Node.js - v20.8.1
Security
This is a security release.
Notable Changes
The following CVEs are fixed in this release:
- CVE-2023-44487: nghttp2 Security Release (High)
- CVE-2023-45143: undici Security Release (High)
- CVE-2023-39332: Path traversal through path stored in Uint8Array (High)
- CVE-2023-39331: Permission model improperly protects against path traversal (High)
- CVE-2023-38552: Integrity checks according to policies can be circumvented (Medium)
- CVE-2023-39333: Code injection via WebAssembly export names (Low)
More detailed information on each of the vulnerabilities can be found in the October 2023 Security Releases blog post.
Commits
- [c86883e844] - deps: update nghttp2 to 1.57.0 (James M Snell) #50121
- [2860631359] - deps: update undici to v5.26.3 (Matteo Collina) #50153
- [cd37838bf8] - lib: let deps require node prefixed modules (Matthew Aitken) #50047
- [f5c90b2951] - module: fix code injection through export names (Tobias Nießen) nodejs-private/node-private#461
- [fa5dae1944] - permission: fix Uint8Array path traversal (Tobias Nießen) nodejs-private/node-private#456
- [cd35275111] - permission: improve path traversal protection (Tobias Nießen) nodejs-private/node-private#456
- [a4cb7fc7c0] - policy: use tamper-proof integrity check function (Tobias Nießen) nodejs-private/node-private#462
Details
- date: Oct. 13, 2023, 9:09 p.m.
- name: 2023-10-13, Version 20.8.1 (Current), @RafaelGSS
- type: Patch