Upcoming CVE for End-of-Life Node.js Versions

The Node.js Project

The Node.js Project is committed to ensuring the security and reliability of applications built on Node.js. As part of this commitment, we regularly review measures to help our users stay informed about security risks.

Announcement

We will soon issue a Common Vulnerabilities and Exposures (CVE) identifier for End-of-Life (EOL) versions of Node.js. This CVE will serve as an official notification to inform users that these versions are no longer maintained and may pose significant security risks.

The CVE will cite Unsupported When Assigned under CWE-1104: Use of Unmaintained Third Party Components. For more details on this decision, you can refer to the discussion in this GitHub issue.

Why Issue a CVE?

Many organizations rely on CVE notifications to track security issues across their software stacks. The Node.js project aims for a timely resolution and disclosure for all reported vulnerabilities for the maintained release lines. However, we do not issue CVEs for EOL release lines. By issuing a CVE for EOL versions of Node.js, we aim to:

  • Raise Awareness: Inform users that running EOL versions exposes their applications to potential vulnerabilities.
  • Encourage Upgrades: Prompt organizations and developers to update to actively supported Node.js versions.
  • Improve Security: Reduce the number of applications running outdated and unsupported versions of Node.js.

Node.js v16, despite being EOL for over a year, has still 11 million downloads per month.

What Does This Mean for You?

If you are using an EOL version of Node.js, we strongly encourage you to upgrade to a supported version immediately. You can find the list of actively supported versions and their maintenance schedules in the Node.js Release Schedule.

To check which version of Node.js your application is running, execute the following command in your terminal:

node -v

If your version is no longer supported, please refer to our Migration Guide for assistance in upgrading.

You can also run is-my-node-vulnerable to check if you are using an EOL version or any version with an CVE issued to it.

npx is-my-node-vulnerable

Supported Versions

As of the date of this announcement, the following versions are actively supported:

  • Node.js 23 (Current)
  • Node.js 22 (LTS)
  • Node.js 20 (Maintenance LTS)
  • Node.js 18 (Maintenance LTS)

All other versions are no longer supported and should be considered deprecated.

Questions and Feedback

We understand that upgrading may require effort, and we’re here to help. If you have any questions or need assistance, please reach out to us via:

For organizations or developers who require continued use of EOL Node.js versions, the OpenJS Ecosystem Sustainability Program provides commercial support options.

Thank you for your attention to this important matter.