nodejs · RafaelGSS · Mar 7, 2025 · Mar 5, 2025 · Mar 6, 2025 · Mar 7, 2025
@@ -0,0 +1,83 @@
+---
+date: '2025-03-06T16:00:00.000Z'
+category: vulnerability
+title: Updates on CVE for End-of-Life Versions
+layout: blog-post
+author: Rafael Gonzaga
+---
+
+# Rationale for Issuing CVEs on End-of-Life Node.js Versions
+
+**TL;DR:** CVE-2025-23087, CVE-2025-23088, and CVE-2025-23089 have been
+rejected by MITRE and therefore the Node.js team decided to update previous
+CVEs to cover EOL releases, reflecting their ongoing security risks.
+
+On January 21, 2025, Node.js released security patches for four active release
+lines. At the same time, CVEs were assigned to cover EOL (end-of-life) versions:
+
+* **CVE-2025-23087:** Applies to Node.js v17 and all earlier versions (including v0.x).
+* **CVE-2025-23088:** Applies to Node.js v19.
+* **CVE-2025-23089:** Applies to Node.js v21.
+
+For more details, refer to the original announcement: [Node.js Vulnerability Announcement](https://nodejs.org/en/blog/vulnerability/upcoming-cve-for-eol-versions).
+
+## Why Node.js Does Not Evaluate EOL Versions
+
+Due to resource constraints, Node.js does not assess security reports for EOL
+releases or include them in regular CVE version ranges. With over 20 EOL
+versions—each with different dependencies, build processes, and
+platform support—comprehensive vulnerability assessments are not feasible.
+
+Limiting reviews to a subset of EOL versions could lead to inaccuracies, as
+vulnerabilities may appear differently based on underlying components like OpenSSL.
+Thus, the focus remains on actively supported releases.
+
+> "Why did the Node.js project issue a CVE for all EOL releases? Because we
+don’t have the resources to evaluate every single past release to know which
+are vulnerable. Node.js is run by volunteers. We have sufficient funding to
+maintain current releases, but not beyond that. In other words, all past Node.js
+releases are vulnerable or will soon be. This CVE highlights that risk for your
+organization."
+> — Matteo Collina ([Source](https://x.com/matteocollina/status/1882892694722101326))
+
+## Purpose of Issuing These CVEs
+
+Security scanners in production environments trigger alerts when an active
+Node.js version is flagged as vulnerable, prompting an upgrade. If an EOL
+version is not listed as affected, users might mistakenly consider their setup
+secure. The Node.js Technical Steering Committee (TSC) noted that outdated
+versions, such as Node.js v16 (which, despite being EOL for over a year, still
+sees 11 million downloads per month), continue to be widely used.
+
+Assigning CVEs to EOL versions directly communicates the associated security
+risks to organizations.
+
+## Recent CVE Updates
+
+Following consultations with the CVE Program, HackerOne, and Node.js, further
+updates were made to these CVEs:
+
+* MITRE has tagged the CVEs with "unsupported when assigned" and marked them as "disputed" since they do not pinpoint a specific vulnerability.
+* A note has been added indicating that using the CVE List to report an unsupported product is a new approach under review.
+
+Ultimately, the Board decided to **reject** these CVEs. However, this decision
+does not determine the long-term stance of the CVE Program on EOL support.
+The Board will continue discussing potential solutions for managing EOL versions.
+
+Therefore, the only *viable* solution to reflect the risk of running and EOL
+line is to update previous CVEs to cover EOL releases, reflecting
+their ongoing security risks. The process is being tracked in
+[nodejs/security-wg#1443](https://github.com/nodejs/security-wg/issues/1443).
+
+## Questions and Feedback
+
+We understand that upgrading may require effort, and we’re here to help. If you have
+any questions or need assistance, please reach out to us via:
+
+- [Node.js Help Repository](https://github.com/nodejs/help)
+
+For organizations or developers who require continued use of EOL Node.js versions,
+the [OpenJS Ecosystem Sustainability Program](https://nodejs.org/en/about/previous-releases#commercial-support)
+provides commercial support options.
+
+Thank you for your attention to this important matter.