- Added permission check that throws on InternalWorker usage when the permission model is enabled (CVE‑2025‑23083).
- Patched HTTP/2 memory leak and ERR_PROTO handling, and fixed path traversal in normalize() on Windows (CVE‑2025‑23085, CVE‑2025‑23084).
- Updated undici to v6.21.1, addressing CVE‑2025‑22150 (insufficiently random values).
Community impact
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.