From a0d95e4050b3c36d5852813cb54c58a32ed0950f Mon Sep 17 00:00:00 2001 From: RafaelGSS Date: Wed, 5 Mar 2025 10:38:06 -0300 Subject: [PATCH 1/4] doc: add Updates on CVE to EOL blog post Refs: https://github.com/nodejs/security-wg/issues/1443 --- .../updates-cve-for-end-of-life.md | 83 +++++++++++++++++++ 1 file changed, 83 insertions(+) create mode 100644 apps/site/pages/en/blog/vulnerability/updates-cve-for-end-of-life.md diff --git a/apps/site/pages/en/blog/vulnerability/updates-cve-for-end-of-life.md b/apps/site/pages/en/blog/vulnerability/updates-cve-for-end-of-life.md new file mode 100644 index 0000000000000..8aa40ce817ba5 --- /dev/null +++ b/apps/site/pages/en/blog/vulnerability/updates-cve-for-end-of-life.md 
@@ -0,0 +1,83 @@ +--- +date: '2025-03-06T16:00:00.000Z' +category: vulnerability +title: Updates on CVE for End-of-Life Versions +layout: blog-post +author: Rafael Gonzaga +--- + +# Rationale for Issuing CVEs on End-of-Life Node.js Versions + +**TL;DR:** CVE-2025-23087, CVE-2025-23088, and CVE-2025-23089 have been +rejected by MITRE and therefore the Node.js team decided to update previous +CVEs to cover EOL releases, reflecting their ongoing security risks. + +On January 21, 2025, Node.js released security patches for four active release +lines. At the same time, CVEs were assigned to cover EOL (end-of-life) versions: + +* **CVE-2025-23087:** Applies to Node.js v17 and all earlier versions (including v0.x). +* **CVE-2025-23088:** Applies to Node.js v19. +* **CVE-2025-23089:** Applies to Node.js v21. + +For more details, refer to the original announcement: [Node.js Vulnerability Announcement](https://nodejs.org/en/blog/vulnerability/upcoming-cve-for-eol-versions). + +## Why Node.js Does Not Evaluate EOL Versions + +Due to resource constraints, Node.js does not assess security reports for EOL +releases or include them in regular CVE version ranges. With over 20 EOL +versions—each with different dependencies, build processes, and +platform support—comprehensive vulnerability assessments are not feasible. + +Limiting reviews to a subset of EOL versions could lead to inaccuracies, as +vulnerabilities may appear differently based on underlying components like OpenSSL. +Thus, the focus remains on actively supported releases. + +> "Why did the Node.js project issue a CVE for all EOL releases? Because we +don’t have the resources to evaluate every single past release to know which +are vulnerable. Node.js is run by volunteers. We have sufficient funding to +maintain current releases, but not beyond that. In other words, all past Node.js +releases are vulnerable or will soon be. This CVE highlights that risk for your +organization." 
+> — Matteo Collina ([Source](https://x.com/matteocollina/status/1882892694722101326)) + +## Purpose of Issuing These CVEs + +Security scanners in production environments trigger alerts when an active +Node.js version is flagged as vulnerable, prompting an upgrade. If an EOL +version is not listed as affected, users might mistakenly consider their setup +secure. The Node.js Technical Steering Committee (TSC) noted that outdated +versions, such as Node.js v16 (which, despite being EOL for over a year, still +sees 11 million downloads per month), continue to be widely used. + +Assigning CVEs to EOL versions directly communicates the associated security +risks to organizations. + +## Recent CVE Updates + +Following consultations with the CVE Program, HackerOne, and Node.js, further +updates were made to these CVEs: + +* MITRE has tagged the CVEs with "unsupported when assigned" and marked them as "disputed" since they do not pinpoint a specific vulnerability. +* A note has been added indicating that using the CVE List to report an unsupported product is a new approach under review. + +Ultimately, the Board decided to **reject** these CVEs. However, this decision +does not determine the long-term stance of the CVE Program on EOL support. +The Board will continue discussing potential solutions for managing EOL versions. + +Therefore, the only *viable* solution to reflect the risk of running and EOL +line is to update previous CVEs to cover EOL releases, reflecting +their ongoing security risks. The process is being tracked in +[nodejs/security-wg#1443](https://github.com/nodejs/security-wg/issues/1443). + +## Questions and Feedback + +We understand that upgrading may require effort, and we’re here to help. 
If you have +any questions or need assistance, please reach out to us via: + +- [Node.js Help Repository](https://github.com/nodejs/help) + +For organizations or developers who require continued use of EOL Node.js versions, +the [OpenJS Ecosystem Sustainability Program](https://nodejs.org/en/about/previous-releases#commercial-support) +provides commercial support options. + +Thank you for your attention to this important matter. From 60bc31c88687319710840eeef063939dd3e73769 Mon Sep 17 00:00:00 2001 From: Rafael Gonzaga Date: Thu, 6 Mar 2025 18:51:47 -0300 Subject: [PATCH 2/4] Apply suggestions from code review Co-authored-by: Michael Dawson Signed-off-by: Rafael Gonzaga --- .../vulnerability/updates-cve-for-end-of-life.md | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/apps/site/pages/en/blog/vulnerability/updates-cve-for-end-of-life.md b/apps/site/pages/en/blog/vulnerability/updates-cve-for-end-of-life.md index 8aa40ce817ba5..7ce1871b949f2 100644 --- a/apps/site/pages/en/blog/vulnerability/updates-cve-for-end-of-life.md +++ b/apps/site/pages/en/blog/vulnerability/updates-cve-for-end-of-life.md 
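Review bot: in the "Recent CVE Updates" section of the new file, "the risk of running and EOL line" should read "running an EOL line", and "the Board decided to reject these CVEs" refers to a body the post never introduces; the surrounding sentences only mention the CVE Program, HackerOne and MITRE, so spell out which board is meant (for example "the CVE Program Board") on first use. Two smaller points in the same hunk: the continuation lines of the Matteo Collina quote lack the leading "> ", so in rendered Markdown the blockquote ends after its first line, and the "11 million downloads per month" figure for v16 carries no source or date, so either link the download statistics it comes from or qualify it as approximate.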
@@ -6,11 +6,16 @@ layout: blog-post author: Rafael Gonzaga --- -# Rationale for Issuing CVEs on End-of-Life Node.js Versions - -**TL;DR:** CVE-2025-23087, CVE-2025-23088, and CVE-2025-23089 have been -rejected by MITRE and therefore the Node.js team decided to update previous -CVEs to cover EOL releases, reflecting their ongoing security risks. +# Update on the issuance of CVEs to mark End-of-Life Node.js Versions + +**TL;DR:** CVE-2025-23087, CVE-2025-23088, and CVE-2025-23089 issued to +tag EOL versions have been rejected by MITRE. +The Node.js team has, therefore, decided to update previous vulnerability specific +CVEs to cover EOL releases, reflecting their ongoing security risks. This means that +all new CVEs issued will include EOL releases in the applicability until we have specific +information that indicates a CVE does not apply to an EOL release line. The project +does not plan to evaluate CVEs against EOL lines but information provided to the +project may be used to update the applicability if/when it is available. On January 21, 2025, Node.js released security patches for four active release lines. At the same time, CVEs were assigned to cover EOL (end-of-life) versions: From de21e707287796223c6a58b4b5ca82b3714b9786 Mon Sep 17 00:00:00 2001 From: RafaelGSS Date: Fri, 7 Mar 2025 14:07:12 -0300 Subject: [PATCH 3/4] fixup! doc: add Updates on CVE to EOL blog post --- .../updates-cve-for-end-of-life.md | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/apps/site/pages/en/blog/vulnerability/updates-cve-for-end-of-life.md b/apps/site/pages/en/blog/vulnerability/updates-cve-for-end-of-life.md index 7ce1871b949f2..3a93e6b8cfedd 100644 --- a/apps/site/pages/en/blog/vulnerability/updates-cve-for-end-of-life.md +++ b/apps/site/pages/en/blog/vulnerability/updates-cve-for-end-of-life.md 
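Review bot: the expanded TL;DR now states a forward-looking policy ("all new CVEs issued will include EOL releases in the applicability until we have specific information that indicates a CVE does not apply"), while the "Recent CVE Updates" section later in the file still describes only updating previous CVEs; bring that section in line so the two parts of the post agree on whether future CVEs are covered. Also hyphenate "vulnerability specific CVEs" as "vulnerability-specific CVEs", and the new H1 mixes cases ("Update on the issuance of CVEs to mark End-of-Life Node.js Versions"); match the title case used in the front matter title.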
@@ -20,9 +20,9 @@ project may be used to update the applicability if/when it is available. On January 21, 2025, Node.js released security patches for four active release lines. At the same time, CVEs were assigned to cover EOL (end-of-life) versions: -* **CVE-2025-23087:** Applies to Node.js v17 and all earlier versions (including v0.x). -* **CVE-2025-23088:** Applies to Node.js v19. -* **CVE-2025-23089:** Applies to Node.js v21. +- **CVE-2025-23087:** Applies to Node.js v17 and all earlier versions (including v0.x). +- **CVE-2025-23088:** Applies to Node.js v19. +- **CVE-2025-23089:** Applies to Node.js v21. For more details, refer to the original announcement: [Node.js Vulnerability Announcement](https://nodejs.org/en/blog/vulnerability/upcoming-cve-for-eol-versions). @@ -38,11 +38,11 @@ vulnerabilities may appear differently based on underlying components like OpenS Thus, the focus remains on actively supported releases. > "Why did the Node.js project issue a CVE for all EOL releases? Because we -don’t have the resources to evaluate every single past release to know which -are vulnerable. Node.js is run by volunteers. We have sufficient funding to -maintain current releases, but not beyond that. In other words, all past Node.js -releases are vulnerable or will soon be. This CVE highlights that risk for your -organization." +> don’t have the resources to evaluate every single past release to know which +> are vulnerable. Node.js is run by volunteers. We have sufficient funding to +> maintain current releases, but not beyond that. In other words, all past Node.js +> releases are vulnerable or will soon be. This CVE highlights that risk for your +> organization." > — Matteo Collina ([Source](https://x.com/matteocollina/status/1882892694722101326)) ## Purpose of Issuing These CVEs 
@@ -62,14 +62,14 @@ risks to organizations. Following consultations with the CVE Program, HackerOne, and Node.js, further updates were made to these CVEs: -* MITRE has tagged the CVEs with "unsupported when assigned" and marked them as "disputed" since they do not pinpoint a specific vulnerability. -* A note has been added indicating that using the CVE List to report an unsupported product is a new approach under review. +- MITRE has tagged the CVEs with "unsupported when assigned" and marked them as "disputed" since they do not pinpoint a specific vulnerability. +- A note has been added indicating that using the CVE List to report an unsupported product is a new approach under review. Ultimately, the Board decided to **reject** these CVEs. However, this decision does not determine the long-term stance of the CVE Program on EOL support. The Board will continue discussing potential solutions for managing EOL versions. -Therefore, the only *viable* solution to reflect the risk of running and EOL +Therefore, the only _viable_ solution to reflect the risk of running and EOL line is to update previous CVEs to cover EOL releases, reflecting their ongoing security risks. The process is being tracked in [nodejs/security-wg#1443](https://github.com/nodejs/security-wg/issues/1443). From e925148c926f32cc395224428180b423ee09855d Mon Sep 17 00:00:00 2001 From: RafaelGSS Date: Fri, 7 Mar 2025 14:07:41 -0300 Subject: [PATCH 4/4] doc: update release date --- .../pages/en/blog/vulnerability/updates-cve-for-end-of-life.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/site/pages/en/blog/vulnerability/updates-cve-for-end-of-life.md b/apps/site/pages/en/blog/vulnerability/updates-cve-for-end-of-life.md index 3a93e6b8cfedd..23aec38cce35e 100644 --- a/apps/site/pages/en/blog/vulnerability/updates-cve-for-end-of-life.md +++ b/apps/site/pages/en/blog/vulnerability/updates-cve-for-end-of-life.md 
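Review bot: the last hunk rewrites the "running and EOL line" sentence only to swap `*viable*` for `_viable_` and leaves the typo in place; since the line is being touched anyway, change it to "the risk of running an EOL line" in the same edit. The other changes in this patch (list markers `*` to `-`, "> " prefixes on the quote continuation lines) are formatting only and fix the blockquote rendering issue from the first patch.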
@@ -1,5 +1,5 @@ --- -date: '2025-03-06T16:00:00.000Z' +date: '2025-03-07T16:00:00.000Z' category: vulnerability title: Updates on CVE for End-of-Life Versions layout: blog-post