-
Notifications
You must be signed in to change notification settings - Fork 6.3k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
blog: add Upcoming CVE for EOL Versions post
Refs: nodejs/security-wg#1401
- Loading branch information
Showing
1 changed file
with
79 additions
and
0 deletions.
There are no files selected for viewing
79 changes: 79 additions & 0 deletions
79
apps/site/pages/en/blog/vulnerability/upcoming-cve-for-eol-versions.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,79 @@ | ||
| --- | ||
| date: '2025-01-14T16:00:00.000Z' | ||
| category: vulnerability | ||
| title: Upcoming CVE for End-of-Life Node.js Versions | ||
| layout: blog-post | ||
| author: The Node.js Project | ||
| --- | ||
|
|
||
| The Node.js Project is committed to ensuring the security and reliability of | ||
| applications built on Node.js. As part of this commitment, we regularly review | ||
| measures to help our users stay informed about security risks. | ||
|
|
||
| ## Announcement | ||
|
|
||
| We will soon issue a Common Vulnerabilities and Exposures (CVE) identifier for | ||
| **End-of-Life (EOL)** versions of Node.js. This CVE will serve as an official | ||
| notification to inform users that these versions are no longer maintained and | ||
| may pose significant security risks. | ||
|
|
||
| The CVE will cite **Unsupported When Assigned** under | ||
| [CWE-1104](https://cwe.mitre.org/data/definitions/1104.html): *Use of Unmaintained Third Party Components*. | ||
| For more details on this decision, you can refer to the discussion in | ||
| [this GitHub issue](https://github.com/nodejs/security-wg/issues/1401). | ||
|
|
||
| ## Why Issue a CVE? | ||
|
|
||
| Many organizations rely on CVE notifications to track security issues across | ||
| their software stacks. By issuing a CVE for EOL versions of Node.js, we aim to: | ||
|
|
||
| * **Raise Awareness:** Inform users that running EOL versions exposes their | ||
| applications to potential vulnerabilities. | ||
| * **Encourage Upgrades:** Prompt organizations and developers to update to | ||
| actively supported Node.js versions. | ||
| * **Improve Security:** Reduce the number of applications running outdated and | ||
| unsupported versions of Node.js. | ||
|
|
||
| ## What Does This Mean for You? | ||
|
|
||
| If you are using an EOL version of Node.js, we strongly encourage you to upgrade | ||
| to a supported version immediately. You can find the list of actively supported | ||
| versions and their maintenance schedules in the [Node.js Release Schedule](https://github.com/nodejs/release#release-schedule). | ||
|
|
||
| To check which version of Node.js your application is running, execute the | ||
| following command in your terminal: | ||
|
|
||
| ```bash | ||
| node -v | ||
| ``` | ||
|
|
||
| If your version is no longer supported, please refer to our | ||
| [Migration Guide](https://nodejs.org/en/docs/guides/upgrading/) for assistance | ||
| in upgrading. | ||
|
|
||
| You can also run [`is-my-node-vulnerable`](https://github.com/RafaelGSS/is-my-node-vulnerable) | ||
| to check if you are using an EOL version or any version with an CVE issued to it. | ||
|
|
||
| ```bash | ||
| npx is-my-node-vulnerable | ||
| ``` | ||
|
|
||
| ## Supported Versions | ||
|
|
||
| As of the date of this announcement, the following versions are actively supported: | ||
|
|
||
| * Node.js 23 (Current) | ||
| * Node.js 22 (LTS) | ||
| * Node.js 20 (Maintenance LTS) | ||
| * Node.js 18 (Maintenance LTS) | ||
|
|
||
| All other versions are no longer supported and should be considered deprecated. | ||
|
|
||
| ## Questions and Feedback | ||
|
|
||
| We understand that upgrading may require effort, and we’re here to help. If you have | ||
| any questions or need assistance, please reach out to us via: | ||
|
|
||
| * [Node.js Help Repository](https://github.com/nodejs/help) | ||
|
|
||
| Thank you for your attention to this important matter. |