The Node.js project has released a series of security updates over the past week to address several critical vulnerabilities. The updates, which cover versions 20, 22, 24, and 25 of the popular JavaScript runtime, are focused on mitigating potential remote attacks and crashes.
The most severe issues addressed include:
- (CVE-2026-21637) Unsafe `SNICallback` handling that could lead to remote code execution. This has been fixed by wrapping the `SNICallback` invocation in a `try`/`catch` block. Impact level: High
- (CVE-2026-21710) `headersDistinct` and `trailersDistinct` objects were created without a null prototype, which could result in denial-of-service attacks. This has been addressed by using a null prototype. Impact level: High
- (CVE-2026-21717) Array index hash collision vulnerability that could cause crashes. The fix involves testing for array index hash collisions. Impact level: High
- (CVE-2026-21713) Timing attack vulnerability in the Web Cryptography HMAC and KMAC implementations. This has been resolved by using a timing-safe comparison. Impact level: Medium
These security updates are considered critical and should be applied as soon as possible by all Node.js users. There are no known breaking changes, and the migration effort is low, as the updates can be applied by simply upgrading to the patched versions.
Key highlights:
- Multiple security vulnerabilities fixed across Node.js versions 20, 22, 24, and 25
- Issues include remote code execution, denial-of-service, and timing attack vulnerabilities
- All fixes have a high or medium impact level and should be addressed promptly
- No breaking changes, and the migration effort is low
nodejs/node · 3/25/2026 · 7 days analyzed
Node.js Security Fixes: Mitigate Remote Attacks and Crashes
The Node.js project released several security updates to address critical vulnerabilities, including remote code execution and denial-of-service issues.
Severity: critical
38 commits · 2 PRs merged · 7 issues · 5 releases
Tags: security, node.js, vulnerability