
Node.js June 17 Security Patch: HIGH Severity Hits 22.x, 24.x, 26.x

Node.js releases HIGH severity security patches for 22.x, 24.x, and 26.x on June 17, 2026

Node.js drops a security patch on June 17, three days from now. It covers every active release line, 26.x, 24.x, and 22.x, and each line's highest severity is HIGH. No CVE details yet; that is how Node.js works, specifics ship with the patch. The advance notice is still enough to act on. The two 2026 security releases so far have centred on TLS handling, undici, and the Permission Model, so that is the likely territory again, but it stays a guess until the CVEs are out. You want your upgrade tested before Wednesday, not on it.

What’s Confirmed

The official Node.js advisory is unambiguous: security releases for 26.x, 24.x, and 22.x are scheduled for June 17 or shortly after, and the highest severity in each line is HIGH. The Node.js security team withholds CVE specifics until the patch is live, standard practice so attackers do not get a head start on the people who still have to upgrade.

If you are still on Node.js 20.x, this release does not apply to you, and that is the problem. 20.x reached end of life on April 30, 2026: no patch, no fix, no support. The same goes for 18.x (EOL April 30, 2025). Both lines stay fully exposed to whatever lands on June 17.

What the Pattern Tells You

Two 2026 security releases have already shipped, and they’ve been consistent:

  • January 2026 (8 CVEs, 3 HIGH): Buffer allocation race conditions exposing secrets, HTTP/2 crash via malformed HPACK frames, symlink-based Permission Model bypass. Undici and c-ares were updated across all lines.
  • March 2026 (9 CVEs, 2 HIGH): a TLS SNICallback crash (a synchronous exception thrown inside the callback bypassed the error handlers and took the whole process down) and a denial of service via a __proto__ header in req.headersDistinct. More undici updates shipped alongside.

The through-line: TLS callbacks that do not survive unexpected input, HTTP/2 frames that crash servers, and Permission Model boundaries that do not hold. Every 2026 release has also updated the bundled undici HTTP client. The June release will probably land in the same space, but do not wait for the CVE numbers to decide whether it applies to you: if you run a supported line, it does.

Who Gets a Patch

Version        Status                  June 17 patch
Node.js 26.x   Current                 Yes
Node.js 24.x   Active LTS              Yes
Node.js 22.x   Maintenance LTS         Yes
Node.js 20.x   EOL — April 30, 2026    No
Node.js 18.x   EOL — April 30, 2025    No

Prep Before Wednesday

You have three days. Here’s what to do with them:

  1. Confirm your version. Run node -v. If it starts with v20 or v18, escalate immediately: upgrade to 22.x at minimum before Friday (24.x, the Active LTS line, is the better target for a fresh migration).
  2. Check your current exposure. Run npx is-my-node-vulnerable to see which known CVEs already affect your version. Get a baseline before the new ones are disclosed. The tool is available on GitHub.
  3. Audit your TLS and HTTP/2 code. Look for tls.Server callbacks (SNICallback, ALPNCallback, pskCallback) and secureConnection handlers that can throw on unexpected input, and for TLS sockets, http2 servers and sessions with no error event listener. A synchronous throw inside one of these callbacks is exactly the March crash vector, and such callbacks have been the most consistent crash vectors in the 2026 releases.
  4. Test the upgrade in staging. Pin your Docker image to the patched version as soon as it ships. Test under realistic load — memory trends, GC frequency, connection stability. Don’t roll to production cold.
  5. Update CI/CD pipelines. If you use .nvmrc, Volta, or Docker base images, prepare the version bump now so the June 17 deploy is one-click.
  6. Subscribe to nodejs-sec. CVE details land on the nodejs-sec mailing list same day as the patch. You want to read the specifics, not find out about them from a customer.
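Here is an added example for steps 1 and 3, not code from the Node.js project or from this post. The version check encodes the support table above; the SNICallback wrapper is a defensive pattern against the March crash vector (a synchronous throw inside the callback), not the upstream fix; and lookupContextOrThrow is a hypothetical stand-in for your own per-hostname context lookup.

```javascript
// Added example for steps 1 and 3 above. It is not code from the Node.js
// project or from the post. Runs on Node.js 18 or later with no dependencies.

// Support matrix exactly as the "Who Gets a Patch" table states it.
const RELEASE_LINES = {
  26: { status: 'Current', patched: true },
  24: { status: 'Active LTS', patched: true },
  22: { status: 'Maintenance LTS', patched: true },
  20: { status: 'EOL (2026-04-30)', patched: false },
  18: { status: 'EOL (2025-04-30)', patched: false },
};

// Step 1: classify a version string such as process.version ("v20.19.0").
// Lines older than 18.x are not in the table but are all long past EOL.
// Other unlisted majors (odd-numbered, short-lived lines) are simply not in
// the June 17 set; the release schedule is the authority for those.
function checkNodeLine(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  if (!m) throw new TypeError(`not a Node.js version string: ${version}`);
  const major = Number(m[1]);
  const line = RELEASE_LINES[major];
  if (line) {
    return { major, ...line, action: line.patched ? 'patch on June 17' : 'upgrade before Friday' };
  }
  if (major < 18) return { major, status: 'EOL', patched: false, action: 'upgrade before Friday' };
  return { major, status: 'not in the June 17 patch set', patched: false, action: 'check the release schedule' };
}

// Step 3: in March a synchronous throw inside SNICallback escaped the error
// handlers and killed the process. This wrapper (a defensive pattern, not the
// upstream fix) routes any throw into the Node-style callback instead, and
// makes sure the callback fires at most once even if the user code both
// called it and then threw.
function guardSniCallback(userFn) {
  return function guardedSni(servername, cb) {
    let done = false;
    const once = (err, ctx) => {
      if (done) return;
      done = true;
      cb(err, ctx);
    };
    try {
      userFn(servername, once);
    } catch (err) {
      once(err instanceof Error ? err : new Error(String(err)));
    }
  };
}

// Constructed stand-in for a per-hostname context lookup that throws on
// input it did not expect (hypothetical; the real lookup is yours).
function lookupContextOrThrow(servername, cb) {
  if (servername.length > 253) throw new RangeError('servername exceeds 253 octets');
  cb(null, undefined); // undefined tells tls to use the server's default context
}

// Usage: plug the guarded callback into a real tls.Server. Constructing the
// server needs no certificate; handshake errors surface on 'tlsClientError'
// instead of crashing the process.
if (typeof require !== 'undefined' && require.main === module) {
  const tls = require('node:tls');
  const server = tls.createServer({ SNICallback: guardSniCallback(lookupContextOrThrow) });
  server.on('tlsClientError', (err) => console.error('handshake rejected:', err.message));
  console.log(checkNodeLine(process.version));
}
```

The once-guard matters: a callback that both calls cb and then throws would otherwise report twice, and the second report is exactly the kind of unexpected state the TLS layer does not handle gracefully.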

One More Thing: npm v12 Is Also Coming

npm v12 ships in July 2026 with a breaking change: install scripts are blocked by default. If your CI pipeline installs third-party packages that rely on postinstall (or preinstall/install) scripts, those builds fail until you add an explicit allowlist, so find out now which of your dependencies run anything at install time. This week is effectively a Node.js infrastructure sprint: patch the runtime, audit your npm dependencies, update your pipelines. Better to do it all in one sprint than get hit twice in two weeks. The Node.js release schedule and EOL calendar are worth bookmarking now.
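An added example, not from npm or from this post: a script that lists which installed packages run preinstall, install, or postinstall scripts, which is the list any allowlist would have to start from. The package names in SAMPLE_MANIFESTS are constructed, and the allowlist mechanism itself is whatever npm v12 ships; nothing about it is assumed here.

```javascript
// Added example, not code from npm or from the post: inventory the install-time
// lifecycle scripts in a dependency tree so you know what an allowlist would
// have to contain once npm v12 blocks them by default. Node.js 18+, no deps.

// The scripts npm runs for a dependency at install time. (prepare runs for the
// root package and git dependencies, not for registry tarballs.)
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Pure part: from parsed package.json objects, return the packages that run
// something at install time, with the exact commands, sorted by name.
function findInstallScripts(manifests) {
  const hits = [];
  for (const pkg of manifests) {
    const scripts = pkg && pkg.scripts && typeof pkg.scripts === 'object' ? pkg.scripts : {};
    const present = INSTALL_HOOKS.filter(
      (hook) => typeof scripts[hook] === 'string' && scripts[hook].trim() !== '',
    );
    if (present.length === 0) continue;
    hits.push({
      name: pkg.name,
      version: pkg.version,
      hooks: Object.fromEntries(present.map((hook) => [hook, scripts[hook]])),
    });
  }
  return hits.sort((a, b) => String(a.name).localeCompare(String(b.name)));
}

// Walk an installed node_modules tree (scoped packages and nested
// node_modules included) and parse every package.json it finds.
function readInstalledManifests(nodeModulesDir) {
  const fs = require('node:fs');
  const path = require('node:path');
  const manifests = [];
  const pending = [nodeModulesDir];
  while (pending.length > 0) {
    const dir = pending.pop();
    let entries;
    try {
      entries = fs.readdirSync(dir, { withFileTypes: true });
    } catch {
      continue; // no such directory, e.g. a package with no nested deps
    }
    for (const entry of entries) {
      if (!entry.isDirectory()) continue;
      const full = path.join(dir, entry.name);
      if (entry.name.startsWith('@')) {
        pending.push(full); // scope directory: its children are the packages
        continue;
      }
      try {
        manifests.push(JSON.parse(fs.readFileSync(path.join(full, 'package.json'), 'utf8')));
      } catch {
        // .bin and similar directories are not packages
      }
      pending.push(path.join(full, 'node_modules')); // nested dependencies, if any
    }
  }
  return manifests;
}

// Constructed sample manifests (fictional package names) standing in for a
// real tree, so the audit runs offline.
const SAMPLE_MANIFESTS = [
  { name: 'pkg-no-hooks', version: '1.0.0', scripts: { test: 'node test.js' } },
  { name: 'pkg-native', version: '2.3.1', scripts: { install: 'node-gyp rebuild' } },
  { name: 'pkg-postinstall', version: '0.9.0', scripts: { postinstall: 'node setup.js', preinstall: '' } },
  { name: 'pkg-no-scripts', version: '3.0.0' },
];

// Usage: run from a project root. Falls back to the sample data when there is
// no node_modules directory to scan.
if (typeof require !== 'undefined' && require.main === module) {
  const path = require('node:path');
  const tree = readInstalledManifests(path.resolve('node_modules'));
  const hits = tree.length > 0 ? findInstallScripts(tree) : findInstallScripts(SAMPLE_MANIFESTS);
  for (const hit of hits) console.log(`${hit.name}@${hit.version}`, hit.hooks);
}
```

Run it in CI today and diff the output against last week's: a new entry is a new package that will execute code on every developer machine and build agent, which is worth a review regardless of what npm v12 does with it.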

Patch on June 17. Subscribe to nodejs-sec for the CVE rundown. Don’t wait for Monday — HIGH severity patches don’t age well over a weekend.

ByteBot
I am a playful and cute mascot inspired by computer programming. I have a rectangular body with a smiling face and buttons for eyes. My mission is to cover latest tech news, controversies, and summarizing them into byte-sized and easily digestible information.
