Node.js Patches Multiple Vulnerabilities That Enable DoS Attacks and Process Crashes

On March 24, 2026, the Node.js project released a very important security update for the Long-Term Support (LTS) branch. This update made version 20.20.2 "Iron" a security release. The update fixes seven known security holes, including ones in TLS error handling, HTTP/2 flow control, cryptographic timing leaks, permission model bypasses, and a V8 hash-table weakness.

CVE-2026-21637 is the most serious problem in this group. It is an incomplete fix of a previous TLS vulnerability with the same identifier. Developers and system administrators should upgrade right away to the latest versions: v202026.1, v2222, v24141, or v8.2, v2022.1, or v22.2. v8-2.4.0-1.

CNN.com will have cybersecurity stories in a weekly Travel Snapshots gallery. Every week, go to CNN.com/Travel to see a new gallery of travel photos.

For the latest news on travel, travel, and online security, follow us on Twitter at @TravelSnapshots and @CNNTravel. In the next few weeks, we will also post stories on LinkedIn and X. The X.com Newsquiz is open to everyone and lets you test your knowledge of stories you have seen on the web.

Visit www.x.co.uk for more information about X, and www.xconomy.com for the Xconomy news site, which lets you submit your own stories. If you need private help, call the Samaritans at 08457 90 90 90 or go to a local Samaritans branch. You can find their website at www.samaritans.org.