nodejs · RafaelGSS · Jan 6, 2025 · Dec 12, 2024 · Dec 12, 2024 · Dec 12, 2024
@@ -0,0 +1,83 @@
+---
+date: '2025-01-14T16:00:00.000Z'
+category: vulnerability
+title: Upcoming CVE for End-of-Life Node.js Versions
+layout: blog-post
+author: The Node.js Project
+---
+
+The Node.js Project is committed to ensuring the security and reliability of
+applications built on Node.js. As part of this commitment, we regularly review
+measures to help our users stay informed about security risks.
+
+## Announcement
+
+We will soon issue a Common Vulnerabilities and Exposures (CVE) identifier for
+**End-of-Life (EOL)** versions of Node.js. This CVE will serve as an official
+notification to inform users that these versions are no longer maintained and
+may pose significant security risks.
+
+The CVE will cite **Unsupported When Assigned** under
+[CWE-1104](https://cwe.mitre.org/data/definitions/1104.html): *Use of Unmaintained Third Party Components*.
+For more details on this decision, you can refer to the discussion in
+[this GitHub issue](https://github.com/nodejs/security-wg/issues/1401).
+
+## Why Issue a CVE?
+
+Many organizations rely on CVE notifications to track security issues across
+their software stacks. By issuing a CVE for EOL versions of Node.js, we aim to:
+
+* **Raise Awareness:** Inform users that running EOL versions exposes their
+applications to potential vulnerabilities.
+* **Encourage Upgrades:** Prompt organizations and developers to update to
+actively supported Node.js versions.
+* **Improve Security:** Reduce the number of applications running outdated and
+unsupported versions of Node.js.
+
+## What Does This Mean for You?
+
+If you are using an EOL version of Node.js, we strongly encourage you to upgrade
+to a supported version immediately. You can find the list of actively supported
+versions and their maintenance schedules in the [Node.js Release Schedule](https://github.com/nodejs/release#release-schedule).
+
+To check which version of Node.js your application is running, execute the
+following command in your terminal:
+
+```bash
+node -v
+```
+
+If your version is no longer supported, please refer to our
+[Migration Guide](https://nodejs.org/en/docs/guides/upgrading/) for assistance
+in upgrading.
+
+You can also run [`is-my-node-vulnerable`](https://github.com/RafaelGSS/is-my-node-vulnerable)
+to check if you are using an EOL version or any version with an CVE issued to it.
+
+```bash
+npx is-my-node-vulnerable
+```
+
+## Supported Versions
+
+As of the date of this announcement, the following versions are actively supported:
+
+* Node.js 23 (Current)
+* Node.js 22 (LTS)
+* Node.js 20 (Maintenance LTS)
+* Node.js 18 (Maintenance LTS)
+
+All other versions are no longer supported and should be considered deprecated.
+
+## Questions and Feedback
+
+We understand that upgrading may require effort, and we’re here to help. If you have
+any questions or need assistance, please reach out to us via:
+
+* [Node.js Help Repository](https://github.com/nodejs/help)
+
+For organizations or developers who require continued use of EOL Node.js versions,
+the [OpenJS Ecosystem Sustainability Program](https://nodejs.org/en/about/previous-releases#commercial-support)
+provides commercial support options.
+
+Thank you for your attention to this important matter.