Create a new pull request by comparing changes across two branches #1050
Merged
GulajavaMinistudio merged 25 commits into javascript-indonesias:master from Jan 14, 2026
PR-URL: #61135 Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: Rafael Gonzaga <[email protected]> Reviewed-By: Michaël Zasso <[email protected]> Reviewed-By: Gürgün Dayıoğlu <[email protected]>
PR-URL: #61321 Reviewed-By: Aviv Keller <[email protected]> Reviewed-By: Colin Ihrig <[email protected]>
PR-URL: #61315 Reviewed-By: Matthew Aitken <[email protected]> Reviewed-By: Matteo Collina <[email protected]>
PR-URL: #61315 Reviewed-By: Matthew Aitken <[email protected]> Reviewed-By: Matteo Collina <[email protected]>
PR-URL: #61325 Reviewed-By: Michaël Zasso <[email protected]> Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: Chengzhong Wu <[email protected]> Reviewed-By: Aviv Keller <[email protected]> Reviewed-By: Luigi Pinca <[email protected]>
PR-URL: #61329 Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Yagiz Nizipli <[email protected]> Reviewed-By: Aviv Keller <[email protected]> Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: Luigi Pinca <[email protected]>
PR-URL: #60523 Reviewed-By: Michaël Zasso <[email protected]> Reviewed-By: Steven R Loomis <[email protected]>
PR-URL: #61294 Reviewed-By: Yagiz Nizipli <[email protected]> Reviewed-By: Antoine du Hamel <[email protected]> Reviewed-By: Aviv Keller <[email protected]> Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: Chengzhong Wu <[email protected]> Reviewed-By: Luigi Pinca <[email protected]>
PR-URL: #61331 Reviewed-By: Aviv Keller <[email protected]> Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: Luigi Pinca <[email protected]>
PR-URL: #61340 Reviewed-By: Antoine du Hamel <[email protected]> Reviewed-By: Aviv Keller <[email protected]> Reviewed-By: Colin Ihrig <[email protected]>
PR-URL: #61341 Reviewed-By: Yagiz Nizipli <[email protected]> Reviewed-By: Aviv Keller <[email protected]> Reviewed-By: Colin Ihrig <[email protected]>
This is a security release.

Notable changes:

lib:
* (CVE-2025-55132) disable futimes when permission model is enabled (RafaelGSS) nodejs-private/node-private#802
* (CVE-2025-59465) add TLSSocket default error handler (RafaelGSS) nodejs-private/node-private#797

lib,permission:
* (CVE-2025-55130) require full read and write to symlink APIs (RafaelGSS) nodejs-private/node-private#760

src:
* (CVE-2025-59466) rethrow stack overflow exceptions in async_hooks (Matteo Collina) nodejs-private/node-private#773

src,lib:
* (CVE-2025-55131) refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) nodejs-private/node-private#799

tls:
* (CVE-2026-21637) route callback exceptions through error handlers (Matteo Collina) nodejs-private/node-private#796

PR-URL: nodejs-private/node-private#804

This is a security release.

Notable changes:

lib:
* (CVE-2025-59465) add TLSSocket default error handler
* (CVE-2025-55132) disable futimes when permission model is enabled

lib,permission:
* (CVE-2025-55130) require full read and write to symlink APIs

src:
* (CVE-2025-59466) rethrow stack overflow exceptions in async_hooks

src,lib:
* (CVE-2025-55131) refactor unsafe buffer creation to remove zero-fill toggle

tls:
* (CVE-2026-21637) route callback exceptions through error handlers

PR-URL: nodejs-private/node-private#801

This is a security release.

Notable changes:

lib:
* (CVE-2025-59465) add TLSSocket default error handler (RafaelGSS) <nodejs-private/node-private#797>
* (CVE-2025-55132) disable futimes when permission model is enabled (RafaelGSS) <nodejs-private/node-private#748>

lib,permission:
* (CVE-2025-55130) require full read and write to symlink APIs (RafaelGSS) <nodejs-private/node-private#760>

src:
* (CVE-2025-59466) rethrow stack overflow exceptions in async_hooks (Matteo Collina) <nodejs-private/node-private#773>

src,lib:
* (CVE-2025-55131) refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) <nodejs-private/node-private#759>

tls:
* (CVE-2026-21637) route callback exceptions through error handlers (Matteo Collina) <nodejs-private/node-private#796>

PR-URL: nodejs-private/node-private#800

This is a security release.

Notable changes:

lib:
* (CVE-2025-59465) add TLSSocket default error handler (RafaelGSS) nodejs-private/node-private#750

permission:
* (CVE-2026-21636) add network check on pipe_wrap connect (RafaelGSS) nodejs-private/node-private#784
* (CVE-2025-55130) require full read and write to symlink APIs (RafaelGSS) nodejs-private/node-private#760
* (CVE-2025-55132) disable futimes when permission model is enabled (RafaelGSS) nodejs-private/node-private#748

src:
* (CVE-2025-59466) rethrow stack overflow exceptions in async_hooks (Matteo Collina) nodejs-private/node-private#773

src,lib:
* (CVE-2025-55131) refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) nodejs-private/node-private#759

tls:
* (CVE-2026-21637) route callback exceptions through error handlers (Matteo Collina) nodejs-private/node-private#790

PR-URL: nodejs-private/node-private#793
Refs: https://hackerone.com/reports/3390084
PR-URL: nodejs-private/node-private#748
Reviewed-By: Matteo Collina <[email protected]>
Reviewed-By: Anna Henningsen <[email protected]>
CVE-ID: CVE-2025-55132
This prevents the server from crashing due to an unhandled rejection
when a TLSSocket connection is abruptly destroyed during initialization
and the user has not attached an error handler to the socket.
e.g.:
```js
const http2 = require('node:http2')

const server = http2.createSecureServer({ /* ... */ })
// Error handler the user attaches to each TLSSocket
server.on('secureConnection', socket => {
  socket.on('error', err => {
    console.log(err)
  })
})
```
PR-URL: nodejs-private/node-private#750
Fixes: #44751
Refs: https://hackerone.com/bugs?subject=nodejs&report_id=3262404
Reviewed-By: Matteo Collina <[email protected]>
Reviewed-By: Anna Henningsen <[email protected]>
CVE-ID: CVE-2025-59465
Refs: https://hackerone.com/reports/3417819
Signed-off-by: RafaelGSS <[email protected]>
PR-URL: nodejs-private/node-private#760
Reviewed-By: Matteo Collina <[email protected]>
CVE-ID: CVE-2025-55130
When a stack overflow exception occurs during async_hooks callbacks (which use TryCatchScope::kFatal), detect the specific "Maximum call stack size exceeded" RangeError and re-throw it instead of immediately calling FatalException. This allows user code to catch the exception with try-catch blocks instead of requiring uncaughtException handlers.

The implementation adds IsStackOverflowError() helper to detect stack overflow RangeErrors and re-throws them in TryCatchScope destructor instead of calling FatalException.

This fixes the issue where async_hooks would cause stack overflow exceptions to exit with code 7 (kExceptionInFatalExceptionHandler) instead of being catchable.

Fixes: #37989
Ref: https://hackerone.com/reports/3456295
PR-URL: nodejs-private/node-private#773
Refs: https://hackerone.com/reports/3456295
Reviewed-By: Robert Nagy <[email protected]>
Reviewed-By: Paolo Insogna <[email protected]>
Reviewed-By: Marco Ippolito <[email protected]>
Reviewed-By: Rafael Gonzaga <[email protected]>
Reviewed-By: Anna Henningsen <[email protected]>
CVE-ID: CVE-2025-59466
Refs: https://hackerone.com/reports/3465156
PR-URL: nodejs-private/node-private#784
Reviewed-By: Anna Henningsen <[email protected]>
Reviewed-By: Marco Ippolito <[email protected]>
CVE-ID: CVE-2026-21636
Wrap pskCallback and ALPNCallback invocations in try-catch blocks to route exceptions through owner.destroy() instead of letting them become uncaught exceptions. This prevents remote attackers from crashing TLS servers or causing resource exhaustion.

Fixes: https://hackerone.com/reports/3473882
PR-URL: nodejs-private/node-private#782
PR-URL: nodejs-private/node-private#790
CVE-ID: CVE-2026-21637
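
The containment pattern described in the commit message above, as an added example that is not Node.js's internal tls code and not part of this pull request. `ConnectionModel`, `selectAlpn` and `serve` are hypothetical stand-ins, and the client hellos are constructed sample input.

```javascript
// Added illustration, not Node.js's internal tls code. ConnectionModel,
// selectAlpn and serve are hypothetical names; the client hellos are constructed.
class ConnectionModel {
  constructor(id) { this.id = id; this.alpn = null; this.destroyed = false; this.error = null; }
  // Stand-in for TLSSocket#destroy(err): tears down this connection only.
  destroy(err) { this.destroyed = true; this.error = err; }
}

// User-supplied ALPN selector with a latent bug: it assumes every client
// offers "h2" and throws a TypeError when find() returns undefined.
function selectAlpn({ protocols }) {
  return protocols.find((p) => p === 'h2').toLowerCase();
}

// Before: the callback's exception escapes the handshake path.
function invokeUnguarded(owner, callback, hello) {
  owner.alpn = callback(hello);
}

// After: catch it and route it to owner.destroy(), as the commit describes.
function invokeGuarded(owner, callback, hello) {
  try {
    owner.alpn = callback(hello);
  } catch (err) {
    owner.destroy(err);
  }
}

// Run a batch of handshakes. An escaping exception aborts the whole batch,
// which models the process dying on an uncaught exception.
function serve(hellos, invoke) {
  const conns = hellos.map((_, i) => new ConnectionModel(i));
  let crashed = false;
  try {
    hellos.forEach((hello, i) => invoke(conns[i], selectAlpn, hello));
  } catch {
    crashed = true;
  }
  return { crashed, conns };
}
const hellos = [ // constructed sample input
  { servername: 'a.example', protocols: ['h2', 'http/1.1'] },
  { servername: 'b.example', protocols: ['http/1.1'] }, // triggers the bug
  { servername: 'c.example', protocols: ['h2'] },
];
const before = serve(hellos, invokeUnguarded);
const after = serve(hellos, invokeGuarded);
console.log('before:', before.crashed, before.conns.map((c) => c.alpn));
console.log('after: ', after.crashed, after.conns.map((c) => [c.alpn, c.destroyed]));
```

In the unguarded run the third handshake is never processed; in the guarded run only the second connection is destroyed and the other two negotiate `h2`.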
This removes the zero-fill toggle mechanism that allowed JavaScript to control ArrayBuffer initialization via shared memory. Instead, unsafe buffer creation now uses a dedicated C++ API.

Refs: https://hackerone.com/reports/3405778
Co-Authored-By: Rafael Gonzaga <[email protected]>
Signed-off-by: RafaelGSS <[email protected]>
PR-URL: nodejs-private/node-private#759
Reviewed-By: Matteo Collina <[email protected]>
CVE-ID: CVE-2025-55131
PR-URL: #61307 Reviewed-By: Matteo Collina <[email protected]> Reviewed-By: Stephen Belanger <[email protected]> Reviewed-By: Gerhard Stöbich <[email protected]> Reviewed-By: Anna Henningsen <[email protected]> Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Rafael Gonzaga <[email protected]>
PR-URL: #61345 Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Matteo Collina <[email protected]> Reviewed-By: Rafael Gonzaga <[email protected]> Reviewed-By: Ulises Gascón <[email protected]>
PR-URL: #61348 Reviewed-By: Michaël Zasso <[email protected]> Reviewed-By: Ulises Gascón <[email protected]> Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: Rafael Gonzaga <[email protected]>
a549cc0 into javascript-indonesias:master
26 of 27 checks passed
Codecov Report

✅ All modified and coverable lines are covered by tests.

Additional details and impacted files

```diff
@@            Coverage Diff            @@
##           master    #1050     +/-   ##
=========================================
  Coverage   88.53%   88.53%
=========================================
  Files         704      704
  Lines      208739   208776     +37
  Branches    40277    40306     +29
=========================================
+ Hits       184804   184844     +40
+ Misses      15941    15923     -18
- Partials     7994     8009     +15
```
No description provided.