Node.js Just Extended the Range of 97 CVEs on EOL Versions. Still Think You're Safe?
The Node.js project is now assigning CVEs to unsupported versions, such as 16 and 14. If you're still running EOL Node, it's time to take action.
In May 2025, the Node.js team extended the affected-version range of 97 existing CVEs to cover the end-of-life (EOL) versions, from Node 4 through Node 16.
These vulnerabilities are real. They’re public. And they impact code still running in production across thousands of teams.
But there’s no official patch.
The Node.js project no longer provides security updates for these versions due to resource constraints. That means teams still on EOL Node are facing documented vulnerabilities, with no core team support.
Why This Matters
Until now, some teams assumed EOL meant “quiet.” No more updates. No more noise.
That assumption is no longer safe.
These 97 CVEs are now visible to scanners, auditors, and security teams. If you’re running an affected version, it’s likely already triggering compliance flags and risk reports.
Without official fixes, your team is responsible for responding or finding another way to stay covered.
Why Teams Haven’t Migrated Yet
In most cases, it’s not negligence. It’s reality.
- Migration timelines slipped.
- Dependency chains weren’t ready.
- QA teams were focused on product releases.
- Refactoring created unexpected risk or instability.
Many teams are still actively working through their migration, but they’re not done. Now, they’re facing a wave of unpatched CVEs mid-process.
How HeroDevs Helps
HeroDevs provides Never-Ending Support (NES) for end-of-life Node.js versions—including 16 and 18.
With Node.js NES, you get:
- Ongoing security patches for known CVEs
- Support to meet compliance requirements
- Breathing room to complete your migration without unnecessary risk
This isn’t a workaround. It’s a legitimate support path for teams with real-world constraints who must keep systems secure while transitioning forward.
What Now
If you're running Node 16 or 18 in production, the equation has changed.
You can:
- Accept the risk of running unpatched, unsupported software
- Rush a migration under pressure
- Or stabilize your current setup with Node.js NES while migrating on your timeline
If your application is still running on Node 14, 16 or 18, you’re operating with known, unpatched vulnerabilities. While that may be acceptable for some teams in the short term, it should be a deliberate, documented risk decision, not an accidental one.
Whether you're planning to migrate soon or working through blockers, now is the time to re-evaluate how you're protecting your stack in the interim.
The visibility is here. So is the risk.