CVE-2025-23087

Affects: Node.js <= 17.9.1
Patch Available
This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs

Overview

The Node.js Project issued a CVE for End-of-Life (EOL) versions of Node.js. This CVE aims to raise awareness about the risks of running unsupported versions and to encourage users to upgrade to actively maintained releases, given that v16 and v14 are still widely used.

Vulnerability Info

The CVE will serve as an official acknowledgment that EOL versions of Node.js are no longer maintained and may expose users to significant security vulnerabilities. It will cite Unsupported When Assigned under CWE-1104: Use of Unmaintained Third Party Components. This classification highlights the inherent risks of relying on outdated software. All versions of Node.js before v18 are to be considered vulnerable. The Node.js team does not test the reproducibility of new CVEs on EOL versions.

Many of the core dependencies of Node.js have had several CVEs issued that might affect EOL versions.

OpenSSL

Node.js versions before v17 rely on OpenSSL v1, which has itself reached end-of-life. OpenSSL v1 is known to have several high-severity security vulnerabilities.

This is particularly risky because Node.js depends on OpenSSL for all cryptographic operations, making these versions especially susceptible to exploitation.

Some of the OpenSSL vulnerabilities that might affect EOL versions of Node.js are:

llhttp

A web application running an EOL version of Node.js may rely on a vulnerable version of llhttp, the HTTP parser bundled with Node.js. This exposes the server to risks such as HTTP request smuggling and denial-of-service attacks. An attacker could exploit these vulnerabilities by crafting and sending malformed HTTP requests to the server.

Some of the llhttp vulnerabilities that might affect EOL versions of Node.js are:

Several other libraries used in Node.js have released CVEs that might affect users:

Mitigation

To mitigate these Node.js security risks, users should take one of the following steps:

  • Move to secure versions of Node.js.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.
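A practical first step for either mitigation is knowing which runtimes are affected. The script below turns the advisory's boundaries (all Node.js lines before v18 are EOL; lines before v17 bundle the end-of-life OpenSSL 1.x; the bundled llhttp parser is the relevant HTTP-smuggling surface) into a runtime audit that can gate a CI job or a deployment. It is an added example, not code from this advisory, from HeroDevs or from the Node.js project. The threshold constants, the function names and the sample `process.versions`-shaped objects are assumptions for illustration; the v18 boundary reflects the advisory as published in January 2025 and must be raised as further release lines reach end-of-life.

```javascript
// Added example (not from the advisory or the Node.js project): audit a
// Node.js runtime's version triple for the end-of-life conditions that
// CVE-2025-23087 describes. Thresholds are assumptions taken from the
// advisory text as of January 2025; keep them current with the Node.js
// release schedule.

// Release lines below this major are EOL per the advisory ("all versions
// of Node.js before v18"). Bump this as further lines reach EOL.
const EOL_BELOW_NODE_MAJOR = 18;
// OpenSSL 1.x (bundled by Node.js < 17) is itself end-of-life.
const EOL_BELOW_OPENSSL_MAJOR = 3;

// Parse strings such as "16.20.2", "1.1.1v+quic" or "3.0.13+quic" into
// numeric parts. Only the leading numeric segments are used.
function parseVersion(str) {
  const m = /^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?/.exec(String(str));
  if (!m) throw new Error(`unparseable version: ${str}`);
  return {
    major: Number(m[1]),
    minor: Number(m[2] || 0),
    patch: Number(m[3] || 0),
  };
}

// True when the Node.js release line is below the advisory's EOL boundary.
function isEolNode(nodeVersion) {
  return parseVersion(nodeVersion).major < EOL_BELOW_NODE_MAJOR;
}

// True when the bundled OpenSSL is a 1.x (end-of-life) release.
function isEolOpenSSL(opensslVersion) {
  return parseVersion(opensslVersion).major < EOL_BELOW_OPENSSL_MAJOR;
}

// Takes an object shaped like process.versions and returns a report with
// one finding per EOL component. llhttp is recorded but not judged: the
// advisory only says EOL lines may ship a vulnerable parser, so its
// version is surfaced for matching against llhttp advisories rather than
// compared against an assumed threshold.
function auditRuntime(versions) {
  const findings = [];
  if (isEolNode(versions.node)) {
    findings.push({
      component: 'node',
      version: versions.node,
      reason: `Node.js < ${EOL_BELOW_NODE_MAJOR} is end-of-life (CVE-2025-23087, CWE-1104)`,
    });
  }
  if (versions.openssl && isEolOpenSSL(versions.openssl)) {
    findings.push({
      component: 'openssl',
      version: versions.openssl,
      reason: 'bundled OpenSSL 1.x is end-of-life',
    });
  }
  return { llhttp: versions.llhttp || 'unknown', findings };
}

// When executed directly, audit the running interpreter and use the exit
// code so a CI job fails on an EOL runtime.
if (typeof require !== 'undefined' && require.main === module) {
  const report = auditRuntime(process.versions);
  console.log(JSON.stringify(report, null, 2));
  process.exitCode = report.findings.length ? 1 : 0;
}
```

Running `node audit.js` under each interpreter used in a fleet gives a machine-readable list of EOL components; the same `auditRuntime` function can be fed version strings collected from containers or hosts without executing code on them.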

Vulnerability Details

ID: CVE-2025-23087
Project Affected: Node.js
Versions Affected: <= 17.9.1
Published date: January 21, 2025
≈ Fix date: January 21, 2025
Fixed in:
Severity: High
Category: