| 1 | +--- |
| 2 | +date: '2025-03-07T16:00:00.000Z' |
| 3 | +category: vulnerability |
| 4 | +title: Updates on CVE for End-of-Life Versions |
| 5 | +layout: blog-post |
| 6 | +author: Rafael Gonzaga |
| 7 | +--- |
| 8 | + |
| 9 | +# Update on the issuance of CVEs to mark End-of-Life Node.js Versions |
| 10 | + |
| 11 | +**TL;DR:** CVE-2025-23087, CVE-2025-23088, and CVE-2025-23089 issued to |
| 12 | +tag EOL versions have been rejected by MITRE. |
| 13 | +The Node.js team has, therefore, decided to update previous vulnerability specific |
| 14 | +CVEs to cover EOL releases, reflecting their ongoing security risks. This means that |
| 15 | +all new CVEs issued will include EOL releases in the applicability until we have specific |
| 16 | +information that indicates a CVE does not apply to an EOL release line. The project |
| 17 | +does not plan to evaluate CVEs against EOL lines but information provided to the |
| 18 | +project may be used to update the applicability if/when it is available. |
| 19 | + |
| 20 | +On January 21, 2025, Node.js released security patches for four active release |
| 21 | +lines. At the same time, CVEs were assigned to cover EOL (end-of-life) versions: |
| 22 | + |
| 23 | +- **CVE-2025-23087:** Applies to Node.js v17 and all earlier versions (including v0.x). |
| 24 | +- **CVE-2025-23088:** Applies to Node.js v19. |
| 25 | +- **CVE-2025-23089:** Applies to Node.js v21. |
| 26 | + |
| 27 | +For more details, refer to the original announcement: [Node.js Vulnerability Announcement](https://nodejs.org/en/blog/vulnerability/upcoming-cve-for-eol-versions). |
| 28 | + |
| 29 | +## Why Node.js Does Not Evaluate EOL Versions |
| 30 | + |
| 31 | +Due to resource constraints, Node.js does not assess security reports for EOL |
| 32 | +releases or include them in regular CVE version ranges. With over 20 EOL |
| 33 | +versions—each with different dependencies, build processes, and |
| 34 | +platform support—comprehensive vulnerability assessments are not feasible. |
| 35 | + |
| 36 | +Limiting reviews to a subset of EOL versions could lead to inaccuracies, as |
| 37 | +vulnerabilities may appear differently based on underlying components like OpenSSL. |
| 38 | +Thus, the focus remains on actively supported releases. |
| 39 | + |
| 40 | +> "Why did the Node.js project issue a CVE for all EOL releases? Because we |
| 41 | +> don’t have the resources to evaluate every single past release to know which |
| 42 | +> are vulnerable. Node.js is run by volunteers. We have sufficient funding to |
| 43 | +> maintain current releases, but not beyond that. In other words, all past Node.js |
| 44 | +> releases are vulnerable or will soon be. This CVE highlights that risk for your |
| 45 | +> organization." |
| 46 | +> — Matteo Collina ([Source](https://x.com/matteocollina/status/1882892694722101326)) |
| 47 | +
|
| 48 | +## Purpose of Issuing These CVEs |
| 49 | + |
| 50 | +Security scanners in production environments trigger alerts when an active |
| 51 | +Node.js version is flagged as vulnerable, prompting an upgrade. If an EOL |
| 52 | +version is not listed as affected, users might mistakenly consider their setup |
| 53 | +secure. The Node.js Technical Steering Committee (TSC) noted that outdated |
| 54 | +versions, such as Node.js v16 (which, despite being EOL for over a year, still |
| 55 | +sees 11 million downloads per month), continue to be widely used. |
| 56 | + |
| 57 | +Assigning CVEs to EOL versions directly communicates the associated security |
| 58 | +risks to organizations. |
| 59 | + |
| 60 | +## Recent CVE Updates |
| 61 | + |
| 62 | +Following consultations with the CVE Program, HackerOne, and Node.js, further |
| 63 | +updates were made to these CVEs: |
| 64 | + |
| 65 | +- MITRE has tagged the CVEs with "unsupported when assigned" and marked them as "disputed" since they do not pinpoint a specific vulnerability. |
| 66 | +- A note has been added indicating that using the CVE List to report an unsupported product is a new approach under review. |
| 67 | + |
| 68 | +Ultimately, the Board decided to **reject** these CVEs. However, this decision |
| 69 | +does not determine the long-term stance of the CVE Program on EOL support. |
| 70 | +The Board will continue discussing potential solutions for managing EOL versions. |
| 71 | + |
| 72 | +Therefore, the only _viable_ solution to reflect the risk of running and EOL |
| 73 | +line is to update previous CVEs to cover EOL releases, reflecting |
| 74 | +their ongoing security risks. The process is being tracked in |
| 75 | +[nodejs/security-wg#1443](https://github.com/nodejs/security-wg/issues/1443). |
| 76 | + |
| 77 | +## Questions and Feedback |
| 78 | + |
| 79 | +We understand that upgrading may require effort, and we’re here to help. If you have |
| 80 | +any questions or need assistance, please reach out to us via: |
| 81 | + |
| 82 | +- [Node.js Help Repository](https://github.com/nodejs/help) |
| 83 | + |
| 84 | +For organizations or developers who require continued use of EOL Node.js versions, |
| 85 | +the [OpenJS Ecosystem Sustainability Program](https://nodejs.org/en/about/previous-releases#commercial-support) |
| 86 | +provides commercial support options. |
| 87 | + |
| 88 | +Thank you for your attention to this important matter. |
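Review bot: line 72 of the added post has a typo, "the risk of running and EOL line", which should read "the risk of running an EOL line". Two naming points also need a pass before this merges: the TL;DR (line 12) says the three CVEs "have been rejected by MITRE", while the Recent CVE Updates section (line 68) says "Ultimately, the Board decided to **reject** these CVEs" without ever saying which board; either name one actor throughout or expand "the Board" to "the CVE Board" on first use and make the TL;DR match. Line 13's "previous vulnerability specific CVEs" should be hyphenated as "vulnerability-specific CVEs". Lastly, lines 65-66 describe the "unsupported when assigned" tag, the "disputed" marking and the added note, but link to none of the three CVE records; since line 69 says the CVE Program's long-term stance is still open, a link to at least one of the records would let readers check the current status for themselves.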