Node v9.10.0 (Current)

Upgrade to OpenSSL 1.0.2o: Does not contain any security fixes that are known to impact Node.js.

Fix for inspector DNS rebinding vulnerability (CVE-2018-7160): A malicious website could use a DNS rebinding attack to trick a web browser to bypass same-origin-policy checks and allow HTTP connections to localhost or to hosts on the local network, potentially to an open inspector port as a debugger, therefore gaining full code execution access. The inspector now only allows connections that have a browser Host value that is either not subject to DNS resolution or matches localhost or localhost6 .

Fix for 'path' module regular expression denial of service (CVE-2018-7158): A regular expression used for parsing POSIX paths could be used to cause a denial of service if an attacker were able to have a specially crafted path string passed through one of the impacted 'path' module functions.

Reject spaces in HTTP Content-Length header values (CVE-2018-7159): The Node.js HTTP parser allowed for spaces inside Content-Length header values. Such values now lead to rejected connections in the same way as non-numeric values.

Update root certificates: 5 additional root certificates have been added to the Node.js binary and 30 have been removed.

cluster: Add support for NODE_OPTIONS="--inspect" (Sameer Srivastava) #19165

crypto: Expose the public key of a certificate (Hannes Magnusson) #17690

n-api: Add napi_fatal_exception to trigger an uncaughtException in JavaScript (Mathias Buus) #19337

path: Fix regression in posix.normalize (Michaël Zasso) #19520

stream: Improve stream creation performance (Brian White) #19401