doc: add Updates on CVE to EOL blog post #7537
Merged
83 changes: 83 additions & 0 deletions
83
apps/site/pages/en/blog/vulnerability/updates-cve-for-end-of-life.md
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,83 @@ | ||
| --- | ||
| date: '2025-03-06T16:00:00.000Z' | ||
| category: vulnerability | ||
| title: Updates on CVE for End-of-Life Versions | ||
| layout: blog-post | ||
| author: Rafael Gonzaga | ||
| --- | ||
|
|
||
| # Rationale for Issuing CVEs on End-of-Life Node.js Versions | ||
|
|
||
| **TL;DR:** CVE-2025-23087, CVE-2025-23088, and CVE-2025-23089 have been | ||
| rejected by MITRE and therefore the Node.js team decided to update previous | ||
| CVEs to cover EOL releases, reflecting their ongoing security risks. | ||
|
|
||
|
|
||
| On January 21, 2025, Node.js released security patches for four active release | ||
| lines. At the same time, CVEs were assigned to cover EOL (end-of-life) versions: | ||
|
|
||
| * **CVE-2025-23087:** Applies to Node.js v17 and all earlier versions (including v0.x). | ||
| * **CVE-2025-23088:** Applies to Node.js v19. | ||
| * **CVE-2025-23089:** Applies to Node.js v21. | ||
|
|
||
| For more details, refer to the original announcement: [Node.js Vulnerability Announcement](https://nodejs.org/en/blog/vulnerability/upcoming-cve-for-eol-versions). | ||
|
|
||
| ## Why Node.js Does Not Evaluate EOL Versions | ||
|
|
||
| Due to resource constraints, Node.js does not assess security reports for EOL | ||
| releases or include them in regular CVE version ranges. With over 20 EOL | ||
| versions—each with different dependencies, build processes, and | ||
| platform support—comprehensive vulnerability assessments are not feasible. | ||
|
|
||
| Limiting reviews to a subset of EOL versions could lead to inaccuracies, as | ||
| vulnerabilities may appear differently based on underlying components like OpenSSL. | ||
| Thus, the focus remains on actively supported releases. | ||
|
|
||
| > "Why did the Node.js project issue a CVE for all EOL releases? Because we | ||
| don’t have the resources to evaluate every single past release to know which | ||
| are vulnerable. Node.js is run by volunteers. We have sufficient funding to | ||
| maintain current releases, but not beyond that. In other words, all past Node.js | ||
| releases are vulnerable or will soon be. This CVE highlights that risk for your | ||
| organization." | ||
| > — Matteo Collina ([Source](https://x.com/matteocollina/status/1882892694722101326)) | ||
|
|
||
| ## Purpose of Issuing These CVEs | ||
|
|
||
| Security scanners in production environments trigger alerts when an active | ||
| Node.js version is flagged as vulnerable, prompting an upgrade. If an EOL | ||
| version is not listed as affected, users might mistakenly consider their setup | ||
| secure. The Node.js Technical Steering Committee (TSC) noted that outdated | ||
| versions, such as Node.js v16 (which, despite being EOL for over a year, still | ||
| sees 11 million downloads per month), continue to be widely used. | ||
|
|
||
| Assigning CVEs to EOL versions directly communicates the associated security | ||
| risks to organizations. | ||
|
|
||
| ## Recent CVE Updates | ||
|
|
||
| Following consultations with the CVE Program, HackerOne, and Node.js, further | ||
| updates were made to these CVEs: | ||
|
|
||
| * MITRE has tagged the CVEs with "unsupported when assigned" and marked them as "disputed" since they do not pinpoint a specific vulnerability. | ||
| * A note has been added indicating that using the CVE List to report an unsupported product is a new approach under review. | ||
|
|
||
| Ultimately, the Board decided to **reject** these CVEs. However, this decision | ||
| does not determine the long-term stance of the CVE Program on EOL support. | ||
| The Board will continue discussing potential solutions for managing EOL versions. | ||
|
|
||
| Therefore, the only *viable* solution to reflect the risk of running and EOL | ||
| line is to update previous CVEs to cover EOL releases, reflecting | ||
| their ongoing security risks. The process is being tracked in | ||
| [nodejs/security-wg#1443](https://github.com/nodejs/security-wg/issues/1443). | ||
|
|
||
| ## Questions and Feedback | ||
|
|
||
| We understand that upgrading may require effort, and we’re here to help. If you have | ||
| any questions or need assistance, please reach out to us via: | ||
|
|
||
| - [Node.js Help Repository](https://github.com/nodejs/help) | ||
|
|
||
| For organizations or developers who require continued use of EOL Node.js versions, | ||
| the [OpenJS Ecosystem Sustainability Program](https://nodejs.org/en/about/previous-releases#commercial-support) | ||
| provides commercial support options. | ||
|
|
||
| Thank you for your attention to this important matter. | ||
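Review bot: In the "Recent CVE Updates" section, "the risk of running and EOL line" should read "running an EOL line", and "the Board" is used without being introduced; the preceding paragraph names only "the CVE Program, HackerOne, and Node.js", so spell out which board rejected the CVEs (for example "the CVE Board") on first use. Related to that, the TL;DR attributes the rejection to MITRE while the body attributes it to the Board; pick one attribution so the two statements agree. Minor: in the TL;DR, "have been rejected by MITRE and therefore the Node.js team decided" reads better as "were rejected by MITRE, so the Node.js team decided".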