Upgrade nodejs to version 24.17.0 to fix multiple CVEs #17788

Merged: kgodara912 merged 2 commits into microsoft:3.0-dev from Kanishk-Bansal:topic_nodejs24-3.0 on Jun 24, 2026
Conversation

@SumitJenaHCL commented Jun 23, 2026

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

  • The toolchain has been rebuilt successfully (or no changes were made to it)
  • The toolchain/worker package manifests are up-to-date
  • Any updated packages successfully build (or no packages were changed)
  • Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
  • Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
  • All package sources are available
  • cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
  • LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
  • All source files have up-to-date hashes in the *.signatures.json files
  • sudo make go-tidy-all and sudo make go-test-coverage pass
  • Documentation has been updated to match any changes to the build system
  • Ready to merge

Summary

What does the PR accomplish, why was it needed?
This PR upgrades the core package nodejs to version 24.17. It bumps the icu component to version 78.3 and npm to 11.13.

Change Log
  • SPECS/nodejs/CVE-2026-33671.patch
  • SPECS/nodejs/CVE-2026-33672.patch
  • SPECS/nodejs24/nodejs24.signatures.json
  • SPECS/nodejs24/nodejs24.spec
  • cgmanifest.json
Does this affect the toolchain?

NO

Associated issues
  • #xxxx
Links to CVEs
Test Methodology

@microsoft-github-policy-service microsoft-github-policy-service Bot added Packaging 3.0-dev PRs Destined for AzureLinux 3.0 labels Jun 23, 2026
@SumitJenaHCL (Author) commented:

Verified the ICU mismatch and segfault from #17161 stay resolved with the nodejs 24.17.0 upgrade: https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1145300&view=results

Reproduced the issue's ICU check and its exact TypeSpec reproducer against the nodejs-24.17.0-1.azl3 / nodejs-full-i18n-24.17.0-1.azl3 / nodejs-npm-24.17.0-1.azl3 RPMs on linux/amd64, in the OneBranch build image (mcr.microsoft.com/onebranch/azurelinux/build:3.0):

[screenshot of the ICU check and TypeSpec reproducer output]

Binary (ICU 78) and the -full-i18n data file (icudt78l.dat) are consistent on amd64 — the root cause called out in #17161 — and @typespec/compiler@1.11.0 compiles cleanly (docker exit: 0), with no Segmentation fault / exit 139. Repeated runs back-to-back, all clean.

@SumitJenaHCL SumitJenaHCL marked this pull request as ready for review June 23, 2026 22:01
@SumitJenaHCL SumitJenaHCL requested a review from a team as a code owner June 23, 2026 22:01
@sandeepkarambelkar (Contributor) commented:

NPM version matches the upstream reference - https://github.com/nodejs/node/blob/v24.17.0/deps/npm/package.json
ICU version matches the upstream reference - https://github.com/nodejs/node/blob/v24.17.0/tools/icu/current_ver.dep

Changes LGTM.

@sandeepkarambelkar (Contributor) left a review comment:

Buddy Build Passed.
ICU and NPM versions verified against upstream and updated to the referenced versions.
Removed patches for CVE fixes.

@kgodara912 kgodara912 changed the title Upgrade nodejs to version 24.17.0 Upgrade nodejs to version 24.17.0 to fix multiple CVEs Jun 24, 2026

@kgodara912 left a review comment:

PR #17788 Verification — Upgrade nodejs to version 24.17.0

Build Verification

  • Pipeline (run 1145300): SUCCEEDED
  • Patches applied: 12/12 applied cleanly
  • Build errors: None (29 false positives — V8 object file names containing "error")
  • Build warnings: 3770 — standard C/C++ compiler noise

Verdict: PASS
Upstream Release Analysis (24.14.1 → 24.17.0)

The upgrade spans 3 intermediate releases:

24.17.0 (2026-06-18) — Security Release

  • (High) CVE-2026-48618 — tls: normalize hostname for server identity checks
  • (High) CVE-2026-48933 — crypto: guard WebCrypto cipher output length
  • (Medium) CVE-2026-48615 — lib: redact proxy credentials in tunnel errors
  • (Medium) CVE-2026-48619 — http2: cap originSet size (unbounded memory growth)
  • (Medium) CVE-2026-48928 — tls: fix case-sensitive SNI context matching
  • (Medium) CVE-2026-48930 — dns,net: reject hostnames with embedded NUL bytes
  • (Medium) CVE-2026-48934 — tls: bind reusable sessions to authenticated host
  • (Medium) CVE-2026-48937 — deps: fix nghttp2 integration issues
  • (Low) CVE-2026-48617 — permission: handle process.chdir on writereport
  • (Low) CVE-2026-48931 — http: fix response queue poisoning in http.Agent
  • (Low) CVE-2026-48935 — permission: disable FileHandle utimes with permission model

24.16.0 (2026-05-21) — Regular LTS

Additive SEMVER-MINOR only: crypto.randomUUIDv7(), fs.stat() signal option, http: harden ClientRequest options merge, http: req.signal on IncomingMessage, deps bumps (llhttp 9.4.1, undici 7.28.0, ICU 78.3).

24.15.0 (2026-04-15) — Regular LTS

Additive SEMVER-MINOR only: --max-heap-size, require(esm) stable, http2: http1Options, net.setTOS/getTOS, deps bumps (npm 11.12.1, sqlite 3.51.3).

Breaking changes: None. The nghttp2 SEMVER-MAJOR tag is internal-only (required to ship CVE-2026-48937 fix). No API removals, no deprecation escalations.
CVE-2026-33671 & CVE-2026-33672 Subsumption

Both CVEs affect picomatch (bundled via npm → tinyglobby):

  • CVE-2026-33671 (High 7.5) — ReDoS via crafted extglob quantifiers. Fixed in picomatch ≥ 2.3.2 (5eceecd)
  • CVE-2026-33672 (Medium 5.3) — Prototype pollution via POSIX bracket expressions. Fixed in picomatch ≥ 2.3.2 (4516eb5)

Confirmed fixed by this upgrade. The PR deletes Patch6: CVE-2026-33671.patch and Patch7: CVE-2026-33672.patch (previously backported onto 24.14.1). Node.js 24.17.0 bundles npm 11.13.0 which ships a picomatch version that already includes both upstream fixes.
Release notes:
https://nodejs.org/en/blog/release/v24.17.0
https://nodejs.org/en/blog/release/v24.16.0
https://nodejs.org/en/blog/release/v24.15.0

Summary

  • ✅ Build succeeds
  • ✅ No breaking changes from 24.14.1 → 24.17.0
  • CVE-2026-33671 and CVE-2026-33672 subsumed by the upgrade (patches correctly removed)
  • ✅ 11 additional Node.js security CVEs resolved

LGTM

@kgodara912 kgodara912 merged commit beffe16 into microsoft:3.0-dev Jun 24, 2026
17 checks passed