Friday October 13 2023 Security Releases

By Rafael Gonzaga, 12 oct. 2023

Summary

The Node.js project will release new versions of the 18.x and 20.x releases lines on or shortly after, Friday October 13 2023 in order to address:

2 high severity issues.
1 medium severity issue.
1 low severity issue.
undici October security updates
nghttp2 October security updates

Impact

All the active release lines are affected by undici and nghttp2 security patches, which are rated as high severity issues.

In addition, the 20.x release line of Node.js is vulnerable to 2 high severity issues, 1 medium severity issue, and 1 low severity issue.

In addition, the 18.x release line of Node.js is vulnerable to 1 medium severity issue, and 1 low severity issue.

Release timing

Releases will be available on, or shortly after, Friday October 13 2023.

Contact and future updates

The current Node.js security policy can be found at https://nodejs.org/en/security/. Please follow the process outlined in https://github.com/nodejs/node/blob/main/SECURITY.md if you wish to report a vulnerability in Node.js.

Subscribe to the low-volume announcement-only nodejs-sec mailing list at https://groups.google.com/forum/#!forum/nodejs-sec to stay up to date on security vulnerabilities and security-related releases of Node.js and the projects maintained in the nodejs GitHub organization.