nodejs · RafaelGSS · Jan 6, 2025 · Dec 12, 2024 · Dec 12, 2024 · Dec 12, 2024
@@ -0,0 +1,84 @@
+---
+date: '2025-01-06:00:00.000Z'
+category: vulnerability
+title: Upcoming CVE for End-of-Life Node.js Versions
+layout: blog-post
+author: The Node.js Project
+---
+
+The Node.js Project is committed to ensuring the security and reliability of
+applications built on Node.js. As part of this commitment, we regularly review
+measures to help our users stay informed about security risks.
+
+## Announcement
+
+We will soon issue a Common Vulnerabilities and Exposures (CVE) identifier for
+**End-of-Life (EOL)** versions of Node.js. This CVE will serve as an official
+notification to inform users that these versions are no longer maintained and
+may pose significant security risks.
+
+The CVE will cite **Unsupported When Assigned** under
+[CWE-1104](https://cwe.mitre.org/data/definitions/1104.html): _Use of Unmaintained Third Party Components_.
+For more details on this decision, you can refer to the discussion in
+[this GitHub issue](https://github.com/nodejs/security-wg/issues/1401).
+
+## Why Issue a CVE?
+
+Many organizations rely on CVE notifications to track security issues across
+their software stacks. The Node.js project aims for a timely resolution and disclosure
+for all reported vulnerabilities for the _maintained_ release lines.
+However, we do not issue CVEs for EOL release lines.
+By issuing a CVE for EOL versions of Node.js, we aim to:
+
+- **Raise Awareness:** Inform users that running EOL versions exposes their
+  applications to potential vulnerabilities.
+- **Encourage Upgrades:** Prompt organizations and developers to update to
+  actively supported Node.js versions.
+- **Improve Security:** Reduce the number of applications running outdated and
+  unsupported versions of Node.js.
+
+> Node.js v16, despite being EOL for over a year, has still 11 million downloads per month.
+
+## What Does This Mean for You?
+
+If you are using an EOL version of Node.js, we strongly encourage you to upgrade
+to a supported version immediately. You can find the list of actively supported
+versions and their maintenance schedules in the [Node.js Release Schedule](https://github.com/nodejs/release#release-schedule).
+
+To check which version of Node.js your application is running, execute the
+following command in your terminal:
+
+```bash
+node -v
+```
+
+You can also run [`is-my-node-vulnerable`](https://github.com/nodejs/is-my-node-vulnerable)
+to check if you are using an EOL version or any version with an CVE issued to it.
+
+```bash
+npx is-my-node-vulnerable
+```
+
+## Supported Versions
+
+As of the date of this announcement, the following versions are actively supported:
+
+- Node.js 23 (Current)
+- Node.js 22 (LTS)
+- Node.js 20 (Maintenance LTS)
+- Node.js 18 (Maintenance LTS)
+
+All other versions are no longer supported and should be considered deprecated.
+
+## Questions and Feedback
+
+We understand that upgrading may require effort, and we’re here to help. If you have
+any questions or need assistance, please reach out to us via:
+
+- [Node.js Help Repository](https://github.com/nodejs/help)
+
+For organizations or developers who require continued use of EOL Node.js versions,
+the [OpenJS Ecosystem Sustainability Program](https://nodejs.org/en/about/previous-releases#commercial-support)
+provides commercial support options.
+
+Thank you for your attention to this important matter.