Skip to main content
Version: v1

Node v0.22.1 release notes

For the complete documentation index, see llms.txt
  • Version: v0.22.1
  • Date: March 19, 2026
  • Environment: All public networks

High-level summary

This is a security patch release addressing a Yamux networking vulnerability and restricting peer info RPC methods to unsafe-only access. This is a node-only upgrade with no runtime changes and is backward compatible with node-0.22.0.

Audience

This release note is relevant for users who:

  • Run Midnight node infrastructure or validator operations (binary restart required)
  • Use peer-info RPC methods such as network_peerReputations, network_peerReputation, or network_unbanPeer

What changed (Summary of updates)

The updates below describe the key changes introduced in this release.

  • Fixed Yamux vulnerability (GHSA-vxx9-2994-q338)
  • Restricted peer-info RPC methods to unsafe-only access

New features

No new features were introduced in this release.

Improvements

This release includes reliability and performance improvements across runtime behavior, query paths, toolkit workflows, and release engineering.

Yamux vulnerability fix

A malicious peer could crash a node by sending crafted Yamux frames that trigger a panic via overflow in increase_send_window_by.

This release:

  • Bumps yamux 0.13.8 to 0.13.10
  • Patches yamux 0.12.1 to 0.12.2 via a custom fork, since upstream 0.12.x has no fix
  • Adds regression tests for overflow and oversized-frame panic scenarios

Advisory: GHSA-vxx9-2994-q338

Peer info RPC methods restricted

The network_peerReputations, network_peerReputation, and network_unbanPeer RPC methods now require --rpc-methods unsafe to be called. This prevents exposure of peer reputation data and peer management on public-facing RPC endpoints.

Breaking changes

No breaking changes, except for users calling network_peerReputations, network_peerReputation, or network_unbanPeer. These methods now require --rpc-methods unsafe to be exposed via the node.