
Node.js released v25.8.1 with a module regression fix and an HTTP parser memory-safety patch
Node.js shipped v25.8.1 on March 11, 2026, in its Current line, with fixes for a module-loading regression and an llhttp use-after-free bug, according to the release notes.
TL;DR
Upgrade if you run Node.js 25.x, especially if you ship mixed ESM/CommonJS packages or operate HTTP servers on 25.x. The release notes do not list a CVE identifier for the llhttp fix.
Key changes
- Module system: Node.js fixed a regression where extensionless CommonJS files failed to load inside packages that set "type": "module" (PR #62083).
- HTTP parser (llhttp): Node.js fixed a use-after-free scenario in llhttp_execute when parser cleanup runs during execution (PR #62095).
- WebCrypto: Node.js fixed SubtleCrypto.importKey argument validation and added missing AES algorithm dictionaries (PR #62099).
- Web Compression Streams: Node.js now accepts ArrayBuffer input for CompressionStream and DecompressionStream, and adjusted brotli error handling for spec alignment (PRs #61913, #62107).
- Dependencies: Node.js updated SQLite to 3.52.0 (PR #62150) and Ada to 3.4.3 (noted in the v25.8.1 release).
Details
The module fix targets a specific ESM and CommonJS interop case. Projects that rely on extensionless paths, such as require("./lib/utils") inside a package marked "type": "module", could fail after the regression, according to the PR description.
The HTTP change addresses a memory-safety bug in the llhttp execution path. The team describes the issue as a use-after-free risk when code frees the parser while llhttp_execute still runs, and the fix adds guard logic to abort parsing early (PR #62095).
On crypto, v25.8.1 tightens input validation in SubtleCrypto.importKey. The PR notes Node.js should require five arguments, and it adds missing AES parameter dictionaries that affect WebCrypto algorithm parsing (PR #62099).
On streams, Node.js now accepts raw ArrayBuffer input for Web Compression Streams, and it changes brotli decompression error handling to better match the Web Platform Tests expectations, according to the stream PRs.
How to upgrade
Check your version with node --version. Install v25.8.1 with your version manager, then rerun node --version to confirm the upgrade.
- nvm: Run nvm install 25.8.1, then select it in your shell.
- n: Run n 25.8.1.
- CI and containers: Update any pinned Node.js version strings in workflows and base images, then run your HTTP smoke tests and module-loading tests first.
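One way to carry out the CI and containers step, as an added example (not code from the Node.js project or its release notes): a scanner that flags exact 25.x pins older than 25.8.1. The file patterns, the names findStalePins and isBehind, and the sample repository contents are assumptions made for illustration.

```javascript
// Added example: find exact Node.js 25.x pins that predate 25.8.1.
const FIXED = [25, 8, 1];

// Assumed pin formats (hypothetical repo layout): file matcher + capture regex.
const RULES = [
  { files: /(^|\/)Dockerfile[^/]*$/, pin: /^\s*FROM\s+(?:\S+\/)?node:v?(\d+)\.(\d+)\.(\d+)/i },
  { files: /\.ya?ml$/, pin: /node-version:\s*['"]?v?(\d+)\.(\d+)\.(\d+)/ },
  { files: /(^|\/)\.(nvmrc|node-version)$/, pin: /^\s*v?(\d+)\.(\d+)\.(\d+)\s*$/ },
];

// Numeric, component-wise comparison so that 25.10.0 is not treated as < 25.8.1.
function isBehind(v, fixed = FIXED) {
  for (let i = 0; i < 3; i++) {
    if (v[i] !== fixed[i]) return v[i] < fixed[i];
  }
  return false;
}

// files: { path: contents }. Returns [{ path, line, version }] for stale pins.
function findStalePins(files) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    for (const rule of RULES) {
      if (!rule.files.test(path)) continue;
      text.split(/\r?\n/).forEach((line, idx) => {
        const m = rule.pin.exec(line);
        if (!m) return;
        const v = m.slice(1, 4).map(Number);
        // Only the 25.x line is in scope; other majors are left alone.
        if (v[0] === FIXED[0] && isBehind(v)) {
          findings.push({ path, line: idx + 1, version: v.join('.') });
        }
      });
    }
  }
  return findings;
}

// Constructed sample repository contents (not from any real project).
const SAMPLE = {
  'Dockerfile': 'FROM node:25.7.0-alpine\nWORKDIR /app\n',
  '.github/workflows/ci.yml': "    with:\n      node-version: '25.8.1'\n",
  '.nvmrc': 'v25.8.0\n',
  'legacy/Dockerfile': 'FROM node:24.1.0\n',
};

for (const f of findStalePins(SAMPLE)) {
  console.log(`${f.path}:${f.line} pins Node.js ${f.version}, older than 25.8.1`);
}
```

Floating tags such as node:25 are not flagged because they carry no patch version; check what they resolve to in the built image with node --version.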
Background
Node.js 25 is a Current line release, not an LTS line. Teams that only deploy LTS releases may treat this update as informational unless they already standardized on 25.x.
Other changes in this release are the usual test and tooling updates, dependency bumps, and doc fixes.
Official notes
The Node.js project published the full changelog for v25.8.1 on GitHub and on nodejs.org. See: https://github.com/nodejs/node/releases/tag/v25.8.1