Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

blog: add Upcoming CVE for EOL Versions post #7328

Open
wants to merge 5 commits into
base: main
Choose a base branch
from
Open
Changes from 3 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
@@ -0,0 +1,88 @@
---
date: '2025-01-14T16:00:00.000Z'
category: vulnerability
title: Upcoming CVE for End-of-Life Node.js Versions
layout: blog-post
author: The Node.js Project
---

The Node.js Project is committed to ensuring the security and reliability of
applications built on Node.js. As part of this commitment, we regularly review
measures to help our users stay informed about security risks.

## Announcement

We will soon issue a Common Vulnerabilities and Exposures (CVE) identifier for
**End-of-Life (EOL)** versions of Node.js. This CVE will serve as an official
notification to inform users that these versions are no longer maintained and
may pose significant security risks.

The CVE will cite **Unsupported When Assigned** under
[CWE-1104](https://cwe.mitre.org/data/definitions/1104.html): *Use of Unmaintained Third Party Components*.
For more details on this decision, you can refer to the discussion in
[this GitHub issue](https://github.com/nodejs/security-wg/issues/1401).

## Why Issue a CVE?

Many organizations rely on CVE notifications to track security issues across
their software stacks. The Node.js project guarantee a timely resolution and disclosure
RafaelGSS marked this conversation as resolved.
Show resolved Hide resolved
for all reported vulnerabilities for the _maintained_ release lines.
However, we do not issue CVEs for EOL release lines.
By issuing a CVE for EOL versions of Node.js, we aim to:

* **Raise Awareness:** Inform users that running EOL versions exposes their
applications to potential vulnerabilities.
* **Encourage Upgrades:** Prompt organizations and developers to update to
actively supported Node.js versions.
* **Improve Security:** Reduce the number of applications running outdated and
unsupported versions of Node.js.
RafaelGSS marked this conversation as resolved.
Show resolved Hide resolved

> Node.js v16, despite being EOL for over a year, has still 11 million downloads per month.

## What Does This Mean for You?

If you are using an EOL version of Node.js, we strongly encourage you to upgrade
to a supported version immediately. You can find the list of actively supported
versions and their maintenance schedules in the [Node.js Release Schedule](https://github.com/nodejs/release#release-schedule).

To check which version of Node.js your application is running, execute the
following command in your terminal:

```bash
node -v
```

If your version is no longer supported, please refer to our
[Migration Guide](https://nodejs.org/en/docs/guides/upgrading/) for assistance
in upgrading.

You can also run [`is-my-node-vulnerable`](https://github.com/RafaelGSS/is-my-node-vulnerable)
RafaelGSS marked this conversation as resolved.
Show resolved Hide resolved
to check if you are using an EOL version or any version with an CVE issued to it.

```bash
npx is-my-node-vulnerable
```

## Supported Versions

As of the date of this announcement, the following versions are actively supported:

* Node.js 23 (Current)
* Node.js 22 (LTS)
* Node.js 20 (Maintenance LTS)
* Node.js 18 (Maintenance LTS)

All other versions are no longer supported and should be considered deprecated.

## Questions and Feedback

We understand that upgrading may require effort, and we’re here to help. If you have
any questions or need assistance, please reach out to us via:

bmuenzenmeyer marked this conversation as resolved.
Show resolved Hide resolved
* [Node.js Help Repository](https://github.com/nodejs/help)

For organizations or developers who require continued use of EOL Node.js versions,
the [OpenJS Ecosystem Sustainability Program](https://nodejs.org/en/about/previous-releases#commercial-support)
provides commercial support options.

Thank you for your attention to this important matter.
Loading