Node.js - v18.17.1
Security
This is a security release.
Notable Changes
The following CVEs are fixed in this release:
- CVE-2023-32002: Policies can be bypassed via Module._load (High)
- CVE-2023-32006: Policies can be bypassed by module.constructor.createRequire (Medium)
- CVE-2023-32559: Policies can be bypassed via process.binding (Medium)
- OpenSSL Security Releases
- OpenSSL security advisory 14th July.
- OpenSSL security advisory 19th July.
- OpenSSL security advisory 31st July
More detailed information on each of the vulnerabilities can be found in August 2023 Security Releases blog post.
Commits
- [
fe3abdf82e
] - deps: update archs files for openssl-3.0.10+quic1 (Node.js GitHub Bot) #49036 - [
2c5a522d9c
] - deps: upgrade openssl sources to quictls/openssl-3.0.10+quic1 (Node.js GitHub Bot) #49036 - [
15bced0bde
] - policy: handle Module.constructor and main.extensions bypass (RafaelGSS) nodejs-private/node-private#417 - [
d4570fae35
] - policy: disable process.binding() when enabled (Tobias NieΓen) nodejs-private/node-private#460
Security
Details
date
Aug. 9, 2023, 5:58 p.m.
name
2023-08-09, Version 18.17.1 'Hydrogen' (LTS), @RafaelGSS
type
Patch
official page
π
Register or login to:
- πView and search all Node.js releases.
- π οΈCreate and share lists to track your tools.
- π¨Setup notifications for major, security, feature or patch updates.
- πMuch more coming soon!