nodejs · aduh95 · Jun 18, 2026 · Jun 18, 2026 · Jun 18, 2026
@@ -0,0 +1,109 @@
+---
+date: '2026-06-18T04:38:39.606Z'
+category: release
+title: Node.js 26.3.1 (Current)
+layout: blog-post
+author: Antoine du Hamel
+---
+
+## 2026-06-18, Version 26.3.1 (Current), @aduh95
+
+This is a security release.
+
+### Notable Changes
+
+- (CVE-2026-48618) tls: normalize hostname for server identity checks (Matteo Collina) – High
+- (CVE-2026-48933) crypto: guard WebCrypto cipher output length (Filip Skokan) – High
+- (CVE-2026-48615) lib,test: redact proxy credentials in tunnel errors (Matteo Collina) – Medium
+- (CVE-2026-48619) http2: cap originSet size to prevent unbounded memory growth (Matteo Collina) – Medium
+- (CVE-2026-48928) tls: fix case-sensitive SNI context matching (Matteo Collina) – Medium
+- (CVE-2026-48930) dns,net: reject hostnames with embedded NUL bytes (Matteo Collina) – Medium
+- (CVE-2026-48934) tls: bind reusable sessions to authenticated host (Matteo Collina) – Medium
+- (CVE-2026-48617) permission: handle process.chdir on writereport (RafaelGSS) – Low
+- (CVE-2026-48931) http: fix response queue poisoning in http.Agent (Matteo Collina) – Low
+- (CVE-2026-48935) permission: disable FileHandle utimes with permission model (RafaelGSS) – Low
+- (CVE-2026-48936) permission: guard pipe open and chmod with net scope (RafaelGSS) – Low
+
+### Commits
+
+- \[[`98fbc89211`](https://github.com/nodejs/node/commit/98fbc89211)] - **(CVE-2026-48933)** **crypto**: guard WebCrypto cipher output length (Filip Skokan) [nodejs-private/node-private#878](https://github.com/nodejs-private/node-private/pull/878)
+- \[[`110840f2c7`](https://github.com/nodejs/node/commit/110840f2c7)] - **deps**: update llhttp to 9.4.2 (Antoine du Hamel) [nodejs-private/node-private#890](https://github.com/nodejs-private/node-private/pull/890)
+- \[[`8d36d522b2`](https://github.com/nodejs/node/commit/8d36d522b2)] - **deps**: update undici to 8.5.0 (Node.js GitHub Bot) [#63903](https://github.com/nodejs/node/pull/63903)
+- \[[`2e6d03993a`](https://github.com/nodejs/node/commit/2e6d03993a)] - **deps**: update undici to 8.4.0 (Node.js GitHub Bot) [#63779](https://github.com/nodejs/node/pull/63779)
+- \[[`5a17d5b07a`](https://github.com/nodejs/node/commit/5a17d5b07a)] - **deps**: update archs files for openssl-3.5.7 (Node.js GitHub Bot) [#63820](https://github.com/nodejs/node/pull/63820)
+- \[[`362725d4e5`](https://github.com/nodejs/node/commit/362725d4e5)] - **deps**: upgrade openssl sources to openssl-3.5.7 (Node.js GitHub Bot) [#63820](https://github.com/nodejs/node/pull/63820)
+- \[[`bd1214ab01`](https://github.com/nodejs/node/commit/bd1214ab01)] - **(CVE-2026-48930)** **dns,net**: reject hostnames with embedded NUL bytes (Matteo Collina) [nodejs-private/node-private#868](https://github.com/nodejs-private/node-private/pull/868)
+- \[[`bc0b53813e`](https://github.com/nodejs/node/commit/bc0b53813e)] - **(CVE-2026-48931)** **http**: fix response queue poisoning in http.Agent (Matteo Collina) [nodejs-private/node-private#846](https://github.com/nodejs-private/node-private/pull/846)
+- \[[`87d847bc70`](https://github.com/nodejs/node/commit/87d847bc70)] - **(CVE-2026-48619)** **http2**: cap originSet size to prevent unbounded memory growth (Matteo Collina) [nodejs-private/node-private#855](https://github.com/nodejs-private/node-private/pull/855)
+- \[[`9308084fcb`](https://github.com/nodejs/node/commit/9308084fcb)] - **(CVE-2026-48615)** **lib,test**: redact proxy credentials in tunnel errors (Matteo Collina) [nodejs-private/node-private#867](https://github.com/nodejs-private/node-private/pull/867)
+- \[[`a67dd46891`](https://github.com/nodejs/node/commit/a67dd46891)] - **(CVE-2026-48936)** **permission**: guard pipe open and chmod with net scope (RafaelGSS) [nodejs-private/node-private#885](https://github.com/nodejs-private/node-private/pull/885)
+- \[[`7057c3f16c`](https://github.com/nodejs/node/commit/7057c3f16c)] - **(CVE-2026-48935)** **permission**: disable FileHandle utimes with permission model (RafaelGSS) [nodejs-private/node-private#873](https://github.com/nodejs-private/node-private/pull/873)
+- \[[`6bc17a6b51`](https://github.com/nodejs/node/commit/6bc17a6b51)] - **(CVE-2026-48617)** **permission**: handle process.chdir on writereport (RafaelGSS) [nodejs-private/node-private#870](https://github.com/nodejs-private/node-private/pull/870)
+- \[[`c8668beff8`](https://github.com/nodejs/node/commit/c8668beff8)] - **test**: add session reuse host verification regressions (Matteo Collina) [nodejs-private/node-private#854](https://github.com/nodejs-private/node-private/pull/854)
+- \[[`d1be630415`](https://github.com/nodejs/node/commit/d1be630415)] - **(CVE-2026-48934)** **tls**: bind reusable sessions to authenticated host (Matteo Collina) [nodejs-private/node-private#854](https://github.com/nodejs-private/node-private/pull/854)
+- \[[`a14c158bb3`](https://github.com/nodejs/node/commit/a14c158bb3)] - **(CVE-2026-48928)** **tls**: fix case-sensitive SNI context matching (Matteo Collina) [nodejs-private/node-private#857](https://github.com/nodejs-private/node-private/pull/857)
+- \[[`ebda73470d`](https://github.com/nodejs/node/commit/ebda73470d)] - **(CVE-2026-48618)** **tls**: normalize hostname for server identity checks (Matteo Collina) [nodejs-private/node-private#869](https://github.com/nodejs-private/node-private/pull/869)
+
+Windows 64-bit Installer: https://nodejs.org/dist/v26.3.1/node-v26.3.1-x64.msi \
+Windows ARM 64-bit Installer: https://nodejs.org/dist/v26.3.1/node-v26.3.1-arm64.msi \
+Windows 64-bit Binary: https://nodejs.org/dist/v26.3.1/win-x64/node.exe \
+Windows ARM 64-bit Binary: https://nodejs.org/dist/v26.3.1/win-arm64/node.exe \
+macOS 64-bit Installer: https://nodejs.org/dist/v26.3.1/node-v26.3.1.pkg \
+macOS Apple Silicon 64-bit Binary: https://nodejs.org/dist/v26.3.1/node-v26.3.1-darwin-arm64.tar.gz \
+macOS Intel 64-bit Binary: https://nodejs.org/dist/v26.3.1/node-v26.3.1-darwin-x64.tar.gz \
+Linux 64-bit Binary: https://nodejs.org/dist/v26.3.1/node-v26.3.1-linux-x64.tar.xz \
+Linux PPC LE 64-bit Binary: https://nodejs.org/dist/v26.3.1/node-v26.3.1-linux-ppc64le.tar.xz \
+Linux s390x 64-bit Binary: https://nodejs.org/dist/v26.3.1/node-v26.3.1-linux-s390x.tar.xz \
+AIX 64-bit Binary: https://nodejs.org/dist/v26.3.1/node-v26.3.1-aix-ppc64.tar.gz \
+ARMv8 64-bit Binary: https://nodejs.org/dist/v26.3.1/node-v26.3.1-linux-arm64.tar.xz \
+Source Code: https://nodejs.org/dist/v26.3.1/node-v26.3.1.tar.gz \
+Other release files: https://nodejs.org/dist/v26.3.1/ \
+Documentation: https://nodejs.org/docs/v26.3.1/api/
+
+### SHASUMS
+
+```
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA256
+
+8c0ef7465b17c31d6bfaea84d5b8d62944b543dcd2df42933aa0bff4771ebc5c  node-v26.3.1-aix-ppc64.tar.gz
+bd0c50afcc7140b64b12e24f73f0681d68f84205575893561e6344dc09b71fc7  node-v26.3.1-arm64.msi
+3f624ab0d774553c0d28b968e141d8c676a35a2811fb0b7b356ba9cbdce15f74  node-v26.3.1-darwin-arm64.tar.gz
+49aca22a8c2992c16688baa512a7b00c41a4608e9675fcaa81534767bf1116ce  node-v26.3.1-darwin-arm64.tar.xz
+3ec9e5a28c641c088f3d04ad38721bfdedb2f8aa8c031979fa93df08b5a92e58  node-v26.3.1-darwin-x64.tar.gz
+dac58e340c721332d331a44c9ee2e126b26632c42d3028eb2ceb5c3f218798fa  node-v26.3.1-darwin-x64.tar.xz
+a0fbaa7136174fa7533f6178c2331ffbaad5f25e9fd2e610fc3961b57fd5acae  node-v26.3.1-headers.tar.gz
+e84075cd1296f089ad17bc87d34cea964bad7f1018378656af16d494adf91d1a  node-v26.3.1-headers.tar.xz
+2f0829b201e9db20996ae15bce62138df1e3d317775b005778b05cf7b19714f1  node-v26.3.1-linux-arm64.tar.gz
+c021380e64d1314d1218ab1f31e0f5b0f28f1f54ac779ef72a16c2bda0ca5c30  node-v26.3.1-linux-arm64.tar.xz
+276d72c00b4cfedf3bc45bde6d1bd0a18e8c846ed150a5381c528112fa0ccabd  node-v26.3.1-linux-ppc64le.tar.gz
+ec83deb41569e3896e8c4af4986c76dc0bf4e0eb909643b364d38e8a9f9f9091  node-v26.3.1-linux-ppc64le.tar.xz
+740d35affe20683d244e494e0cc9710a91c1c6039ffdd0ed9f7d110c998bd23c  node-v26.3.1-linux-s390x.tar.gz
+e8aece0730dc3dc808d66f8a8b8a6f87354ac941dfaa3a59a27022b2435abbcd  node-v26.3.1-linux-s390x.tar.xz
+e892cd615e637edebcf22f9653d80fba63167ad6754d20881fd52cc37be81441  node-v26.3.1-linux-x64.tar.gz
+55647180e4ae58ffeaa3294e89aa4abda7c371dfbd64b44cbdb022980177aae0  node-v26.3.1-linux-x64.tar.xz
+40e8d2ad0a4f543c5e283ca0074ce8ea327062d448bf84f3cdfda27e736fbde8  node-v26.3.1-win-arm64.7z
+021eb7de1d5257b24765f292dfcb469ff1528c29d88f48c875befb28114fb0fb  node-v26.3.1-win-arm64.zip
+35c2ce21f7b0ea776b139cecc052641653abc31fb438cb17d096af7a9277d706  node-v26.3.1-win-x64.7z
+45001b289ebffe7b22260898f3750059183d8246042b88e8ffa4337e65e6763e  node-v26.3.1-win-x64.zip
+c07b05c3b9e22e1a408e630285f15201b86eaa32f5d9ca8cf35132c9caac0cf0  node-v26.3.1-x64.msi
+942790eea681d9fa92b7c67343a2fd862b860546ad62f3a8a12f8ca72b784baf  node-v26.3.1.pkg
+d38ec1c76d2651d2c597cffa46c8379b29e42baa5b82b7997981e8301b4b3387  node-v26.3.1.tar.gz
+979b9b8308a8d2d4a27c662ed50448c85f970c0fd4f5ce8b98e8da78c441f2bc  node-v26.3.1.tar.xz
+b8ad851e5ac8cbb784633ec905bd86a282697cc73eb1836c503f02968c7d2c41  win-arm64/node.exe
+bd474f1ca8c44b2ab10e908c14447c5d91e1bac3f3a4d3141c78b6dbb5d1a253  win-arm64/node.lib
+4ae86b1181dea3cf5a39c17600eec672df3b4d728643be91e3f6b3f8b9da6138  win-arm64/node_pdb.7z
+8a256841ab4992714d817f8f15722f1db25520555823b4a9a6a6c75f86d44f17  win-arm64/node_pdb.zip
+2e5b4362a7ea3478cb408a07189c19c16e487f188ac96db2e9e0f45ad8e21837  win-x64/node.exe
+2f71186cc7649a7406b1616566700e397e9dd52bd7267440d78d78a1725bd312  win-x64/node.lib
+e56e13c1a622751a9024b3d6e2c8806e992cd7f502bc3b22f47d7a471cdaee20  win-x64/node_pdb.7z
+9dd4250f30eaf002777b719af182917c16ebb174b72a15575b5e81a93c1c989b  win-x64/node_pdb.zip
+
+-----BEGIN PGP SIGNATURE-----
+
+iHUEARYIAB0WIQRb6KP2yKXAHRBsCtggsaOQsWjTVgUCajN11AAKCRAgsaOQsWjT
+VgK3AQCiaZF1iVzuLrCodtoLumgZJqaNBJFuc+DheHSVx91waQEAoowJe+hn+Kx1
+QRMAE1Eeb+Y8eH6UYaDP6ACMbGUiGwM=
+=UJVW
+-----END PGP SIGNATURE-----
+```