This is a security release for Node.js and includes fixes for two high severity issues and one low severity issue.

Vulnerabilities fixed in Node.js

Updates are now available for v10,x, v12.x and v14.x Node.js release lines include fixes for the following vulnerabilities in Node.js:

• use-after-free in TLSWrap (High) (CVE-2020-8265): Affected Node.js versions are vulnerable to a use-after-free bug in its TLS implementation.
• HTTP Request Smuggling in nodejs (High) (CVE-2020-8287): Affected versions of Node.js allow two copies of a header field in a http request. This can lead to HTTP Request Smuggling.
• OpenSSL - EDIPARTYNAME NULL pointer de-reference (low) (CVE-2020-1971): This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it here

Additional References

For details about the Node.js security releases and corresponding vulnerabilities, please refer to the links below:

• Node.js v10.23.1 (LTS)
• Node.js v12.20.1 (LTS)
• Node.js v14.15.4 (LTS)