Software Detail
Title
CVE
CRITICAL
HIGH
MEDIUM
LOW
CWE
Number of items displayed
node.js Number Of NVD 152 CRITICAL 13 HIGH 92 MEDIUM 45 LOW 2
URL https://nodejs.org/
Explanation Node.js releases a major version every 6 months.

The status of each version includes

Current : Added features

Active LTS : New stable features, bug fixes, and other updates are made by the LTS team.

Maintenance LTS : New features are added, major bug fixes and security updates are made by the LTS team. New features will only be added if they can be migrated to subsequent versions.

Odd-numbered releases (9, 11, etc.) will be Current and will be supported by the developers for 6 months only.
Even-numbered releases (10, 12, etc.) will be released after support for odd-numbered releases expires, and will be supported as Current for 6 months by the developers.
After 6 months of even-numbered releases, the system will move to Active LTS for 12 months and become generally available.
After the end of Active LTS, the system will move to Maintenance LTS for 12 months.
Even-numbered releases are usually guaranteed to have critical bugs fixed for a total of 30 months.

Only Active LTS and Maintenance LTS Node.js should be used in commercial products.
Tag
  • MIT License
  • Javascript

Add Information URL
No Type Name URL
1 https://nodejs.org/en/blog/
2 https://nodejs.org/en/blog/release/
3 https://nodejs.org/en/about/releases/
4 https://github.com/nodejs/Release

List Of Product  [ Click to show release history and vulnerability information ]
No Name Latest Version Release date Initial release Normal Support Security Support
Service Pack Support
Extended
for a fee
Critical High Medium Low
111 New!! Node.js 26 26.5.0 July 8, 2026 May 5, 2026 Oct. 20, 2027 April 30, 2029 0 1 1 1
112 Node.js 22 v22.6.0 Aug. 6, 2024 June 11, 2024 0 1 1 1
113 Node.js 21 21.7.3 April 10, 2024 Oct. 17, 2023 0 0 0 0
114 Node.js 20 20.14.0 May 28, 2024 April 19, 2023 2 12 3 0
115 Node.js 19 19.7.0 Feb. 21, 2023 Oct. 18, 2022 0 5 2 0
116 Node.js 18 (LTS) 18.15.0 March 7, 2023 April 19, 2022 Oct. 18, 2023 April 30, 2025 2 15 8 0
117 Node.js 17 17.9.1 June 2, 2022 Oct. 19, 2021 April 1, 2022 June 1, 2022 0 3 2 0
118 Node.js 16 (LTS) 16.19.1 Feb. 16, 2023 April 20, 2021 Oct. 18, 2022 April 30, 2024 4 16 12 0
119 Node.js 15 15.14.0 April 6, 2021 Oct. 20, 2020 June 1, 2021 1 6 3 0
120 Node.js 14 (LTS) 14.21.3 Feb. 16, 2023 April 21, 2020 Oct. 18, 2021 April 30, 2023 3 22 13 0
121 Node.js 13 13.14.0 April 30, 2020 Oct. 22, 2019 June 1, 2020 2 1 0 0
122 Node.js 12 (LTS) 12.22.12 April 5, 2022 April 23, 2019 Oct. 21, 2019 April 30, 2022 4 24 9 0
123 Node.js 11 11.15.0 April 30, 2019 Oct. 23, 2018 June 1, 2019 0 4 5 0
124 Node.js 10 (LTS) 10.24.1 April 6, 2021 April 24, 2018 May 18, 2020 April 30, 2021 2 28 10 0
125 Node.js 9 9.11.2 June 12, 2018 Oct. 1, 2017 June 30, 2018 1 8 4 1
126 Node.js 8 (LTS) 8.17.0 Dec. 17, 2019 May 30, 2017 Dec. 31, 2018 Dec. 31, 2019 1 23 9 1
127 Node.js 7 7.10.1 July 11, 2017 Oct. 25, 2016 June 30, 2017 2 7 4 0
128 Node.js 6 (LTS) 6.17.1 April 3, 2019 Oct. 18, 2016 April 29, 2018 April 30, 2019 4 24 16 0
129 Node.js 5 5.12.0 June 23, 2016 Oct. 29, 2015 June 30, 2016 1 16 8 0
130 Node.js 4 (LTS) 4.9.1 March 30, 2018 Sept. 8, 2015 March 30, 2017 April 30, 2018 April 1, 2017 6 25 13 0
131 Node.js 3.0 3.0.0 0 5 3 0
132 Node.js 2.0 2.0.2 0 6 4 1
133 Node.js 1 1.1.0 0 10 10 0
134 Node.js 0 0.0.6 2 22 16 0
135 0 0 0 0
NVD Vulnerability Information
  • CRITICAL
  • HIGH
  • MEDIUM
  • LOW
No CVSS3
CVSS2
Level
Attach Vector
Title CWE CVE cpe23Uri or higher or less more than less than Update date
Published date
Show Affected Exploit
PoC
Search
111 9.8
7.5
CRITICAL
Network
The crc32_big function in crc32.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving big-endian CRC calculation. NVD-CWE-noinfo
CVE-2016-9843 cpe:2.3:a:nodejs:node.js:*:* 4.2.0
6.9.0
4.0.0
6.0.0
7.0.0


4.1.2
6.8.1




4.8.2
6.10.2


7.6.0
2024-11-21 12:01
2017-05-23
Show GitHub Exploit DB Packet Storm
112 8.8
6.8
HIGH
Network
The inflateMark function in inflate.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving left shifts of negative integers. NVD-CWE-noinfo
CVE-2016-9842 cpe:2.3:a:nodejs:node.js:*:* 4.2.0
6.9.0
4.0.0
6.0.0
7.0.0


4.1.2
6.8.1




4.8.2
6.10.2


7.6.0
2024-11-21 12:01
2017-05-23
Show GitHub Exploit DB Packet Storm
113 8.8
6.8
HIGH
Network
inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic. NVD-CWE-noinfo
CVE-2016-9840 cpe:2.3:a:nodejs:node.js:*:* 4.2.0
6.9.0
4.0.0
6.0.0
7.0.0


4.1.2
6.8.1




4.8.2
6.10.2


7.6.0
2024-11-21 12:01
2017-05-23
Show GitHub Exploit DB Packet Storm
114 9.8
7.5
CRITICAL
Network
inffast.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic. NVD-CWE-noinfo
CVE-2016-9841 cpe:2.3:a:nodejs:node.js:*:* 4.2.0
6.9.0
4.0.0
6.0.0
7.0.0


4.1.2
6.8.1




4.8.2
6.10.2


7.6.0
2024-11-21 12:01
2017-05-23
Show GitHub Exploit DB Packet Storm
115 5.9
2.6
MEDIUM
Network
There is a carry propagating bug in the Broadwell-specific Montgomery multiplication procedure in OpenSSL 1.0.2 and 1.1.0 before 1.1.0c that handles input lengths divisible by, but longer than 256 bi… NVD-CWE-noinfo
CVE-2016-7055 cpe:2.3:a:nodejs:node.js:*:* 6.9.0
4.2.0
4.0.0
6.0.0
7.0.0


4.1.2
6.8.1




6.9.5
4.7.3


7.5.0
2024-11-21 11:57
2017-05-5
Show GitHub Exploit DB Packet Storm
116 7.5
5.0
HIGH
Network
If an SSL/TLS server or client is running on a 32-bit host, and a specific cipher is being used, then a truncated packet can cause that server or client to perform an out-of-bounds read, usually resu… CWE-125
Out-of-bounds Read
CVE-2017-3731 cpe:2.3:a:nodejs:node.js:*:* 6.9.0
4.2.0
4.0.0
6.0.0
5.0.0
7.0.0


4.1.2
6.8.1
5.12.0





6.9.5
4.7.3



7.5.0
2024-11-21 12:26
2017-05-5
Show GitHub Exploit DB Packet Storm
117 5.9
4.3
MEDIUM
Network
There is a carry propagating bug in the x86_64 Montgomery squaring procedure in OpenSSL 1.0.2 before 1.0.2k and 1.1.0 before 1.1.0d. No EC algorithms are affected. Analysis suggests that attacks agai… CWE-200
Information Exposure
CVE-2017-3732 cpe:2.3:a:nodejs:node.js:*:* 6.9.0
4.2.0
4.0.0
6.0.0
5.0.0
7.0.0


4.1.2
6.8.1
5.12.0





6.9.5
4.7.3



7.5.0
2024-11-21 12:26
2017-05-5
Show GitHub Exploit DB Packet Storm
118 7.5
5.0
HIGH
Network
The tar package before 2.0.0 for Node.js allows remote attackers to write to arbitrary files via a symlink attack in an archive. CWE-59
Link Following
CVE-2015-8860 cpe:2.3:a:nodejs:node.js:*:* 1.8.4 2024-11-21 11:39
2017-01-24
Show GitHub Exploit DB Packet Storm
119 7.5
7.8
HIGH
Network
The semver package before 4.3.2 for Node.js allows attackers to cause a denial of service (CPU consumption) via a long version string, aka a "regular expression denial of service (ReDoS)." CWE-399
 Resource Management Errors
CVE-2015-8855 cpe:2.3:a:nodejs:node.js:*:* 4.3.1 2024-11-21 11:39
2017-01-24
Show GitHub Exploit DB Packet Storm
120 6.1
4.3
MEDIUM
Network
The validator package before 2.0.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via hex-encoded characters. CWE-79
Cross-site Scripting
CVE-2014-9772 cpe:2.3:a:nodejs:node.js:*:* 1.8.4 2024-11-21 11:21
2017-01-24
Show GitHub Exploit DB Packet Storm