In a significant move to bolster security and encourage users to stay up-to-date, the Node.js Project has announced it will soon issue a Common Vulnerabilities and Exposures (CVE) identifier for all End-of-Life (EOL) versions of Node.js.
“The Node.js Project is committed to ensuring the security and reliability of applications built on Node.js,” the official announcement states. “As part of this commitment, we regularly review measures to help our users stay informed about security risks.”
This CVE will act as a formal alert that EOL versions are no longer maintained and may contain critical, unpatched vulnerabilities. It will be flagged “Unsupported When Assigned” and reference CWE-1104: Use of Unmaintained Third Party Components.
Many organizations rely on CVE notifications to manage security vulnerabilities across their software infrastructure. While Node.js diligently addresses and discloses vulnerabilities in actively supported versions, EOL versions have historically not received CVEs, so a scanner keyed on CVE data can report an EOL runtime as clean even though the fixes shipped for supported release lines were never backported to it. By issuing a CVE for EOL versions, the project aims to:
- Raise Awareness: Inform users about the potential dangers of running EOL versions.
- Encourage Upgrades: Motivate organizations and developers to transition to supported Node.js releases.
- Improve Security: Reduce the overall number of applications running outdated and vulnerable versions of Node.js.
This decision is particularly relevant given how widely EOL versions are still used. Node.js v16, which reached EOL over a year ago, still records roughly 11 million downloads per month.
If you’re currently using an EOL version of Node.js, it’s crucial to upgrade to a supported version immediately. You can find the list of active versions and their maintenance schedules on the official Node.js Release Schedule.
To determine the Node.js version your application is using, run node -v in your terminal; check every environment the application actually runs in (container images, CI runners, serverless runtimes), since the interpreter on a developer workstation is often not the one in production. You can also use the is-my-node-vulnerable tool to check whether your version has any associated CVEs.
At the time of writing, the following Node.js versions are actively supported:
- Node.js 23 (Current)
- Node.js 22 (LTS)
- Node.js 20 (Maintenance LTS)
- Node.js 18 (Maintenance LTS)
All other release lines are End-of-Life, receive no security fixes, and should be upgraded.
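Checking a version string against the release schedule, as an added example that is not part of the original article or of the Node.js project's own tooling: the script below parses the output of node -v (or process.version), classifies the release line against a schedule in the shape of the nodejs/Release schedule.json file, and reports whether that line still receives security fixes. SAMPLE_SCHEDULE is a constructed, abbreviated sample whose dates approximate the lines listed above; the function names, the status labels, and the assumption that each schedule entry carries start, lts, maintenance and end fields are this example's own.

```javascript
// Added example (not code from the Node.js project): classify a Node.js
// version against a release schedule in the shape of nodejs/Release's
// schedule.json and flag End-of-Life lines. SAMPLE_SCHEDULE is a
// constructed, abbreviated copy for illustration; take the dates for the
// live lines from the official Release Schedule.
'use strict';

// Constructed sample in the schedule.json shape: one entry per release line,
// ISO dates for the phase boundaries. Current-only (odd) lines have no "lts".
const SAMPLE_SCHEDULE = {
  v16: { start: '2021-04-20', lts: '2021-10-26', maintenance: '2022-10-18', end: '2023-09-11', codename: 'Gallium' },
  v18: { start: '2022-04-19', lts: '2022-10-25', maintenance: '2023-10-18', end: '2025-04-30', codename: 'Hydrogen' },
  v20: { start: '2023-04-18', lts: '2023-10-24', maintenance: '2024-10-22', end: '2026-04-30', codename: 'Iron' },
  v22: { start: '2024-04-24', lts: '2024-10-29', maintenance: '2025-10-21', end: '2027-04-30', codename: 'Jod' },
  v23: { start: '2024-10-16', maintenance: '2025-04-01', end: '2025-06-01' },
};

// Extract the major from the string that `node -v` / process.version prints ("v18.20.4").
function parseMajor(versionString) {
  const m = /^v?(\d+)\.\d+\.\d+/.exec(versionString.trim());
  if (!m) throw new Error(`unrecognised Node.js version string: ${versionString}`);
  return Number(m[1]);
}

// Phase of a release line on a given ISO date (YYYY-MM-DD). ISO dates compare
// correctly as plain strings, so no Date parsing (and no timezone surprises) is needed.
// Status labels are this example's own, not the project's terminology.
function lineStatus(major, schedule, today) {
  const line = schedule[`v${major}`];
  if (!line) return 'unknown';               // not in the schedule: treat as unsupported
  if (today < line.start) return 'unreleased';
  if (today >= line.end) return 'end-of-life';
  if (line.maintenance && today >= line.maintenance) return 'maintenance';
  if (line.lts && today >= line.lts) return 'active';
  return 'current';
}

// Only Current, Active LTS and Maintenance LTS lines receive security fixes;
// a CI gate can fail the build when this returns false.
function isSupported(versionString, schedule, today) {
  const status = lineStatus(parseMajor(versionString), schedule, today);
  return status === 'current' || status === 'active' || status === 'maintenance';
}

// Stand-alone use: report on the interpreter running this file.
const todayIso = new Date().toISOString().slice(0, 10);
console.log(`${process.version} is ${lineStatus(parseMajor(process.version), SAMPLE_SCHEDULE, todayIso)} as of ${todayIso}`);
```

Unknown lines are deliberately reported as unsupported rather than silently passed: a major that is missing from the schedule you ship is more likely a stale schedule or a typo than a supported release, and the safe failure mode for a gate is to block and make someone look.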