|
| 1 | +# Update March 2026 |
| 2 | + |
| 3 | +This report summarizes the accomplishments made during March 2026 within the OpenJS Ecosystem and Node.js project, spanning major security releases, critical policy changes, release schedule evolution, and community engagement initiatives. |
| 4 | + |
| 5 | +## Node.js |
| 6 | + |
| 7 | +### March 2026 Security Releases |
| 8 | + |
| 9 | +On **Tuesday, March 24, 2026**, the Node.js project published comprehensive security updates across all active release lines (v20.x, v22.x, v24.x, and v25.x), addressing **9 CVEs** ranging from High to Low severity. This release represents one of the most significant security updates in recent Node.js history, addressing critical vulnerabilities in TLS handling, HTTP processing, Permission Model enforcement, and V8 internals. |
| 10 | + |
| 11 | +**Release versions:** |
| 12 | +- Node.js v20.20.2 |
| 13 | +- Node.js v22.22.2 |
| 14 | +- Node.js v24.14.1 |
| 15 | +- Node.js v25.8.2 |
| 16 | + |
| 17 | +**Dependency updates:** |
| 18 | +- undici (6.24.1, 7.24.4) on 22.x, 24.x, 25.x |
| 19 | + |
| 20 | +Work reference: https://nodejs.org/en/blog/vulnerability/march-2026-security-releases |
| 21 | + |
| 22 | +#### High-Severity Vulnerabilities (2 CVEs) |
| 23 | + |
| 24 | +**CVE-2026-21637: Incomplete fix for TLS SNICallback DoS (High)** |
| 25 | + |
| 26 | +A flaw in Node.js TLS error handling allows attackers to crash servers by sending malformed server names. This represents an incomplete fix of a prior vulnerability where similar issues in other TLS callbacks were already addressed. |
| 27 | + |
| 28 | +**CVE-2026-21710: Denial of Service via `__proto__` header (High)** |
| 29 | + |
| 30 | +A flaw in Node.js HTTP request handling allows attackers to crash servers by sending a specially crafted HTTP header named `__proto__`. When applications access certain header properties, the server crashes with an unhandled error. |
| 31 | + |
| 32 | +#### Medium-Severity Vulnerabilities (5 CVEs) |
| 33 | + |
| 34 | +**CVE-2026-21711: Permission Model bypass for Unix Domain Sockets (Medium)** |
| 35 | + |
| 36 | +A flaw in the Node.js Permission Model allows applications to create local network connections even when network access is restricted. Unix Domain Sockets were not properly covered by the network permission checks. |
| 37 | + |
| 38 | +**CVE-2026-21712: URL processing crash with malformed domain names (Medium)** |
| 39 | + |
| 40 | +A flaw in Node.js URL processing causes crashes when handling malformed internationalized domain names with invalid characters. |
| 41 | + |
| 42 | +**CVE-2026-21713: Timing attack in HMAC verification (Medium)** |
| 43 | + |
| 44 | +A flaw in Node.js HMAC verification allows attackers to potentially guess valid signatures by measuring how long verification takes. The comparison method leaks timing information that could be exploited. |
| 45 | + |
| 46 | +**CVE-2026-21714: Memory leak in HTTP/2 servers (Medium)** |
| 47 | + |
| 48 | +A memory leak occurs in Node.js HTTP/2 servers when clients send malformed flow control messages. The server handles the error correctly but fails to clean up allocated memory. |
| 49 | + |
| 50 | +**CVE-2026-21717: Hash collision attack in V8 (Medium)** |
| 51 | + |
| 52 | +A flaw in V8's string handling allows attackers to cause severe performance degradation by sending specially crafted data that triggers hash collisions. This is particularly easy to exploit with JSON data containing numeric strings. |
| 53 | + |
| 54 | +#### Low-Severity Vulnerabilities (2 CVEs) |
| 55 | + |
| 56 | +**CVE-2026-21715: Permission Model bypass for file path resolution (Low)** |
| 57 | + |
| 58 | +A flaw in the Node.js Permission Model allows applications to check if files exist and resolve file paths even when filesystem read access is restricted. One specific filesystem function was missing permission checks. |
| 59 | + |
| 60 | +**CVE-2026-21716: Incomplete fix for file permission bypass (Low)** |
| 61 | + |
| 62 | +An incomplete fix for a previous vulnerability allows applications to modify file permissions and ownership when using promise-based file operations, even when write access is restricted. The callback-based versions were fixed, but the promise versions were missed. |
| 63 | + |
| 64 | +#### Security Release Impact Analysis |
| 65 | + |
| 66 | +This security release demonstrates several important trends: |
| 67 | + |
| 68 | +1. **Permission Model Maturation**: Three CVEs (CVE-2026-21711, CVE-2026-21715, CVE-2026-21716) relate to Permission Model bypasses, indicating both increased scrutiny of this security feature and the ongoing work to ensure comprehensive enforcement across all Node.js APIs. |
| 69 | + |
| 70 | +2. **Incomplete Fix Pattern**: Two CVEs (CVE-2026-21637, CVE-2026-21716) represent incomplete fixes of prior vulnerabilities, highlighting the importance of comprehensive testing and review of security patches across all API surfaces. |
| 71 | + |
| 72 | +3. **AI-Driven Discovery**: The volume and nature of these reports align with the trend discussed in TSC#1826, where AI-powered fuzzing and scanning tools are discovering edge cases and inconsistencies in error handling and permission enforcement. |
| 73 | + |
| 74 | +4. **Cross-Runtime Coordination**: The V8 HashDoS vulnerability (CVE-2026-21717) required coordination with other V8-based runtimes, demonstrating the importance of ecosystem-wide security collaboration. |
| 75 | + |
| 76 | +### Security Bug Bounty Program Paused |
| 77 | + |
| 78 | +On March 2026, the Node.js project announced the **pause of its security bug bounty program** due to the discontinuation of external funding from the Internet Bug Bounty (IBB) program. |
| 79 | + |
| 80 | +**Background:** |
| 81 | +Since 2016, the Node.js project participated in the Internet Bug Bounty (IBB) program through HackerOne, offering monetary rewards to security researchers who responsibly disclosed vulnerabilities. The program was a meaningful part of the Node.js security ecosystem. |
| 82 | + |
| 83 | +**Reason for Pause:** |
| 84 | +The Internet Bug Bounty (IBB) program, which supported bounty rewards for Node.js through a pooled donation-funded initiative, has been paused. This decision was not made by the Node.js project. As a volunteer-driven open-source project, Node.js does not have an independent budget to sustain a bounty program on its own. |
| 85 | + |
| 86 | +**What This Means:** |
| 87 | +- **Security reporting remains unchanged**: The project still accepts and triages vulnerability reports through HackerOne |
| 88 | +- **No monetary rewards**: Reports will no longer be eligible for bounty payouts |
| 89 | +- **Same commitment to security**: The Node.js Security Team continues to treat security with the highest priority. The disclosure policy, response times, and release process remain the same |
| 90 | + |
| 91 | +**Looking Ahead:** |
| 92 | +The project will re-evaluate resuming the bounty program if dedicated funding becomes available again. Organizations that depend on Node.js and are interested in sponsoring a bug bounty program are encouraged to reach out through the OpenJS Foundation. |
| 93 | + |
| 94 | +**Community Impact:** |
| 95 | +The Node.js team expressed sincere gratitude to every researcher who has reported vulnerabilities through the bounty program over the years, acknowledging that their contributions have made Node.js safer for millions of users. The project hopes researchers will continue to report security issues even without financial incentives, as responsible disclosure is critical to the health of the open-source ecosystem. |
| 96 | + |
| 97 | +Work reference: https://nodejs.org/en/blog/announcements/discontinuing-security-bug-bounties |
| 98 | + |
| 99 | +### Evolving the Node.js Release Schedule |
| 100 | + |
| 101 | +In March 2026, the Node.js project announced a **major evolution of its release schedule**, representing the most significant change to the release process in 10 years. The new schedule will take effect starting with **Node.js 27 in October 2026**. |
| 102 | + |
| 103 | +#### Why This Change |
| 104 | + |
| 105 | +**Data-Driven Decision:** |
| 106 | +The current release schedule is 10 years old, created during the io.js merger as "an educated guess of what enterprises would need." After a decade of data, the project now has clear evidence of how users actually consume Node.js: |
| 107 | + |
| 108 | +- **Odd-numbered releases see minimal adoption**: Most users wait for Long-Term Support (LTS) versions |
| 109 | +- **The odd/even distinction confuses newcomers**: Many don't understand the difference |
| 110 | +- **Organizations skip odd releases entirely**: Upgrading only to LTS versions is the norm |
| 111 | + |
| 112 | +**Volunteer Sustainability:** |
| 113 | +Node.js is maintained primarily by volunteers. While some contributors receive sponsorship, most work (reviewing PRs, handling security issues, cutting releases, backporting fixes) is done by people in their spare time. |
| 114 | + |
| 115 | +**Critical Challenge:** Managing security releases across four or five active release lines has become difficult to sustain. Each additional line increases backporting complexity. By reducing the number of concurrent release lines, the project can focus on better supporting the releases people actually use. |
| 116 | + |
| 117 | +#### What's Changing (Starting October 2026) |
| 118 | + |
| 119 | +**New Release Model:** |
| 120 | +- **One major release per year** (April), with LTS promotion in October |
| 121 | +- **Every release becomes LTS** - No more odd/even distinction (Node.js 27 will become LTS) |
| 122 | +- **Alpha channel** for early testing with semver-major changes allowed |
| 123 | +- **Alpha versioning** follows semver prerelease format (e.g., `27.0.0-alpha.1`) |
| 124 | +- **Version numbers align with calendar year** of initial Current release: 27.0.0 in 2027, 28.0.0 in 2028 |
| 125 | +- **Reduced Releasers' burden** through fewer concurrent release lines |
| 126 | + |
| 127 | +**Total Support Window:** 36 months from first Current release to End of Life (EOL) |
| 128 | + |
| 129 | +#### What's NOT Changing |
| 130 | + |
| 131 | +- **Long-Term Support duration** remains similar (30 months) |
| 132 | +- **Migration windows preserved**: Overlap between LTS versions remains |
| 133 | +- **Quality standards unchanged**: Same testing, same CITGM, same security process |
| 134 | +- **Predictable schedule**: April releases, October LTS promotion |
| 135 | +- **V8 adoption cycle**: Node.js latest releases will still include a version of V8 that's at most about 6 months old |
| 136 | + |
| 137 | +#### Timeline |
| 138 | + |
| 139 | +**Node.js 26 (Last release under current model):** |
| 140 | +Node.js 26 follows the existing schedule. This is the last release line under the current model. |
| 141 | + |
| 142 | +**Node.js 27 (First release under new model):** |
| 143 | +Node.js 27 is the first release line under the new schedule, launching in October 2026. |
| 144 | + |
| 145 | +**The Next 10 Years:** |
| 146 | +The schedule is not final and may be amended. The project maintains an up-to-date `schedule.json` in the Release repository for the authoritative support timeline. |
| 147 | + |
| 148 | +**Security Sustainability Impact:** |
| 149 | +This change directly addresses security sustainability concerns by reducing the number of concurrent release lines that require security backports, allowing the security team to focus resources more effectively. |
| 150 | + |
| 151 | +Work reference: https://nodejs.org/en/blog/announcements/evolving-the-nodejs-release-schedule |
| 152 | + |
| 153 | +### Proposal: Moving Security Reports to a Public Workflow |
| 154 | + |
| 155 | +On **February 26, 2026**, Rafael Gonzaga (Node.js Security Lead) opened a controversial but important discussion in the TSC about fundamentally changing how Node.js handles security reports: **moving from a private to a public workflow**. |
| 156 | + |
| 157 | +#### Context and Motivation |
| 158 | + |
| 159 | +**The Problem:** |
| 160 | +Over the last six months, the Node.js project has seen a significant increase in both contributions and HackerOne reports. This surge is largely driven by AI: contributors are using LLMs to fuzz and scan the codebase for potential vulnerabilities, and the reports received are remarkably similar, strongly suggesting they originate from the same or similar LLM/tooling. |
| 161 | + |
| 162 | +**Measures Already Taken:** |
| 163 | +1. **Raised HackerOne Signal requirement**: Now requires reporters to have a Signal score of 1.0 or higher to submit reports |
| 164 | +2. **Expanded Threat Model**: Clarified what is and isn't in scope in SECURITY.md |
| 165 | +3. **Automatic closure**: Reports that don't match requirements are automatically closed |
| 166 | + |
| 167 | +**Why These Measures Aren't Enough:** |
| 168 | +Despite these improvements, the team is still overwhelmed. Reports that get automatically closed due to insufficient signal are now reaching the OpenJS CNA email and following the escalation path, threatening to overwhelm that team as well. |
| 169 | + |
| 170 | +#### The Proposal |
| 171 | + |
| 172 | +**Key Insight:** |
| 173 | +Most reports received are not vulnerabilities according to the threat model, but that doesn't mean they aren't bugs worth fixing. The reports are also highly duplicated, which reveals something important: **anyone with access to a capable LLM can surface the same findings at any time**. These findings are effectively public already. |
| 174 | + |
| 175 | +**Core Argument:** |
| 176 | +If a commonly available tool can reproduce findings on demand, treating them as private secrets provides a false sense of security. Additionally, the disclosure policy is set to 90 days, and anyone could find valid vulnerabilities before a security release is even issued. |
| 177 | + |
| 178 | +**Proposed Solution:** |
| 179 | +Handle all security reports through a **public workflow**, similar to how Chromium/V8 operates. Benefits include: |
| 180 | + |
| 181 | +1. **Faster fixes**: Most reports aren't vulnerabilities but are bugs that would get fixed faster if visible to the entire contributor community instead of sitting in a private queue |
| 182 | +2. **Freed security team capacity**: Focus on dependency vulnerabilities and shipping releases faster (no need to lock CI and follow all 26 steps for non-vulnerabilities) |
| 183 | +3. **Sustainable triage**: Reduces the burden of triaging AI-generated noise |
| 184 | +4. **Defined embargo process**: Would still maintain a process for the rare cases that warrant an embargo |
| 185 | + |
| 186 | +**Note:** After discussion, it was clarified that Chromium/V8 does not handle security reports fully in public, though the issue tracker allows flipping visibility of bugs easily. |
| 187 | + |
| 188 | +#### Community Discussion |
| 189 | + |
| 190 | +This proposal has sparked significant discussion within the Node.js TSC and security community about: |
| 191 | + |
| 192 | +- **Balancing transparency with responsible disclosure** |
| 193 | +- **Managing AI-generated security reports at scale** |
| 194 | +- **Sustainability of volunteer-driven security processes** |
| 195 | +- **The changing nature of vulnerability discovery in the AI era** |
| 196 | + |
| 197 | +The discussion is ongoing and represents a critical conversation about the future of open-source security practices in an era of AI-powered vulnerability discovery. |
| 198 | + |
| 199 | +Work reference: https://github.com/nodejs/TSC/issues/1826 |
| 200 | + |
| 201 | +### Conference Presentation: The State of Node.js Security |
| 202 | + |
| 203 | +Rafael Gonzaga delivered a talk at **Node.js Congress** titled **"The State of Node.js Security"**, providing a comprehensive overview of: |
| 204 | + |
| 205 | +- Current security initiatives and the Permission Model evolution |
| 206 | +- Security release processes and automation improvements |
| 207 | +- Challenges facing the security team, including the AI-driven report surge |
| 208 | +- The new release schedule and its security sustainability benefits |
| 209 | +- Future directions for Node.js security |
| 210 | + |
| 211 | +This presentation provided valuable education to the Node.js community and gathered feedback on security priorities and concerns. |
| 212 | + |
| 213 | +## OpenJS Ecosystem |
| 214 | + |
| 215 | +### OpenJS CNA Operations |
| 216 | + |
| 217 | +The OpenJS Foundation CVE Numbering Authority (CNA) continued operations during March 2026, coordinating vulnerability disclosures across the JavaScript ecosystem. |
| 218 | + |
| 219 | +**Note:** Specific CVE assignments for March 2026 will be documented as they are published. |
| 220 | + |
| 221 | +### Security Collab Space Activities |
| 222 | + |
| 223 | +Continued support for OpenJS projects through: |
| 224 | +- Security policy reviews and updates |
| 225 | +- Incident Response Plan (IRP) development |
| 226 | +- Threat model creation and refinement |
| 227 | +- Security best practices guidance |
0 commit comments