http: avoid stream listeners on idle agent sockets #64004
@nodejs/releasers unfortunately, we would need to backport this to node 22.x and 24.x to fix node-fetch@2.
I'm sorry I should have caught this before shipping. |
Renegade334
left a comment
Side-note: I had a cursory look for guidance on Node.js internals managing EventEmitter events on emitter-derived Node.js classes, and found none. My feeling is that we don't ordinarily consider changes related to internally-managed event listeners to be semver-major, even though they're publicly observable. Maybe we should elucidate what our stance is, and make it explicit in the EventEmitter documentation?
Fast-track has been requested by @Renegade334. Please 👍 to approve.
Signed-off-by: Matteo Collina <hello@matteocollina.com>
8d8919c to 0d62f61
Commit Queue failed
- Loading data for nodejs/node/pull/64004
✔ Done loading data for nodejs/node/pull/64004
----------------------------------- PR info ------------------------------------
Title      http: avoid stream listeners on idle agent sockets (#64004)
Author     Matteo Collina <matteo.collina@gmail.com> (@mcollina)
Branch     mcollina:fix-http-agent-free-socket-onread -> nodejs:main
Labels     http, fast-track, author ready, needs-ci, lts-watch-v22.x, lts-watch-v24.x
Commits    1
 - http: avoid stream listeners on idle agent sockets
Committers 1
 - Matteo Collina <hello@matteocollina.com>
PR-URL: https://github.com/nodejs/node/pull/64004
Fixes: https://github.com/nodejs/node/issues/63989
Reviewed-By: René <contact.9a5d6388@renegade334.me.uk>
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Robert Nagy <ronagy@icloud.com>
------------------------------ Generated metadata ------------------------------
PR-URL: https://github.com/nodejs/node/pull/64004
Fixes: https://github.com/nodejs/node/issues/63989
Reviewed-By: René <contact.9a5d6388@renegade334.me.uk>
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Robert Nagy <ronagy@icloud.com>
--------------------------------------------------------------------------------
ℹ This PR was created on Fri, 19 Jun 2026 14:49:05 GMT
✔ Approvals: 4
✔ - René (@Renegade334): https://github.com/nodejs/node/pull/64004#pullrequestreview-4533753549
✔ - Yagiz Nizipli (@anonrig) (TSC): https://github.com/nodejs/node/pull/64004#pullrequestreview-4533914964
✔ - James M Snell (@jasnell) (TSC): https://github.com/nodejs/node/pull/64004#pullrequestreview-4535587792
✔ - Robert Nagy (@ronag) (TSC): https://github.com/nodejs/node/pull/64004#pullrequestreview-4536884413
ℹ This PR is being fast-tracked
✘ This PR needs to wait 25 more hours to land (or 0 hours if there is 1 more approval (👍) of the fast-track request from collaborators).
✔ Last GitHub CI successful
ℹ Last Full PR CI on 2026-06-20T10:50:37Z: https://ci.nodejs.org/job/node-test-pull-request/74300/
- Querying data for job/node-test-pull-request/74300/
✔ Build data downloaded
✔ Last Jenkins CI successful
--------------------------------------------------------------------------------
✔ Aborted `git node land` session in /home/runner/work/node/node/.ncu
https://github.com/nodejs/node/actions/runs/27873727043
Landed in 57a4932
…egression
With authz enabled the portal showed "Failed to load platform details"
and broken catalog views: the catalog's internal call to the permission
backend (node-fetch@2 via cross-fetch -> /api/permission/authorize)
failed with ERR_STREAM_PREMATURE_CLOSE, surfacing as a 500 on
/api/catalog/entities/by-refs.
Root cause is the Node 22.23.0 / 24.17.0 security fix for CVE-2026-48931
("response queue poisoning in http.Agent"), which changed keep-alive
socket-reuse behaviour and exposes a latent node-fetch@2 bug (its
malformed-chunked-response detector throws false-positive premature-close
on reused pooled sockets). The base image node:22-bookworm-slim floated
to 22.23.0, which is why this appeared in newly built images. Pin to
22.22 (last release before the regression) until the Node 22.x patch
with nodejs/node#64004 ships.
- backstage/backstage#34651
- nodejs/node#63989
- nodejs/node#64004
Also drop the duplicated helmet/cors/compression from the root router
configure block — applyDefaults() already applies them, so they ran
twice; keep only the IDP token middleware before applyDefaults().
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Is this also backported to 22 and 24 series, and a release created for both?
@xnox, this unfortunately didn't land as a patch release. I see it's bundled in the
Notable changes:

buffer:
* (SEMVER-MINOR) increase Buffer.poolSize default to 64 KiB (Matteo Collina) nodejs#63597

crypto:
* update root certificates to NSS 3.123.1 (Node.js GitHub Bot) nodejs#63527
* (SEMVER-MINOR) align key argument names in docs and error messages (Filip Skokan) nodejs#62527
* (SEMVER-MINOR) accept key data in crypto.diffieHellman() and cleanup DH jobs (Filip Skokan) nodejs#62527
* (SEMVER-MINOR) add TurboSHAKE and KangarooTwelve Web Cryptography algorithms (Filip Skokan) nodejs#62183

http:
* http: avoid stream listeners on idle agent sockets (Matteo Collina) nodejs#64004
* (SEMVER-MINOR) add writeInformation to send arbitrary 1xx status codes (Tim Perry) nodejs#63155

inspector:
* (SEMVER-MINOR) expose precise coverage start to JS runtime (sangwook) nodejs#63079

stream:
* stream: Revert noop pause/resume on destroyed streams" (Stewart X Addison) nodejs#63834

PR-URL: nodejs#64062
If you expand all comments/events on #63989 (the "88 remaining items") you can see a huge surge of people reverting/blocking tracking point releases and pinning back to previous v24 and v22 point releases because of this regression. Thus the longer this fix is not out, the more people are pinning to older vulnerable node, and likely will be stuck on it, as very often when such pins are introduced, people forget to add a gate test and continuously attempt to upgrade.
…egression (#649)

* fix(backend): pin Node to 22.22 to avoid node-fetch premature-close regression

With authz enabled the portal showed "Failed to load platform details"
and broken catalog views: the catalog's internal call to the permission
backend (node-fetch@2 via cross-fetch -> /api/permission/authorize)
failed with ERR_STREAM_PREMATURE_CLOSE, surfacing as a 500 on
/api/catalog/entities/by-refs.

Root cause is the Node 22.23.0 / 24.17.0 security fix for CVE-2026-48931
("response queue poisoning in http.Agent"), which changed keep-alive
socket-reuse behaviour and exposes a latent node-fetch@2 bug (its
malformed-chunked-response detector throws false-positive premature-close
on reused pooled sockets). The base image node:22-bookworm-slim floated
to 22.23.0, which is why this appeared in newly built images. Pin to
22.22 (last release before the regression) until the Node 22.x patch
with nodejs/node#64004 ships.

- backstage/backstage#34651
- nodejs/node#63989
- nodejs/node#64004

Also drop the duplicated helmet/cors/compression from the root router
configure block — applyDefaults() already applies them, so they ran
twice; keep only the IDP token middleware before applyDefaults().

Signed-off-by: Kavith Lokuhewage <kaviththiranga@gmail.com>

* chore: add changeset file for node version pin in backend pkg

Signed-off-by: Kavith Lokuhewage <kaviththiranga@gmail.com>

---------

Signed-off-by: Kavith Lokuhewage <kaviththiranga@gmail.com>
Fixes: #63989
The response-queue-poisoning guard added to idle http.Agent sockets used a public 'data' listener. That made node-fetch@2 observe socket.listenerCount('data') > 0 during response close and report false ERR_STREAM_PREMATURE_CLOSE errors.

This changes the idle-socket guard to use the socket handle's internal onread hook while the socket is in the free pool, restoring the normal stream read callback when the socket is reused. The guard still destroys sockets that receive unsolicited data while idle, but it no longer adds public stream listeners.