OpenJS Foundation Security Update: Q1 2026


Security update for December 2025 – March 2026 | Powered by the Alpha-Omega Partnership

TLDR: The OpenJS Foundation’s Q1 2026 security update details the coordination of two major Node.js releases addressing 17 CVEs and the advancement of the Node.js Permission Model. The report also highlights the foundation's efforts to adapt to a surge in AI-driven vulnerability reports while navigating critical challenges like bug bounty program pauses and long-term project sustainability.

The OpenJS Foundation's security team delivered significant security improvements across the Node.js runtime and JavaScript ecosystem during Q1 2026. We coordinated two major security releases addressing 17 CVEs, published 18 ecosystem CVEs through our CNA operations, advanced the Permission Model with new observability features, evolved the Node.js release strategy for long-term sustainability, and navigated critical challenges including the bug bounty program pause and AI-driven report surges. Here's a comprehensive look at what we accomplished between December 2025 and March 2026.

Node.js Security Releases

Two major Node.js security releases shipped this quarter, addressing a total of 17 CVEs across all active release lines (20.x, 22.x, 24.x, and 25.x).

January 13, 2026 Security Release

A coordinated release addressed eight vulnerabilities including three high-severity, four medium-severity, and one low-severity issue. The team also published two additional advisories:

  • DoS Mitigation Advisory: Published guidance for React, Next.js, and APM users regarding async hooks stack exhaustion, helping the broader ecosystem understand and mitigate this specific attack vector.
  • OpenSSL Security Assessment: Evaluated the impact of 12 OpenSSL CVEs on Node.js, providing clear guidance to users about which vulnerabilities affect their deployments and which are mitigated by Node.js's usage patterns.

March 24, 2026 Security Release

A comprehensive release addressed nine CVEs across all active release lines, including critical fixes and several Permission Model improvements:

High-Severity Issues:

  • CVE-2026-21637: TLS SNICallback vulnerability allowing server crashes via malformed server names (incomplete fix of prior vulnerability)
  • CVE-2026-21710: HTTP header denial-of-service through specially crafted proto headers causing unhandled crashes

Medium-Severity Issues:

  • CVE-2026-21711: Permission Model bypass for Unix Domain Sockets
  • CVE-2026-21712: URL processing crash with malformed internationalized domain names
  • CVE-2026-21713: Timing attack vulnerability in HMAC verification
  • CVE-2026-21714: Memory leak in HTTP/2 servers via malformed flow control messages
  • CVE-2026-21717: Hash collision attack in V8 affecting JSON parsing performance

Low-Severity Issues:

  • CVE-2026-21715: Permission Model bypass for file path resolution
  • CVE-2026-21716: Incomplete fix for file permission bypass in promise-based APIs

Key Observations:

  • Three CVEs related to Permission Model bypasses, demonstrating both increased security scrutiny and ongoing maturation of this feature
  • Two CVEs representing incomplete fixes of prior vulnerabilities, highlighting the importance of comprehensive API surface testing
  • Emerging trend: AI-driven vulnerability discovery through automated fuzzing is becoming a significant part of the threat landscape, with many reports showing similar patterns suggesting common LLM/tooling origins

Expanding the Permission Model

The Permission Model received significant attention this quarter, with major advances in both security hardening and developer experience.

Security Fixes

Multiple vulnerabilities were identified and patched:

  • Addressed security issues related to symlink operations on Windows, ensuring consistent cross-platform behavior
  • Fixed permission bypass in file timestamp modification operations (futimes)
  • Triaged and patched unsafe Buffer usage patterns
  • Resolved security issues in TLSSocket operations
  • Fixed three CVEs in the March release: bypasses in Unix Domain Sockets (CVE-2026-21711), file path resolution (CVE-2026-21715), and promise-based file operations (CVE-2026-21716)

Observability and Developer Experience

Permission Audit Mode (PR #61869): Introduced --permission-audit, a new mode that changes how teams can evaluate Permission Model adoption. Rather than throwing errors and blocking execution, this mode emits permission check events through diagnostics channels, allowing applications to:

  • Monitor permission checks in production without enforcement
  • Understand actual permission requirements before restricting access
  • Evaluate adoption impact on existing applications
  • Debug permission-related issues more effectively

The implementation also added C++ support for diagnostics channels, improving efficiency by eliminating unnecessary JavaScript boundary transitions and making permission-related observability more performant for native-side checks.

Testing and Quality

Expanded test coverage to include additional edge cases, strengthening the reliability of the permission enforcement layer and ensuring comprehensive protection across all API surfaces.

Improving Vulnerability Triage and Tooling

Managing the volume and quality of incoming HackerOne reports has been a consistent challenge, particularly with the surge in AI-generated submissions. This quarter, the team made meaningful progress on multiple fronts.

HackerOne Signal Requirement

A new Signal score requirement (minimum 1.0) was introduced and announced on the Node.js blog. The policy change was critical: over 30 invalid reports were received during the December 15 to January 15 holiday period alone — a significant triaging burden on volunteer maintainers that was simply unsustainable.

Key aspects:

  • Researchers who fall below the threshold can still reach the security team through the OpenJS Foundation Slack
  • The change helps focus limited volunteer time on actionable vulnerabilities
  • Part of ongoing discussions in the Node.js Vulnerability Working Group about balancing accessibility with sustainability

Continuous Triage Improvements

Throughout the quarter, the team:

  • Validated and triaged numerous HackerOne reports, ensuring actionable and reproducible issues
  • Reviewed AWS-reported security issue #3407207 for potential Node.js impact
  • Strengthened report closure validation processes with better verification and documentation
  • Improved coordination between HackerOne, OpenJS CNA, and the security team

Security Release Automation

Several critical improvements shipped to streamline the security release process:

  • Security release tooling now handles cveId fields automatically, reducing manual steps
  • Improved CVE request workflows in node-core-utils with refined --request-cve command
  • Added --newVersion flag documentation for security release workflows
  • Security backport commits now require PR-URL metadata for better traceability
  • Restored accurate vulnerability database generation in nodejs-dependency-vuln-assessments
  • Listed security-team in Node.js core governance for improved coordination

Threat Model and Documentation Updates

  • Updated threat model documentation to better define security boundaries around API surfaces
  • Added information about potential CVE publication delays to security release documentation
  • Continued work on Vulnerability Exploitability eXchange (VEX) files to help downstream consumers accurately assess which CVEs are exploitable in their deployments

OpenJS CNA: Ecosystem CVE Coordination

As a CVE Numbering Authority, the OpenJS Foundation published 18 CVEs this quarter across ecosystem projects, demonstrating the breadth of security coordination across the JavaScript ecosystem.

Published CVEs by Project

Lodash (3 CVEs):

  • CVE-2025-13465 (lodash@4.17.23): Moderate-severity prototype pollution in .unset and .omit functions
  • CVE-2026-4800 (lodash@4.18.0): High-severity code injection via _.template imports key names
  • CVE-2026-2950 (lodash@4.18.0): Moderate-severity prototype pollution via array path bypass in .unset and .omit

Multer (3 CVEs):

  • CVE-2026-2359 (multer@2.1.0): High-severity denial-of-service via resource exhaustion
  • CVE-2026-3304 (multer@2.1.0): High-severity DoS via incomplete cleanup
  • CVE-2026-3520 (multer@2.1.1): High-severity DoS via uncontrolled recursion

Undici (6 CVEs):

  • CVE-2026-2581 (undici@7.24.0): Moderate-severity DoS via unbounded memory consumption in DeduplicationHandler
  • CVE-2026-1527 (undici@6.24.0/7.24.0): Moderate-severity CRLF injection via upgrade option
  • CVE-2026-1528 (undici@6.24.0/7.24.0): Moderate-severity DoS via malicious WebSocket 64-bit length overflow
  • CVE-2026-2229 (undici@6.24.0/7.24.0): Moderate-severity DoS via invalid WebSocket server_max_window_bits validation
  • CVE-2026-1526 (undici@6.24.0/7.24.0): Moderate-severity DoS via unbounded WebSocket permessage-deflate decompression
  • CVE-2026-1525 (undici@6.24.0/7.24.0): Moderate-severity HTTP request/response smuggling

Fastify Ecosystem (3 CVEs):

  • CVE-2026-2880 (@fastify/middie@9.2.0): High-severity authentication bypass via path normalization inconsistency
  • CVE-2026-3419 (fastify@5.8.1): Moderate-severity validation bypass with malformed Content-Types
  • CVE-2026-3635 (fastify@5.8.3): Moderate-severity request.protocol and request.host spoofing via X-Forwarded headers

path-to-regexp (3 CVEs):

  • CVE-2026-4926 (path-to-regexp@8.4.0): High-severity DoS via sequential optional groups
  • CVE-2026-4923 (path-to-regexp@8.4.0): Moderate-severity ReDoS via multiple wildcards
  • CVE-2026-4867 (path-to-regexp@0.1.13): High-severity ReDoS via multiple route parameters

CNA Operations Improvements

  • Adopted cve-kit v1.0.0, a community-built open source tool for creating and publishing CVE records
  • Provided security policy reviews, incident response planning, and threat modeling support to OpenJS ecosystem members
  • Coordinated several CVEs through volunteer community efforts

Ecosystem Security: Fastify, Webpack, and Lodash

Security work extended well beyond Node.js this quarter, with significant investments in ecosystem-wide security infrastructure.

Fastify

  • Received comprehensive threat model documentation, continuing the pattern established with Express, Lodash, and Webpack
  • Coordinated fixes for CVE-2026-3419 (validation bypass) and CVE-2026-3635 (header spoofing)

Webpack

Lodash

  • Completed a major security overhaul bringing Lodash's security posture in line with OpenJS Foundation standards
  • Published resources:
      ◦ Socket.dev blog post: "Inside Lodash Security Reset"
      ◦ OpenJS Foundation blog: "Lodash Security Overhaul"
  • Published CVE-2025-13465 under the OpenJS Foundation CNA
  • Addressed three CVEs including prototype pollution and code injection vulnerabilities

Documentation and Education

  • Updated Node.js security feature documentation on MDN Web Docs
  • Released Secure npm Publishing Guide v2 with refined recommendations for maintainers on secure publishing workflows, including trusted publishing and CI-based approaches
  • Recorded educational shorts for the OpenJS Foundation YouTube channel

Addressing Sustainability Challenges

Bug Bounty Program Pause

The Node.js project announced the pause of its security bug bounty program following discontinued funding from the Internet Bug Bounty (IBB) initiative. This marks the end of an eight-year partnership that began in 2016.

Key points:

  • The IBB program, which supported bounty rewards through a pooled donation-funded initiative, was paused — a decision not made by the Node.js project
  • As a volunteer-driven open-source project, Node.js does not have an independent budget to sustain a bounty program
  • Security reporting remains unchanged: The project continues to accept and triage vulnerability reports through HackerOne
  • No monetary rewards: Reports are no longer eligible for bounty payouts
  • Same commitment to security: The disclosure policy, response times, and release process remain unchanged

Looking ahead: The project will re-evaluate resuming the bounty program if dedicated funding becomes available. Organizations depending on Node.js and interested in sponsoring are encouraged to reach out through the OpenJS Foundation.

Community gratitude: The team expressed sincere thanks to every researcher who reported vulnerabilities over the years, acknowledging their contributions made Node.js safer for millions of users.

Proposal: Public Security Workflow Discussion

In February 2026, the Node.js Security Lead opened a significant discussion (TSC#1826) about fundamentally changing how Node.js handles security reports: moving from a private to a public workflow.

The challenge: Over the last six months, the project has seen a surge in HackerOne reports largely driven by AI-powered fuzzing and scanning tools. Reports are remarkably similar, suggesting common LLM/tooling origins.

Key insight: Most reports aren't vulnerabilities according to the threat model, but they are bugs worth fixing. The reports are highly duplicated — anyone with access to a capable LLM can surface the same findings at any time. These findings are effectively public already.

The proposal: Handle all security reports through a public workflow, allowing:

  • Faster fixes through community visibility instead of private queues
  • Security team capacity freed to focus on dependency vulnerabilities and faster releases
  • Sustainable triage by reducing AI-generated noise
  • Defined embargo process for rare cases warranting it

Status: This controversial but important discussion is ongoing, representing a critical conversation about the future of open-source security practices in the AI era.

Evolving the Node.js Release Strategy

One of the most significant announcements of the quarter concerns fundamental changes to the Node.js release strategy, effective with Node.js 27 in October 2026. This is the largest evolution of the release process in 10 years.

Why This Change

Data-driven decision: The current schedule is 10 years old, created during the io.js merger as "an educated guess." After a decade of data:

  • Odd-numbered releases see minimal adoption — most users wait for LTS
  • The odd/even distinction confuses newcomers
  • Organizations skip odd releases entirely, upgrading only to LTS versions

Volunteer sustainability: Managing security releases across four or five active release lines has become difficult to sustain. Each additional line increases backporting complexity. Reducing concurrent release lines allows the team to focus on releases people actually use.

What's Changing (Starting October 2026)

  • One major release per year (April), with LTS promotion each October
  • Every release becomes LTS — eliminating the long-standing odd/even numbering distinction (Node.js 27 will become LTS)
  • Alpha channel for early testing with semver-major changes allowed, replacing odd-numbered releases
  • 36-month support window per release (6 months current + 30 months LTS)
  • Version numbers align with calendar year: 27.0.0 in 2027, 28.0.0 in 2028
  • Published 10-year schedule covering Node.js 27 through 36

What's NOT Changing

  • Long-Term Support duration remains similar (30 months)
  • Migration windows preserved — overlap between LTS versions remains
  • Quality standards unchanged — same testing, same CITGM, same security process
  • Predictable schedule — April releases, October LTS promotion
  • V8 adoption cycle — Node.js will still include V8 versions at most about 6 months old

Security Sustainability Impact

These changes directly address security sustainability by:

  • Reducing the number of concurrent release lines requiring security backports
  • Allowing the security team to focus resources more effectively
  • Decreasing the volunteer burden while maintaining security quality
  • Providing predictability for security planning and resource allocation

Community Engagement

  • Organized security and release sessions at the Node.js Collaboration Summit
  • Gathered community feedback on the new strategy
  • Published comprehensive blog post explaining the rationale and timeline

Conference and Community Engagement

  • Delivered "The State of Node.js Security" talk at Node.js Congress covering current initiatives, Permission Model evolution, security release processes, AI-driven report challenges, and future directions
  • Organized and facilitated security and release strategy sessions at the Collaboration Summit
  • Created educational shorts for the OpenJS Foundation YouTube channel
  • Active participation in Vulnerability Working Group discussions about improving report quality and sustainable triage processes

Q1 2026 By the Numbers

  • 17 Node.js CVEs addressed across two major security releases
  • 18 ecosystem CVEs published through OpenJS CNA operations
  • 30+ invalid reports during December-January holiday period (driving policy changes)
  • 4 active release lines maintained and patched (20.x, 22.x, 24.x, 25.x)
  • 3 major ecosystem projects received comprehensive security support (Fastify, Webpack, Lodash)
  • 12 OpenSSL CVEs assessed for Node.js impact
  • 10-year release schedule published (Node.js 27-36)

Looking Forward

Q1 2026 demonstrated both the maturity of Node.js security practices and the evolving challenges of maintaining security in a volunteer-driven, AI-influenced ecosystem. Key themes moving forward:

  • Sustainability first: The new release schedule and ongoing discussions about public workflows reflect a commitment to long-term sustainability
  • AI-era security: Adapting processes to handle AI-driven vulnerability discovery while maintaining quality
  • Community collaboration: Continued investment in ecosystem-wide security through CNA operations and project support
  • Permission Model maturation: Ongoing development of observability and enforcement features
  • Transparent communication: Open discussion about challenges, funding, and process evolution

The team remains committed to maintaining the highest security standards while addressing the practical realities of volunteer-driven open-source security operations.