
In a significant shift in its vulnerability-management approach, the Node.js project has decided to extend Common Vulnerabilities and Exposures (CVE) coverage to End-of-Life (EOL) versions of Node.js. The decision follows the rejection of three CVEs the project had assigned to EOL releases, CVE-2025-23087, CVE-2025-23088 and CVE-2025-23089, by MITRE, the organization that operates the CVE program.
Historically, Node.js has not assessed EOL versions for vulnerabilities because of resource constraints. As the Node.js team explained, “Due to resource constraints, Node.js does not assess security reports for EOL releases or include them in regular CVE version ranges.” With more than 20 EOL release lines, each with its own dependency versions and platform support, a thorough assessment of every one of them is impractical.
The continued use of outdated versions is nonetheless a real concern. Node.js v16, for instance, has been EOL for over a year yet still registers 11 million downloads per month. The project’s leadership fears that organizations relying on security scanners, which typically flag a runtime only when its version falls inside a CVE’s affected-version range, could wrongly conclude that an EOL version is secure simply because no CVE lists it.
On January 21, 2025, Node.js released security patches for four actively supported release lines and, at the same time, assigned CVEs to EOL versions to raise awareness of their security risks. These include:
- CVE-2025-23087: Applies to Node.js v17 and all earlier versions (including v0.x).
- CVE-2025-23088: Applies to Node.js v19.
- CVE-2025-23089: Applies to Node.js v21.
Following discussions among the CVE Program, HackerOne and the Node.js team, MITRE rejected these CVEs and marked them “disputed.” The reason is that the CVEs do not describe a specific vulnerability; they instead flag the general insecurity of running outdated versions. MITRE tagged them “unsupported when assigned” and added a note stating that “using the CVE List to report an unsupported product is a new approach under review.”
Despite this rejection, the Node.js team remains firm in its stance. “Why did the Node.js project issue a CVE for all EOL releases? Because we don’t have the resources to evaluate every single past release to know which are vulnerable,” said Node.js Technical Steering Committee (TSC) member Matteo Collina. “In other words, all past Node.js releases are vulnerable or will soon be. This CVE highlights that risk for your organization.”
Rather than assessing EOL versions individually, the Node.js team has chosen to update earlier vulnerability-specific CVEs so that their affected-version ranges explicitly include EOL releases. Going forward, all newly issued CVEs will also cover EOL versions unless specific information shows otherwise. The project does not, however, plan to evaluate EOL releases proactively unless new data emerges that requires an update. In practice this means a scan of an EOL runtime will now surface these CVEs, but no fix will ever ship on the EOL line; the only remediation the project offers is upgrading to a supported release.
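The scanner behaviour this policy targets is easy to reproduce. The following is an added example (not code from the Node.js project or from any scanner vendor) that models how a version-range scanner matches a runtime against CVE affected-version ranges, first with ranges that enumerate only the supported lines and then with the EOL-inclusive ranges described above. The advisory IDs, the “fixed” version boundaries and the sample runtimes are all constructed for illustration and are not real patch versions.

```javascript
// Added example, not Node.js project code. Models a range-matching scanner
// and shows why an EOL runtime is reported clean when advisory ranges cover
// only supported lines. All IDs and version boundaries are hypothetical.

function parseVersion(v) {
  // Accepts "18.20.0" or "v18.20.0"; pre-release and build suffixes are ignored.
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not a Node.js version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  // Numeric, component-wise comparison; plain string comparison would put
  // "0.10.48" before "0.9.0" and "10.0.0" before "9.0.0".
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// A range is half-open: min <= version < fixed.
function inRange(version, range) {
  return compareVersions(version, range.min) >= 0 &&
         compareVersions(version, range.fixed) < 0;
}

function affectedBy(version, advisory) {
  return advisory.affected.some((r) => inRange(version, r));
}

// Returns the IDs of every advisory whose ranges include the runtime version.
function scan(version, advisories) {
  return advisories.filter((a) => affectedBy(version, a)).map((a) => a.id);
}

// Old style: ranges list only the supported lines that received a fix.
// An EOL line such as 16.x simply has no range, so it never matches.
// (Hypothetical "fixed" versions, chosen for illustration only.)
const supportedLinesOnly = {
  id: 'EXAMPLE-SUPPORTED-ONLY',
  affected: [
    { min: '18.0.0', fixed: '18.21.0' },
    { min: '20.0.0', fixed: '20.19.0' },
    { min: '22.0.0', fixed: '22.14.0' },
    { min: '23.0.0', fixed: '23.7.0' },
  ],
};

// New style: the same fix ranges, plus every EOL line treated as affected
// for its whole lifetime, mirroring the v0.x-v17, v19 and v21 groupings
// the article lists.
const eolInclusive = {
  id: 'EXAMPLE-EOL-INCLUSIVE',
  affected: [
    ...supportedLinesOnly.affected,
    { min: '0.0.0', fixed: '18.0.0' },  // every line up to and including 17.x
    { min: '19.0.0', fixed: '20.0.0' }, // 19.x
    { min: '21.0.0', fixed: '22.0.0' }, // 21.x
  ],
};

// Constructed sample runtimes: an ancient 0.x, an EOL LTS line, a vulnerable
// supported line, a patched supported line, an EOL odd-numbered line.
const sampleRuntimes = ['v0.10.48', '16.20.2', '18.5.0', '18.21.0', '19.9.0'];

for (const v of sampleRuntimes) {
  console.log(
    v.padEnd(9),
    'supported-only:', JSON.stringify(scan(v, [supportedLinesOnly])),
    'eol-inclusive:', JSON.stringify(scan(v, [eolInclusive])),
  );
}

// Scanning the process you are running in works the same way.
console.log('this runtime', process.version, scan(process.version, [eolInclusive]));
```

Under the supported-lines-only advisory, 16.20.2 and 19.9.0 match nothing and would be reported clean, which is exactly the false negative the project warns about; under the EOL-inclusive advisory both match, while 18.21.0 (at or above its hypothetical fix version) still matches nothing. Real scanners also consult vendor end-of-life data, so treat this as a model of the CVE-range path only.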
While MITRE’s decision does not currently endorse this approach, it leaves the door open to further discussion of how security disclosures for unsupported software should be handled. Organizations that still rely on legacy Node.js installations should not wait for that outcome: they need to plan an upgrade to a supported release line or put compensating controls around runtimes that cannot be upgraded yet.