Security Advisory - Updated 2026-06-24 - Node.js runtime

Node runtime batch: check expression, proxy, desktop, TLS, and cookie boundaries

This Node batch is about trust boundaries inside application code: expression compilation, middleware coverage, proxy body handling, desktop runtime buffers, TLS compatibility, and cookie serialization. Patch dependencies first, then review every point where user input or network traffic crosses one of those boundaries before it is validated.

Defensive scope: use this page on repositories, services, and proxies you own or are approved to review. Do not test third-party routes.

Affected packages

CVE            | Package                  | Affected / fixed | Review                                                                                    | CVSS
CVE-2026-12866 | expr-eval                | No fixed release | Remove untrusted toJSFunction use or replace expr-eval until a fixed release is available | 9.8
CVE-2026-54257 | Electron                 | 42.3.1 / 42.3.2  | Upgrade Electron to 42.3.3 and rebuild affected desktop packages                          | 9.3
CVE-2026-54281 | @nestjs/platform-fastify | < 11.1.24        | Upgrade NestJS to 11.1.24 or newer and review Fastify route middleware coverage           | 8.7
CVE-2026-55603 | http-proxy-middleware    | 3.0.7 / 4.1.1    | Upgrade http-proxy-middleware to 3.0.7 or 4.1.1 and review fixRequestBody use             | 7.5
CVE-2026-44726 | Deno                     | 2.0.0-2.7.7      | Upgrade Deno to 2.7.8 or newer and review Node TLS compatibility clients                  | 7.4
CVE-2026-56762 | Hono                     | < 4.12.12        | Upgrade Hono to 4.12.12 and review code that accepts user-controlled cookie names         | 6.9

Owner self-check

# Manifests and lockfiles: which of the six packages are present in this repository
grep -Rni '"expr-eval"\|"electron"\|"@nestjs/platform-fastify"\|"http-proxy-middleware"\|"hono"\|"deno"' package.json package-lock.json pnpm-lock.yaml yarn.lock deno.json deno.lock 2>/dev/null
# Source: call sites at the boundaries this batch covers (expression compilation, middleware registration, proxy body rewriting, cookie serialization, TLS clients)
grep -Rni 'toJSFunction\|new Parser\|MiddlewareConsumer\|forRoutes\|FastifyAdapter\|fixRequestBody\|multipart/form-data\|setCookie\|serializeSigned\|Deno.connectTls\|autoSelectFamily' src server app 2>/dev/null | head -180
# Logs: most recent proxy, middleware, auth, validation, worker, TLS, and cookie records
grep -Rni 'proxy\|middleware\|auth\|unauthorized\|validation\|worker\|secureConnect\|cookie' logs var/log 2>/dev/null | tail -180

What to review

  • expr-eval: any use of `toJSFunction()` with expressions that come from users, tenants, scripts, formulas, dashboards, or workflow rules.
  • Electron: desktop builds based on 42.3.1 or 42.3.2, especially packaged apps that handle untrusted binary input.
  • NestJS: Fastify adapter routes protected by middleware registered through `MiddlewareConsumer.forRoutes()`.
  • http-proxy-middleware: gateways that use `fixRequestBody()` after a body parser has already consumed multipart form data.
  • Deno: services using Node TLS compatibility behavior for outbound clients on dual-stack networks.
  • Hono: code that accepts user-controlled cookie names before calling `setCookie()`, `serialize()`, or `serializeSigned()`.
  • Logs for requests that reached privileged route handlers, upstream services, or worker processes without the expected validation record.
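The last review item asks for requests that reached a privileged handler, an upstream service, or a worker without a matching validation record. The following is an added example of that correlation, not code from this advisory or from any of the listed projects. It assumes a hypothetical log format in which every line carries a `req=<id>` field and one of a fixed set of event names, and the sample lines are constructed for the example; adapt the regular expression to the format your proxy and API actually emit.

```javascript
// Added example: flag gated events (privileged handler, upstream forward,
// worker dispatch) whose request id has no earlier "validation ok" record.
// The line format and event names are assumptions for this example.

// Constructed sample log: a1 and c3 are validated first; b2 is never validated;
// d4 is validated only after the worker was already dispatched (wrong order).
const SAMPLE_LOG = [
  '2026-06-24T10:00:01Z req=a1 validation ok route=/admin/users',
  '2026-06-24T10:00:01Z req=a1 handler privileged route=/admin/users',
  '2026-06-24T10:00:02Z req=b2 handler privileged route=/admin/export',
  '2026-06-24T10:00:03Z req=c3 validation ok route=/api/items',
  '2026-06-24T10:00:03Z req=c3 upstream forward route=/api/items',
  '2026-06-24T10:00:04Z req=d4 worker dispatch route=/jobs/rebuild',
  '2026-06-24T10:00:05Z req=d4 validation ok route=/jobs/rebuild',
  'garbage line that does not parse',
];

// Assumed line shape: <timestamp> req=<id> <event> route=<path>
const LINE_RE = /^(\S+) req=(\S+) (validation ok|handler privileged|upstream forward|worker dispatch|handler) route=(\S+)$/;

// Events that must only ever follow a validation record for the same request.
const GATED_EVENTS = new Set(['handler privileged', 'upstream forward', 'worker dispatch']);

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { ts: m[1], req: m[2], event: m[3], route: m[4] };
}

// Walk the log in order. A validation record only counts if it appears
// before the gated event; a later record does not retroactively clear it.
function findUnvalidated(lines) {
  const validated = new Set();
  const findings = [];
  let skipped = 0;
  for (const line of lines) {
    const e = parseLine(line);
    if (!e) { skipped++; continue; } // unparseable lines are counted, never trusted
    if (e.event === 'validation ok') { validated.add(e.req); continue; }
    if (GATED_EVENTS.has(e.event) && !validated.has(e.req)) {
      findings.push({ req: e.req, event: e.event, route: e.route, ts: e.ts });
    }
  }
  return { findings, skipped };
}

// Stand-alone run: prints the two suspicious requests (b2, d4) and the skipped count.
console.log(JSON.stringify(findUnvalidated(SAMPLE_LOG), null, 2));
```

The `skipped` count matters as much as the findings: a sudden rise in lines the parser cannot read usually means a log format change, and the correlation is then silently blind.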

Safe fix path

  1. Remove untrusted expr-eval `toJSFunction()` use. If the path is required, isolate it from production secrets and customer data.
  2. Upgrade Electron desktop builds to 42.3.3 and rebuild distributed packages.
  3. Upgrade NestJS to 11.1.24 or newer and rerun route authorization tests for the Fastify adapter.
  4. Upgrade http-proxy-middleware to 3.0.7 or 4.1.1 and recheck body-parser and upstream validation behavior.
  5. Upgrade Deno to 2.7.8 or newer where Node TLS compatibility is used.
  6. Upgrade Hono to 4.12.12 or newer and reject invalid cookie names before writing headers.
  7. Preserve proxy, API, and worker logs before rotating tokens or rebuilding containers.
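Step 1 says to remove untrusted `toJSFunction()` use, and, where a formula path must stay, to isolate it. A common companion control is to gate what a formula may contain before any evaluator sees it. The block below is an added example of such a gate; it is not part of expr-eval or of this advisory and does not evaluate anything. It tokenizes the formula itself, so the allowed operator set, the function allowlist (`min`, `max`, `abs`, `round`), and the length and nesting limits are this example's assumptions, and the caller supplies the set of variable names a tenant's formula may reference.

```javascript
// Added example: allowlist gate for user-supplied formulas. Rejects unknown
// characters, identifiers outside the caller's variable set, function names
// outside a fixed allowlist, excessive length and excessive nesting.
// Limits and the function allowlist are assumptions of this example.

const MAX_LENGTH = 256;
const MAX_DEPTH = 8;
const ALLOWED_FUNCTIONS = new Set(['min', 'max', 'abs', 'round']);

// Sticky tokenizer: whitespace, numbers, identifiers, arithmetic and comparison
// operators, parentheses and commas. Anything else is an error at that offset.
const TOKEN_RE = /\s+|\d+(?:\.\d+)?|[A-Za-z_][A-Za-z0-9_]*|<=|>=|==|!=|[-+*/^%(),<>]/y;

function tokenize(src) {
  const tokens = [];
  let pos = 0;
  while (pos < src.length) {
    TOKEN_RE.lastIndex = pos;
    const m = TOKEN_RE.exec(src);
    if (!m) return { error: `unexpected character at ${pos}` };
    if (!/^\s+$/.test(m[0])) tokens.push(m[0]); // drop whitespace tokens
    pos += m[0].length;
  }
  return { tokens };
}

// allowedVariables: Set of identifiers this tenant's formula may reference.
// Returns { ok: true, tokens } or { ok: false, reason }.
function checkFormula(src, allowedVariables) {
  if (typeof src !== 'string') return { ok: false, reason: 'formula is not a string' };
  if (src.length > MAX_LENGTH) return { ok: false, reason: 'formula too long' };
  const { tokens, error } = tokenize(src);
  if (error) return { ok: false, reason: error };

  let depth = 0;
  for (let i = 0; i < tokens.length; i++) {
    const t = tokens[i];
    if (t === '(') {
      depth++;
      if (depth > MAX_DEPTH) return { ok: false, reason: 'nesting too deep' };
    } else if (t === ')') {
      depth--;
      if (depth < 0) return { ok: false, reason: 'unbalanced parenthesis' };
    } else if (/^[A-Za-z_]/.test(t)) {
      // An identifier followed by "(" is a call; otherwise it is a variable.
      const isCall = tokens[i + 1] === '(';
      const allowed = isCall ? ALLOWED_FUNCTIONS.has(t) : allowedVariables.has(t);
      if (!allowed) return { ok: false, reason: `identifier not allowed: ${t}` };
    }
  }
  if (depth !== 0) return { ok: false, reason: 'unbalanced parenthesis' };
  return { ok: true, tokens };
}

// Stand-alone run against constructed formulas.
const VARS = new Set(['price', 'qty', 'discount']);
for (const f of ['max(price * qty, 0) - discount', 'price + constructor', 'price; 1']) {
  console.log(JSON.stringify(f), '->', JSON.stringify(checkFormula(f, VARS)));
}
```

Because the gate works on tokens rather than on the evaluator's output, it is independent of which expression library sits behind it and can be unit-tested in isolation; it complements, rather than replaces, the removal of `toJSFunction()` from untrusted paths.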
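Step 6 asks that invalid cookie names be rejected before headers are written. As an added example, independent of Hono's own `setCookie()`, `serialize()` and `serializeSigned()`, the block below checks a cookie name against the RFC 6265 token grammar and the value against the cookie-octet grammar before assembling a `Set-Cookie` header value. The regular expressions and the option set are this example's own.

```javascript
// Added example: validate cookie name and value before building Set-Cookie.
// Not Hono's implementation; the grammars follow RFC 6265 and RFC 2616.

// token = 1*<any CHAR except CTLs or separators>; separators are
// ( ) < > @ , ; : \ " / [ ] ? = { } SP HT
const COOKIE_NAME_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
// (no CTLs, whitespace, double quote, comma, semicolon or backslash)
const COOKIE_VALUE_RE = /^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$/;

// Attribute values (Path, Domain) must not carry CTLs or a ';' that would
// terminate the attribute early.
const ATTR_VALUE_RE = /^[^;\x00-\x1F\x7F]+$/;

const SAME_SITE = new Set(['Strict', 'Lax', 'None']);

function isValidCookieName(name) {
  return typeof name === 'string' && COOKIE_NAME_RE.test(name);
}

function isValidCookieValue(value) {
  return typeof value === 'string' && COOKIE_VALUE_RE.test(value);
}

// Returns one Set-Cookie header value, or throws TypeError if any component
// could break out of its position in the header (';', '=', CR/LF, etc.).
function serializeCookie(name, value, opts = {}) {
  if (!isValidCookieName(name)) throw new TypeError('invalid cookie name');
  if (!isValidCookieValue(value)) throw new TypeError('invalid cookie value');
  const parts = [`${name}=${value}`];
  if (opts.path !== undefined) {
    if (!ATTR_VALUE_RE.test(opts.path)) throw new TypeError('invalid Path');
    parts.push(`Path=${opts.path}`);
  }
  if (opts.domain !== undefined) {
    if (!ATTR_VALUE_RE.test(opts.domain)) throw new TypeError('invalid Domain');
    parts.push(`Domain=${opts.domain}`);
  }
  if (opts.maxAge !== undefined) {
    if (!Number.isInteger(opts.maxAge)) throw new TypeError('Max-Age must be an integer');
    parts.push(`Max-Age=${opts.maxAge}`);
  }
  if (opts.httpOnly) parts.push('HttpOnly');
  if (opts.secure) parts.push('Secure');
  if (opts.sameSite !== undefined) {
    if (!SAME_SITE.has(opts.sameSite)) throw new TypeError('invalid SameSite');
    parts.push(`SameSite=${opts.sameSite}`);
  }
  return parts.join('; ');
}

// Stand-alone run: a valid cookie, then a constructed name that would inject
// a second header line if written unchecked.
console.log(serializeCookie('sid', 'abc123', { path: '/', httpOnly: true, secure: true, sameSite: 'Lax' }));
try {
  serializeCookie('pref\r\nSet-Cookie: admin=1', 'x');
} catch (err) {
  console.log('rejected:', err.message);
}
```

When the name itself comes from user input (per-user preference keys, for instance), the same check should run before the name is ever stored, so that a rejected name produces a 4xx at the point of entry rather than an exception in the response path.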

Repair help

Use Ping7 CVE Repair when a public API compiles user expressions, Fastify middleware protects sensitive routes, proxy validation is split from upstream parsing, desktop builds need rebuild review, or logs need review before redeploy.
