Security updates for all active release lines, July 2017

June 27th, 2017


The Node.js project will be releasing new versions across all of its active release lines (4.x, 6.x, 8.x) as well as 7.x the week of July 10th 2017 to incorporate a security fix.

Denial of Service Vulnerability

All current versions of v4.x through to v8.x inclusive are vulnerable to an issue that can be used by an external attacker to cause a denial of service. The severity of this vulnerability is high and users of the affected versions should plan to upgrade when a fix is made available.


  • Versions 4.x of Node.js are vulnerable
  • Versions 6.x of Node.js are vulnerable
  • Versions 7.x of Node.js are vulnerable
  • Versions 8.x of Node.js are vulnerable

Release timing

Releases will be available at, or shortly after, Tuesday the 11th of July along with disclosure of the details for the vulnerability in order to allow for complete impact assessment by users.

Contact and future updates

The current Node.js security policy can be found at

Please contact if you wish to report a vulnerability in Node.js.

Subscribe to the low-volume announcement-only nodejs-sec mailing list at!forum/nodejs-sec to stay up to date on security vulnerabilities and security-related releases of Node.js and the projects maintained in the nodejs GitHub organisation.