Node.js v18.16.1 (LTS) Security Release
Node.js has released version v18.16.1 (LTS), which includes several security fixes. The release addresses five CVEs, one rated "High" and the other four "Medium": a bypass of the experimental policy mechanism; privilege escalation via malicious registry key manipulation; process interruption due to invalid public key information; HTTP request smuggling via empty headers; and DiffieHellman not generating keys after setting a private key.
In addition to the CVE fixes, the release includes updates to OpenSSL and c-ares. OpenSSL has released several security advisories in March, April, and May. The Node.js release includes updates to OpenSSL sources to quictls/openssl-3.0.9-quic1 and updates to archs files for OpenSSL. The release also includes updates to c-ares to version 1.19.1, which includes fixes for four vulnerabilities.
Developers using Node.js are encouraged to update to v18.16.1 as soon as possible to ensure their applications are not vulnerable to the security issues addressed in this release.
Here are the notable changes in Node.js v18.16.1:
- Fixes for five CVEs, including a "High" severity bypass of the experimental policy mechanism.
- Updates to OpenSSL sources to quictls/openssl-3.0.9-quic1 and updates to archs files for OpenSSL.
- Updates to c-ares to version 1.19.1, which includes fixes for four vulnerabilities.
Developers can update to the latest version of Node.js by running the following command:
npm install -g n
n latest
It is important for developers to keep their dependencies up to date to ensure their applications remain secure. Node.js provides a reliable and secure platform for building server-side applications, and updates like this ensure that it remains a top choice for developers.