Software Detail
Title
CVE
CRITICAL
HIGH
MEDIUM
LOW
CWE
Number of items displayed
node.js Number Of NVD 152 CRITICAL 13 HIGH 92 MEDIUM 45 LOW 2
URL https://nodejs.org/
Explanation Node.js releases a major version every 6 months.

The status of each version includes

Current : Added features

Active LTS : New stable features, bug fixes, and other updates are made by the LTS team.

Maintenance LTS : New features are added, major bug fixes and security updates are made by the LTS team. New features will only be added if they can be migrated to subsequent versions.

Odd-numbered releases (9, 11, etc.) will be Current and will be supported by the developers for 6 months only.
Even-numbered releases (10, 12, etc.) will be released after support for odd-numbered releases expires, and will be supported as Current for 6 months by the developers.
After 6 months of even-numbered releases, the system will move to Active LTS for 12 months and become generally available.
After the end of Active LTS, the system will move to Maintenance LTS for 12 months.
Even-numbered releases are usually guaranteed to have critical bugs fixed for a total of 30 months.

Only Active LTS and Maintenance LTS Node.js should be used in commercial products.
Tag
  • MIT License
  • Javascript

Add Information URL
No Type Name URL
1 https://nodejs.org/en/blog/
2 https://nodejs.org/en/blog/release/
3 https://nodejs.org/en/about/releases/
4 https://github.com/nodejs/Release

List Of Product  [ Click to show release history and vulnerability information ]
No Name Latest Version Release date Initial release Normal Support Security Support
Service Pack Support
Extended
for a fee
Critical High Medium Low
131 New!! Node.js 26 26.5.0 July 8, 2026 May 5, 2026 Oct. 20, 2027 April 30, 2029 0 1 1 1
132 Node.js 22 v22.6.0 Aug. 6, 2024 June 11, 2024 0 1 1 1
133 Node.js 21 21.7.3 April 10, 2024 Oct. 17, 2023 0 0 0 0
134 Node.js 20 20.14.0 May 28, 2024 April 19, 2023 2 12 3 0
135 Node.js 19 19.7.0 Feb. 21, 2023 Oct. 18, 2022 0 5 2 0
136 Node.js 18 (LTS) 18.15.0 March 7, 2023 April 19, 2022 Oct. 18, 2023 April 30, 2025 2 15 8 0
137 Node.js 17 17.9.1 June 2, 2022 Oct. 19, 2021 April 1, 2022 June 1, 2022 0 3 2 0
138 Node.js 16 (LTS) 16.19.1 Feb. 16, 2023 April 20, 2021 Oct. 18, 2022 April 30, 2024 4 16 12 0
139 Node.js 15 15.14.0 April 6, 2021 Oct. 20, 2020 June 1, 2021 1 6 3 0
140 Node.js 14 (LTS) 14.21.3 Feb. 16, 2023 April 21, 2020 Oct. 18, 2021 April 30, 2023 3 22 13 0
141 Node.js 13 13.14.0 April 30, 2020 Oct. 22, 2019 June 1, 2020 2 1 0 0
142 Node.js 12 (LTS) 12.22.12 April 5, 2022 April 23, 2019 Oct. 21, 2019 April 30, 2022 4 24 9 0
143 Node.js 11 11.15.0 April 30, 2019 Oct. 23, 2018 June 1, 2019 0 4 5 0
144 Node.js 10 (LTS) 10.24.1 April 6, 2021 April 24, 2018 May 18, 2020 April 30, 2021 2 28 10 0
145 Node.js 9 9.11.2 June 12, 2018 Oct. 1, 2017 June 30, 2018 1 8 4 1
146 Node.js 8 (LTS) 8.17.0 Dec. 17, 2019 May 30, 2017 Dec. 31, 2018 Dec. 31, 2019 1 23 9 1
147 Node.js 7 7.10.1 July 11, 2017 Oct. 25, 2016 June 30, 2017 2 7 4 0
148 Node.js 6 (LTS) 6.17.1 April 3, 2019 Oct. 18, 2016 April 29, 2018 April 30, 2019 4 24 16 0
149 Node.js 5 5.12.0 June 23, 2016 Oct. 29, 2015 June 30, 2016 1 16 8 0
150 Node.js 4 (LTS) 4.9.1 March 30, 2018 Sept. 8, 2015 March 30, 2017 April 30, 2018 April 1, 2017 6 25 13 0
151 Node.js 3.0 3.0.0 0 5 3 0
152 Node.js 2.0 2.0.2 0 6 4 1
153 Node.js 1 1.1.0 0 10 10 0
154 Node.js 0 0.0.6 2 22 16 0
155 0 0 0 0
NVD Vulnerability Information
  • CRITICAL
  • HIGH
  • MEDIUM
  • LOW
No CVSS3
CVSS2
Level
Attach Vector
Title CWE CVE cpe23Uri or higher or less more than less than Update date
Published date
Show Affected Exploit
PoC
Search
131 6.5
4.3
MEDIUM
Network
The parser in Google V8, as used in Google Chrome before 53.0.2785.113, mishandles scopes, which allows remote attackers to obtain sensitive information from arbitrary memory locations via crafted Ja… CWE-200
Information Exposure
CVE-2016-5172 cpe:2.3:a:nodejs:node.js:*:* 6.0.0 6.8.1 2024-11-21 11:53
2016-09-26
Show GitHub Exploit DB Packet Storm
132 9.8
7.5
CRITICAL
Network
Integer overflow in the MDC2_Update function in crypto/mdc2/mdc2dgst.c in OpenSSL before 1.1.0 allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or poss… CWE-787
 Out-of-bounds Write
CVE-2016-6303 cpe:2.3:a:nodejs:node.js:*:*
4.0.0
6.0.0




0.12.16
4.6.0
6.6.0
2024-11-21 11:55
2016-09-16
Show GitHub Exploit DB Packet Storm
133 7.5
5.0
HIGH
Network
The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for re… CWE-200
Information Exposure
CVE-2016-2183 cpe:2.3:a:nodejs:node.js:*:* 4.2.0
6.0.0
4.0.0
0.12.0
0.10.0








4.6.0
6.7.0
4.1.2
0.12.16
0.10.47
2024-11-21 11:47
2016-09-1
Show GitHub Exploit DB Packet Storm
134 7.5
5.0
HIGH
Network
The CLI in npm before 2.15.1 and 3.x before 3.8.3, as used in Node.js 0.10 before 0.10.44, 0.12 before 0.12.13, 4 before 4.4.2, and 5 before 5.10.0, includes bearer tokens with arbitrary requests, wh… CWE-200
Information Exposure
CVE-2016-3956 cpe:2.3:a:nodejs:node.js:5.9.1:*
cpe:2.3:a:nodejs:node.js:5.9.0:*
cpe:2.3:a:nodejs:node.js:5.8.1:rc.1
cpe:2.3:…
2024-11-21 11:51
2016-07-2
Show GitHub Exploit DB Packet Storm
135 5.5
2.1
MEDIUM
Local
The dsa_sign_setup function in crypto/dsa/dsa_ossl.c in OpenSSL through 1.0.2h does not properly ensure the use of constant-time operations, which makes it easier for local users to discover a DSA pr… CWE-203
 Information Exposure Through Discrepancy
CVE-2016-2178 cpe:2.3:a:nodejs:node.js:*:* 4.2.0
4.0.0
0.12.0
0.10.0
5.0.0

4.1.2






4.6.0

0.12.16
0.10.47
6.7.0
2024-11-21 11:47
2016-06-20
Show GitHub Exploit DB Packet Storm
136 8.8
9.3
HIGH
Network
The Zone::New function in zone.cc in Google V8 before 5.0.71.47, as used in Google Chrome before 50.0.2661.102, does not properly determine when to expand certain memory allocations, which allows rem… CWE-119
Incorrect Access of Indexable Resource ('Range Error') 
CVE-2016-1669 cpe:2.3:a:nodejs:node.js:*:* 4.2.0
4.0.0
6.0.0
5.0.0
0.12.0
0.10.0

4.1.2
6.2.0







4.4.6


5.12.0
0.12.15
0.10.46
2024-11-21 11:46
2016-05-15
Show GitHub Exploit DB Packet Storm
137 5.9
2.6
MEDIUM
Network
The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a certain padding check, which allows remote attackers to obtain sensitive cleart… CWE-310
CWE-200
Cryptographic Issues
Information Exposure
CVE-2016-2107 cpe:2.3:a:nodejs:node.js:6.0.0:*
cpe:2.3:a:nodejs:node.js:*:*
4.2.0
4.0.0
5.0.0
0.12.0
0.10.0

4.1.2






4.4.4

5.11.1
0.12.14
0.10.45
2024-11-21 11:47
2016-05-5
Show GitHub Exploit DB Packet Storm
138 7.5
5.0
HIGH
Network
Integer overflow in the EVP_EncodeUpdate function in crypto/evp/encode.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption)… CWE-190
 Integer Overflow or Wraparound
CVE-2016-2105 cpe:2.3:a:nodejs:node.js:6.0.0:*
cpe:2.3:a:nodejs:node.js:*:*
4.2.0
4.0.0
5.0.0
0.12.0
0.10.0

4.1.2






4.4.4

5.11.1
0.12.14
0.10.45
2024-11-21 11:47
2016-05-5
Show GitHub Exploit DB Packet Storm
139 7.5
4.3
HIGH
Network
The HTTP header parsing code in Node.js 0.10.x before 0.10.42, 0.11.6 through 0.11.16, 0.12.x before 0.12.10, 4.x before 4.3.0, and 5.x before 5.6.0 allows remote attackers to bypass an HTTP response… CWE-20
 Improper Input Validation 
CVE-2016-2216 cpe:2.3:a:nodejs:node.js:5.5.0:*
cpe:2.3:a:nodejs:node.js:5.4.1:*
cpe:2.3:a:nodejs:node.js:5.4.0:*
cpe:2.3:a:n…
2024-11-21 11:48
2016-04-8
Show GitHub Exploit DB Packet Storm
140 7.5
5.0
HIGH
Network
Node.js 0.10.x before 0.10.42, 0.12.x before 0.12.10, 4.x before 4.3.0, and 5.x before 5.6.0 allow remote attackers to conduct HTTP request smuggling attacks via a crafted Content-Length HTTP header. CWE-20
 Improper Input Validation 
CVE-2016-2086 cpe:2.3:a:nodejs:node.js:5.5.0:*
cpe:2.3:a:nodejs:node.js:5.4.1:*
cpe:2.3:a:nodejs:node.js:5.4.0:*
cpe:2.3:a:n…
2024-11-21 11:47
2016-04-8
Show GitHub Exploit DB Packet Storm