Software Detail
Title
CVE
CRITICAL
HIGH
MEDIUM
LOW
CWE
Number of items displayed
node.js Number Of NVD 152 CRITICAL 13 HIGH 92 MEDIUM 45 LOW 2
URL https://nodejs.org/
Explanation Node.js releases a major version every 6 months.

The status of each version includes

Current : Added features

Active LTS : New stable features, bug fixes, and other updates are made by the LTS team.

Maintenance LTS : New features are added, major bug fixes and security updates are made by the LTS team. New features will only be added if they can be migrated to subsequent versions.

Odd-numbered releases (9, 11, etc.) will be Current and will be supported by the developers for 6 months only.
Even-numbered releases (10, 12, etc.) will be released after support for odd-numbered releases expires, and will be supported as Current for 6 months by the developers.
After 6 months of even-numbered releases, the system will move to Active LTS for 12 months and become generally available.
After the end of Active LTS, the system will move to Maintenance LTS for 12 months.
Even-numbered releases are usually guaranteed to have critical bugs fixed for a total of 30 months.

Only Active LTS and Maintenance LTS Node.js should be used in commercial products.
Tag
  • MIT License
  • Javascript

Add Information URL
No Type Name URL
1 https://nodejs.org/en/blog/
2 https://nodejs.org/en/blog/release/
3 https://nodejs.org/en/about/releases/
4 https://github.com/nodejs/Release

List Of Product  [ Click to show release history and vulnerability information ]
No Name Latest Version Release date Initial release Normal Support Security Support
Service Pack Support
Extended
for a fee
Critical High Medium Low
11 New!! Node.js 26 26.5.0 July 8, 2026 May 5, 2026 Oct. 20, 2027 April 30, 2029 0 1 1 1
12 Node.js 22 v22.6.0 Aug. 6, 2024 June 11, 2024 0 1 1 1
13 Node.js 21 21.7.3 April 10, 2024 Oct. 17, 2023 0 0 0 0
14 Node.js 20 20.14.0 May 28, 2024 April 19, 2023 2 12 3 0
15 Node.js 19 19.7.0 Feb. 21, 2023 Oct. 18, 2022 0 5 2 0
16 Node.js 18 (LTS) 18.15.0 March 7, 2023 April 19, 2022 Oct. 18, 2023 April 30, 2025 2 15 8 0
17 Node.js 17 17.9.1 June 2, 2022 Oct. 19, 2021 April 1, 2022 June 1, 2022 0 3 2 0
18 Node.js 16 (LTS) 16.19.1 Feb. 16, 2023 April 20, 2021 Oct. 18, 2022 April 30, 2024 4 16 12 0
19 Node.js 15 15.14.0 April 6, 2021 Oct. 20, 2020 June 1, 2021 1 6 3 0
20 Node.js 14 (LTS) 14.21.3 Feb. 16, 2023 April 21, 2020 Oct. 18, 2021 April 30, 2023 3 22 13 0
21 Node.js 13 13.14.0 April 30, 2020 Oct. 22, 2019 June 1, 2020 2 1 0 0
22 Node.js 12 (LTS) 12.22.12 April 5, 2022 April 23, 2019 Oct. 21, 2019 April 30, 2022 4 24 9 0
23 Node.js 11 11.15.0 April 30, 2019 Oct. 23, 2018 June 1, 2019 0 4 5 0
24 Node.js 10 (LTS) 10.24.1 April 6, 2021 April 24, 2018 May 18, 2020 April 30, 2021 2 28 10 0
25 Node.js 9 9.11.2 June 12, 2018 Oct. 1, 2017 June 30, 2018 1 8 4 1
26 Node.js 8 (LTS) 8.17.0 Dec. 17, 2019 May 30, 2017 Dec. 31, 2018 Dec. 31, 2019 1 23 9 1
27 Node.js 7 7.10.1 July 11, 2017 Oct. 25, 2016 June 30, 2017 2 7 4 0
28 Node.js 6 (LTS) 6.17.1 April 3, 2019 Oct. 18, 2016 April 29, 2018 April 30, 2019 4 24 16 0
29 Node.js 5 5.12.0 June 23, 2016 Oct. 29, 2015 June 30, 2016 1 16 8 0
30 Node.js 4 (LTS) 4.9.1 March 30, 2018 Sept. 8, 2015 March 30, 2017 April 30, 2018 April 1, 2017 6 25 13 0
31 Node.js 3.0 3.0.0 0 5 3 0
32 Node.js 2.0 2.0.2 0 6 4 1
33 Node.js 1 1.1.0 0 10 10 0
34 Node.js 0 0.0.6 2 22 16 0
35 0 0 0 0
NVD Vulnerability Information
  • CRITICAL
  • HIGH
  • MEDIUM
  • LOW
No CVSS3
CVSS2
Level
Attach Vector
Title CWE CVE cpe23Uri or higher or less more than less than Update date
Published date
Show Affected Exploit
PoC
Search
11 7.5
-
HIGH
Network
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. NVD-CWE-noinfo
CVE-2023-44487 cpe:2.3:a:nodejs:node.js:*:* 18.0.0
20.0.0


18.18.2
20.8.1
2025-03-8 04:15
2023-10-10
Show GitHub Exploit DB Packet Storm
12 7.5
-
HIGH
Network
The use of the deprecated API `process.binding()` can bypass the permission model through path traversal. This vulnerability affects all users using the experimental permission model in Node.js 20.… CWE-22
Path Traversal
CVE-2023-32558 cpe:2.3:a:nodejs:node.js:*:* 20.0.0 20.5.1 2024-11-21 17:03
2023-09-12
Show GitHub Exploit DB Packet Storm
13 5.3
-
MEDIUM
Network
A vulnerability has been identified in Node.js version 20, affecting users of the experimental permission model when the --allow-fs-read flag is used with a non-* argument. This flaw arises from an … CWE-732
 Incorrect Permission Assignment for Critical Resource
CVE-2023-32005 cpe:2.3:a:nodejs:node.js:*:* 20.0.0 20.5.1 2024-11-21 17:02
2023-09-12
Show GitHub Exploit DB Packet Storm
14 7.5
-
HIGH
Network
A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. The use of the deprecated API `process.binding()` can bypass the po… NVD-CWE-noinfo
CVE-2023-32559 cpe:2.3:a:nodejs:node.js:*:* 20.0.0
16.0.0
18.0.0
20.5.0
16.20.1
18.17.0




2024-11-21 17:03
2023-08-24
Show GitHub Exploit DB Packet Storm
15 9.8
-
CRITICAL
Network
The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental … NVD-CWE-noinfo
CVE-2023-32002 cpe:2.3:a:nodejs:node.js:*:* 20.0.0
18.0.0
16.0.0
20.5.0
18.17.0
16.20.1




2024-11-21 17:02
2023-08-22
Show GitHub Exploit DB Packet Storm
16 5.3
-
MEDIUM
Network
`fs.mkdtemp()` and `fs.mkdtempSync()` can be used to bypass the permission model check using a path traversal attack. This flaw arises from a missing check in the fs.mkdtemp() API and the impact is a… CWE-22
Path Traversal
CVE-2023-32003 cpe:2.3:a:nodejs:node.js:*:* 20.0.0 20.5.0 2024-11-21 17:02
2023-08-16
Show GitHub Exploit DB Packet Storm
17 8.8
-
HIGH
Network
The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users usi… NVD-CWE-noinfo
CVE-2023-32006 cpe:2.3:a:nodejs:node.js:*:* 20.0.0
16.0.0
18.0.0
20.5.0
16.20.1
18.17.0




2024-11-21 17:02
2023-08-16
Show GitHub Exploit DB Packet Storm
18 8.8
-
HIGH
Network
A vulnerability has been discovered in Node.js version 20, specifically within the experimental permission model. This flaw relates to improper handling of Buffers in file system APIs causing a trave… CWE-22
Path Traversal
CVE-2023-32004 cpe:2.3:a:nodejs:node.js:*:* 20.0.0 20.5.0 2024-11-21 17:02
2023-08-16
Show GitHub Exploit DB Packet Storm
19 7.5
-
HIGH
Network
The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) … NVD-CWE-Other
CVE-2023-30589 cpe:2.3:a:nodejs:node.js:*:* 20.0.0
16.0.0
18.0.0




20.3.1
16.20.1
18.16.1
2024-11-21 17:00
2023-07-1
Show GitHub Exploit DB Packet Storm
20 7.5
-
HIGH
Network
A privilege escalation vulnerability exists in Node.js 20 that allowed loading arbitrary OpenSSL engines when the experimental permission model is enabled, which can bypass and/or disable the permiss… CWE-862
 Missing Authorization
CVE-2023-30586 cpe:2.3:a:nodejs:node.js:*:* 20.0.0 20.3.1 2024-11-21 17:00
2023-07-1
Show GitHub Exploit DB Packet Storm