Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

doc: add Updates on CVE to EOL blog post #7537

Merged
merged 4 commits into from
Mar 7, 2025
+88 −0
Merged

doc: add Updates on CVE to EOL blog post #7537

Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
a0d95e4
doc: add Updates on CVE to EOL blog post
RafaelGSS Mar 5, 2025
60bc31c
Apply suggestions from code review
RafaelGSS Mar 6, 2025
de21e70
fixup! doc: add Updates on CVE to EOL blog post
RafaelGSS Mar 7, 2025
e925148
doc: update release date
RafaelGSS Mar 7, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
88 changes: 88 additions & 0 deletions apps/site/pages/en/blog/vulnerability/updates-cve-for-end-of-life.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,88 @@
---
date: '2025-03-07T16:00:00.000Z'
category: vulnerability
title: Updates on CVE for End-of-Life Versions
layout: blog-post
author: Rafael Gonzaga
---

# Update on the issuance of CVEs to mark End-of-Life Node.js Versions

**TL;DR:** CVE-2025-23087, CVE-2025-23088, and CVE-2025-23089 issued to
tag EOL versions have been rejected by MITRE.
The Node.js team has, therefore, decided to update previous vulnerability specific
CVEs to cover EOL releases, reflecting their ongoing security risks. This means that
all new CVEs issued will include EOL releases in the applicability until we have specific
information that indicates a CVE does not apply to an EOL release line. The project
does not plan to evaluate CVEs against EOL lines but information provided to the
project may be used to update the applicability if/when it is available.

On January 21, 2025, Node.js released security patches for four active release
lines. At the same time, CVEs were assigned to cover EOL (end-of-life) versions:

- **CVE-2025-23087:** Applies to Node.js v17 and all earlier versions (including v0.x).
- **CVE-2025-23088:** Applies to Node.js v19.
- **CVE-2025-23089:** Applies to Node.js v21.

For more details, refer to the original announcement: [Node.js Vulnerability Announcement](https://nodejs.org/en/blog/vulnerability/upcoming-cve-for-eol-versions).

## Why Node.js Does Not Evaluate EOL Versions

Due to resource constraints, Node.js does not assess security reports for EOL
releases or include them in regular CVE version ranges. With over 20 EOL
versions—each with different dependencies, build processes, and
platform support—comprehensive vulnerability assessments are not feasible.

Limiting reviews to a subset of EOL versions could lead to inaccuracies, as
vulnerabilities may appear differently based on underlying components like OpenSSL.
Thus, the focus remains on actively supported releases.

> "Why did the Node.js project issue a CVE for all EOL releases? Because we
> don’t have the resources to evaluate every single past release to know which
> are vulnerable. Node.js is run by volunteers. We have sufficient funding to
> maintain current releases, but not beyond that. In other words, all past Node.js
> releases are vulnerable or will soon be. This CVE highlights that risk for your
> organization."
> — Matteo Collina ([Source](https://x.com/matteocollina/status/1882892694722101326))

## Purpose of Issuing These CVEs

Security scanners in production environments trigger alerts when an active
Node.js version is flagged as vulnerable, prompting an upgrade. If an EOL
version is not listed as affected, users might mistakenly consider their setup
secure. The Node.js Technical Steering Committee (TSC) noted that outdated
versions, such as Node.js v16 (which, despite being EOL for over a year, still
sees 11 million downloads per month), continue to be widely used.

Assigning CVEs to EOL versions directly communicates the associated security
risks to organizations.

## Recent CVE Updates

Following consultations with the CVE Program, HackerOne, and Node.js, further
updates were made to these CVEs:

- MITRE has tagged the CVEs with "unsupported when assigned" and marked them as "disputed" since they do not pinpoint a specific vulnerability.
- A note has been added indicating that using the CVE List to report an unsupported product is a new approach under review.

Ultimately, the Board decided to **reject** these CVEs. However, this decision
does not determine the long-term stance of the CVE Program on EOL support.
The Board will continue discussing potential solutions for managing EOL versions.

Therefore, the only _viable_ solution to reflect the risk of running and EOL
line is to update previous CVEs to cover EOL releases, reflecting
their ongoing security risks. The process is being tracked in
[nodejs/security-wg#1443](https://github.com/nodejs/security-wg/issues/1443).

## Questions and Feedback

We understand that upgrading may require effort, and we’re here to help. If you have
any questions or need assistance, please reach out to us via:

- [Node.js Help Repository](https://github.com/nodejs/help)

For organizations or developers who require continued use of EOL Node.js versions,
the [OpenJS Ecosystem Sustainability Program](https://nodejs.org/en/about/previous-releases#commercial-support)
provides commercial support options.

Thank you for your attention to this important matter.
Loading