzuLrCodtoLumgZJqaNBJFuc+DheHSVx91waQEAoowJe+hn+Kx1 +QRMAE1Eeb+Y8eH6UYaDP6ACMbGUiGwM= +=UJVW +-----END PGP SIGNATURE----- +```
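Review bot: In the Commits list, `deps: update llhttp to 9.4.2` comes from nodejs-private/node-private#890, the same private repository as the CVE fixes, yet it carries no CVE tag and has no entry under Notable Changes; that section also leaves out the OpenSSL 3.5.7 and undici 8.4.0/8.5.0 updates. Because the post opens with "This is a security release", readers triaging the upgrade need to know whether those dependency bumps fix vulnerabilities. Suggest adding a Notable Changes line for each update that does, or one sentence saying they are routine. Separately, `test: add session reuse host verification regressions` shares PR #854 with the CVE-2026-48934 fix but is not tagged with it; tagging it would keep the two commits together for anyone filtering the list by CVE.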