[Security] Node.js Security Releases: Updates for versions 20, 22, 24, and 25 address 3 High Severity vulnerabilities
The Node.js project released security updates on January 13, 2026 covering every active release line. If you run Node.js in production, schedule the upgrade to the patched versions listed below as soon as possible: three of the fixed issues are rated high severity, and one of them lets a remote client crash the process.
New Versions to Upgrade To:
v20.20.0 (LTS)
v22.22.0 (LTS)
v24.13.0 (LTS)
v25.3.0 (Current)
High Severity Vulnerabilities Addressed:
CVE-2025-55131 (uninitialized memory disclosure in Buffer.alloc): Buffer.alloc is supposed to return zero-filled memory, but a race condition can cause it to hand back memory that was never cleared. This is not a memory leak in the resource sense but a memory disclosure: the stale contents can include in-process secrets such as tokens, passwords or key material. It matters most to applications that use the vm module with timeouts, which is the condition under which the race can be triggered.
CVE-2025-55130 (permission model bypass via symlinks): with the permission model enabled, crafted symlinks let an attacker bypass the --allow-fs-read and --allow-fs-write restrictions and read or write files outside the permitted directories. Only processes started with the permission model are affected, but for those it undermines the guarantee the feature exists to provide, so an allow-listed directory that untrusted code can create links in should not be relied on until the process is patched.
CVE-2025-59465 (HTTP/2 denial of service): a malformed HTTP/2 HEADERS frame triggers an error that nothing handles, so the whole Node.js process exits rather than just the offending session. Any server built on the http2 module that accepts connections from untrusted clients is exposed; a single crafted frame is enough to take the service down, and a supervisor that restarts the process only turns the crash into a restart loop while the attacker keeps sending frames.
In total, the new 25.x, 24.x, 22.x and 20.x releases address three high severity issues, one medium severity issue and one low severity issue, alongside dependency updates. The fixes cover buffer allocation, the permission model, HTTP/2 server stability and TLS error handling. Upgrade to the versions listed above to close all of them at once.