resolved
TLS PSK/ALPN Callback Exceptions Bypass Error Handlers, Causing DoS and FD Leak
Bug reported by Max Harari was disclosed at February 12, 2026, 2:42 pm | Uncontrolled Resource Consumption
A flaw was discovered in Node.js TLS error handling that allowed remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` were in use. Synchronous exceptions thrown during these callbacks bypassed standard TLS error handling paths, causing either immediate process termination or silent file descriptor leaks that eventually led to denial of service. Because these callbacks processed attacker-controlled input during the TLS handshake, a remote client could repeatedly trigger the issue. The vulnerability affected TLS servers using PSK or ALPN callbacks across Node.js versions where these callbacks threw without being safely wrapped.
resolved
Node.js permission model bypass via unchecked Unix Domain Socket connections (UDS)
Bug reported by Winfunc was disclosed at February 12, 2026, 2:42 pm | Server-Side Request Forgery (SSRF)
A flaw was discovered in Node.js's permission model that allowed Unix Domain Socket (UDS) connections to bypass network restrictions when `--permission` was enabled. Even without `--allow-net`, attacker-controlled inputs could connect to arbitrary local sockets via net, tls, or undici/fetch, breaking the intended security boundary of the permission model.
resolved
Uncatchable "Maximum call stack size exceeded" error on Node.js via async_hooks leads to process crashes bypassing error handlers
Bug reported by Aaron Brown was disclosed at February 12, 2026, 2:42 pm | Improper Handling of Exceptional Conditions
A vulnerability was identified in Node.js error handling where "Maximum call stack size exceeded" errors became uncatchable when `async_hooks.createHook()` was enabled. Instead of reaching `process.on('uncaughtException')`, the process terminated, making the crash unrecoverable.
resolved
Memory leak that enables remote Denial of Service against applications processing TLS client certificates
Bug reported by Anteater was disclosed at February 12, 2026, 2:41 pm | Uncontrolled Resource Consumption
A memory leak was discovered in Node.js's OpenSSL integration when converting X.509 certificate fields to UTF-8 without freeing the allocated buffer. The vulnerability was triggered when applications called `socket.getPeerCertificate(true)`, causing steady memory growth through repeated TLS connections.
resolved
Timeout-based race conditions make Uint8Array/Buffer.alloc non-zerofilled
Bug reported by Nikita Skovoroda was disclosed at February 12, 2026, 2:41 pm | Improper Initialization
A flaw in Node.js's buffer allocation logic was discovered, where buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations under specific timing conditions.
resolved
FS Permissions Bypass
Bug reported by Natan Nehorai was disclosed at February 12, 2026, 2:41 pm | Violation of Secure Design Principles
A flaw was discovered in Node.js's Permissions model that allowed attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory could escape the allowed path and read sensitive files. This broke the expected isolation guarantees and enabled arbitrary file read/write.
resolved
Mail stored HTML injection in subject text
Bug reported by se1en was disclosed at February 12, 2026, 1:52 pm |
A vulnerability was discovered in the mail stored HTML injection in subject text. The vulnerability allowed for arbitrary HTML code to be injected into the subject line of emails stored in the system.
![[Image: e72398fe92beda2aa80d0329e8b9f4febece7568.gif]](https://64.media.tumblr.com/834502d05f9b014cbc37366fe428a5a7/13cb9841c0799d7a-ff/s500x560/e72398fe92beda2aa80d0329e8b9f4febece7568.gif)
