| 1 | +--- |
| 2 | +date: '2025-01-06:00:00.000Z' |
| 3 | +category: vulnerability |
| 4 | +title: Upcoming CVE for End-of-Life Node.js Versions |
| 5 | +layout: blog-post |
| 6 | +author: The Node.js Project |
| 7 | +--- |
| 8 | + |
| 9 | +The Node.js Project is committed to ensuring the security and reliability of |
| 10 | +applications built on Node.js. As part of this commitment, we regularly review |
| 11 | +measures to help our users stay informed about security risks. |
| 12 | + |
| 13 | +## Announcement |
| 14 | + |
| 15 | +We will soon issue a Common Vulnerabilities and Exposures (CVE) identifier for |
| 16 | +**End-of-Life (EOL)** versions of Node.js. This CVE will serve as an official |
| 17 | +notification to inform users that these versions are no longer maintained and |
| 18 | +may pose significant security risks. |
| 19 | + |
| 20 | +The CVE will cite **Unsupported When Assigned** under |
| 21 | +[CWE-1104](https://cwe.mitre.org/data/definitions/1104.html): _Use of Unmaintained Third Party Components_. |
| 22 | +For more details on this decision, you can refer to the discussion in |
| 23 | +[this GitHub issue](https://github.com/nodejs/security-wg/issues/1401). |
| 24 | + |
| 25 | +## Why Issue a CVE? |
| 26 | + |
| 27 | +Many organizations rely on CVE notifications to track security issues across |
| 28 | +their software stacks. The Node.js project aims for a timely resolution and disclosure |
| 29 | +for all reported vulnerabilities for the _maintained_ release lines. |
| 30 | +However, we do not issue CVEs for EOL release lines. |
| 31 | +By issuing a CVE for EOL versions of Node.js, we aim to: |
| 32 | + |
| 33 | +- **Raise Awareness:** Inform users that running EOL versions exposes their |
| 34 | + applications to potential vulnerabilities. |
| 35 | +- **Encourage Upgrades:** Prompt organizations and developers to update to |
| 36 | + actively supported Node.js versions. |
| 37 | +- **Improve Security:** Reduce the number of applications running outdated and |
| 38 | + unsupported versions of Node.js. |
| 39 | + |
| 40 | +> Node.js v16, despite being EOL for over a year, has still 11 million downloads per month. |
| 41 | +
|
| 42 | +## What Does This Mean for You? |
| 43 | + |
| 44 | +If you are using an EOL version of Node.js, we strongly encourage you to upgrade |
| 45 | +to a supported version immediately. You can find the list of actively supported |
| 46 | +versions and their maintenance schedules in the [Node.js Release Schedule](https://github.com/nodejs/release#release-schedule). |
| 47 | + |
| 48 | +To check which version of Node.js your application is running, execute the |
| 49 | +following command in your terminal: |
| 50 | + |
| 51 | +```bash |
| 52 | +node -v |
| 53 | +``` |
| 54 | + |
| 55 | +You can also run [`is-my-node-vulnerable`](https://github.com/nodejs/is-my-node-vulnerable) |
| 56 | +to check if you are using an EOL version or any version with an CVE issued to it. |
| 57 | + |
| 58 | +```bash |
| 59 | +npx is-my-node-vulnerable |
| 60 | +``` |
| 61 | + |
| 62 | +## Supported Versions |
| 63 | + |
| 64 | +As of the date of this announcement, the following versions are actively supported: |
| 65 | + |
| 66 | +- Node.js 23 (Current) |
| 67 | +- Node.js 22 (LTS) |
| 68 | +- Node.js 20 (Maintenance LTS) |
| 69 | +- Node.js 18 (Maintenance LTS) |
| 70 | + |
| 71 | +All other versions are no longer supported and should be considered deprecated. |
| 72 | + |
| 73 | +## Questions and Feedback |
| 74 | + |
| 75 | +We understand that upgrading may require effort, and we’re here to help. If you have |
| 76 | +any questions or need assistance, please reach out to us via: |
| 77 | + |
| 78 | +- [Node.js Help Repository](https://github.com/nodejs/help) |
| 79 | + |
| 80 | +For organizations or developers who require continued use of EOL Node.js versions, |
| 81 | +the [OpenJS Ecosystem Sustainability Program](https://nodejs.org/en/about/previous-releases#commercial-support) |
| 82 | +provides commercial support options. |
| 83 | + |
| 84 | +Thank you for your attention to this important matter. |
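Review bot: the `date` value in the front matter at line 2, `'2025-01-06:00:00.000Z'`, is not a valid ISO 8601 timestamp; the `T` separator between the date and time parts is missing, so a strict date parser will reject it or read it as a different value. The surrounding blog posts presumably use the full form, so this should read `date: '2025-01-06T00:00:00.000Z'`. Two smaller wording points in the same hunk: line 40 reads "has still 11 million downloads per month" and would be more natural as "still has 11 million downloads per month", and line 56 should say "any version with a CVE issued to it" rather than "an CVE". Finally, the "Supported Versions" list at lines 66-69 is stated "as of the date of this announcement"; since the post will remain published after Node.js 18 leaves Maintenance, consider pointing readers to the linked release schedule as the authoritative list rather than relying on the hard-coded one.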