Software Detail
Title
CVE
CRITICAL
HIGH
MEDIUM
LOW
CWE
Number of items displayed
node.js Number Of NVD 149 CRITICAL 13 HIGH 91 MEDIUM 44 LOW 1
URL https://nodejs.org/
Explanation Node.js releases a major version every 6 months.

The status of each version includes

Current : Added features

Active LTS : New stable features, bug fixes, and other updates are made by the LTS team.

Maintenance LTS : New features are added, major bug fixes and security updates are made by the LTS team. New features will only be added if they can be migrated to subsequent versions.

Odd-numbered releases (9, 11, etc.) will be Current and will be supported by the developers for 6 months only.
Even-numbered releases (10, 12, etc.) will be released after support for odd-numbered releases expires, and will be supported as Current for 6 months by the developers.
After 6 months of even-numbered releases, the system will move to Active LTS for 12 months and become generally available.
After the end of Active LTS, the system will move to Maintenance LTS for 12 months.
Even-numbered releases are usually guaranteed to have critical bugs fixed for a total of 30 months.

Only Active LTS and Maintenance LTS Node.js should be used in commercial products.
Tag
  • MIT License
  • Javascript
Add Information URL
No Type Name URL
1 https://nodejs.org/en/blog/
2 https://nodejs.org/en/blog/release/
3 https://nodejs.org/en/about/releases/
4 https://github.com/nodejs/Release
List Of Product  [ Click to show release history and vulnerability information ]
No Name Latest Version Release date Initial release Normal Support Security Support
Service Pack Support		 Extended
for a fee		 Critical High Medium Low
21 Node.js 22 v22.6.0 Aug. 6, 2024 June 11, 2024 0 0 0 0
22 Node.js 21 21.7.3 April 10, 2024 Oct. 17, 2023 0 0 0 0
23 Node.js 20 20.14.0 May 28, 2024 April 19, 2023 2 12 3 0
24 Node.js 19 19.7.0 Feb. 21, 2023 Oct. 18, 2022 0 5 2 0
25 Node.js 18 (LTS) 18.15.0 March 7, 2023 April 19, 2022 Oct. 18, 2023 April 30, 2025 2 15 8 0
26 Node.js 17 17.9.1 June 2, 2022 Oct. 19, 2021 April 1, 2022 June 1, 2022 0 3 2 0
27 Node.js 16 (LTS) 16.19.1 Feb. 16, 2023 April 20, 2021 Oct. 18, 2022 April 30, 2024 4 16 12 0
28 Node.js 15 15.14.0 April 6, 2021 Oct. 20, 2020 June 1, 2021 1 6 3 0
29 Node.js 14 (LTS) 14.21.3 Feb. 16, 2023 April 21, 2020 Oct. 18, 2021 April 30, 2023 3 22 13 0
30 Node.js 13 13.14.0 April 30, 2020 Oct. 22, 2019 June 1, 2020 2 1 0 0
31 Node.js 12 (LTS) 12.22.12 April 5, 2022 April 23, 2019 Oct. 21, 2019 April 30, 2022 4 24 9 0
32 Node.js 11 11.15.0 April 30, 2019 Oct. 23, 2018 June 1, 2019 0 4 5 0
33 Node.js 10 (LTS) 10.24.1 April 6, 2021 April 24, 2018 May 18, 2020 April 30, 2021 2 28 10 0
34 Node.js 9 9.11.2 June 12, 2018 Oct. 1, 2017 June 30, 2018 1 8 4 1
35 Node.js 8 (LTS) 8.17.0 Dec. 17, 2019 May 30, 2017 Dec. 31, 2018 Dec. 31, 2019 1 23 9 1
36 Node.js 7 7.10.1 July 11, 2017 Oct. 25, 2016 June 30, 2017 2 7 4 0
37 Node.js 6 (LTS) 6.17.1 April 3, 2019 Oct. 18, 2016 April 29, 2018 April 30, 2019 4 24 16 0
38 Node.js 5 5.12.0 June 23, 2016 Oct. 29, 2015 June 30, 2016 1 16 8 0
39 Node.js 4 (LTS) 4.9.1 March 30, 2018 Sept. 8, 2015 March 30, 2017 April 30, 2018 April 1, 2017 6 25 13 0
40 Node.js 3.0 3.0.0 0 5 3 0
41 Node.js 2.0 2.0.2 0 5 3 0
42 Node.js 1 1.1.0 0 10 10 0
43 Node.js 0 0.0.6 2 22 16 0
NVD Vulnerability Information
  • CRITICAL
  • HIGH
  • MEDIUM
  • LOW
No CVSS3
CVSS2		 Level
Attach Vector		 Title CWE CVE cpe23Uri or higher or less more than less than Update date
Published date		 Show Affected Exploit
PoC
Search
21 5.4
- 		MEDIUM
Network 		Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect `host` HTTP header from CRLF injection vulnerabilities. This iss… CWE-74
Injection 		CVE-2023-23936 cpe:2.3:a:nodejs:node.js:*:* 18.0.0
16.0.0
19.0.0



18.14.1
16.19.1
19.6.1 		2024-11-21 16:47
2023-02-17 		Show GitHub Exploit DB Packet Storm
22 8.1
- 		HIGH
Network 		A OS Command Injection vulnerability exists in Node.js versions <14.21.1, <16.18.1, <18.12.1, <19.0.1 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does n… CWE-78
OS Command  		CVE-2022-43548 cpe:2.3:a:nodejs:node.js:19.0.0:*
cpe:2.3:a:nodejs:node.js:18.12.0:*
cpe:2.3:a:nodejs:node.js:*:* 		16.13.0
14.15.0
14.0.0
16.0.0
18.0.0

14.14.0
16.12.0
18.11.0



16.18.1
14.21.1


 2024-11-21 16:26
2022-12-6 		Show GitHub Exploit DB Packet Storm
23 6.5
- 		MEDIUM
Network 		The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling. CWE-444
HTTP Request Smuggling 		CVE-2022-35256 cpe:2.3:a:nodejs:node.js:*:* 14.15.0
16.13.0
14.0.0
16.0.0
18.0.0

14.14.0
16.12.0



14.20.1
16.17.1


18.9.1 		2024-11-21 16:10
2022-12-6 		Show GitHub Exploit DB Packet Storm
24 9.1
- 		CRITICAL
Network 		A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. There are two problems … CWE-338
 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) 		CVE-2022-35255 cpe:2.3:a:nodejs:node.js:*:* 16.13.0
15.0.0
16.0.0
18.0.0
15.14.0
16.12.0


16.17.1


18.9.1 		2024-11-21 16:10
2022-12-6 		Show GitHub Exploit DB Packet Storm
25 7.5
- 		HIGH
Network 		A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either… CWE-120
Classic Buffer Overflow 		CVE-2022-3786 cpe:2.3:a:nodejs:node.js:19.0.0:*
cpe:2.3:a:nodejs:node.js:18.12.0:*
cpe:2.3:a:nodejs:node.js:*:* 		18.0.0 18.11.0 2026-04-14 19:16
2022-11-2 		Show GitHub Exploit DB Packet Storm
26 7.5
- 		HIGH
Network 		A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either… CWE-787
 Out-of-bounds Write 		CVE-2022-3602 cpe:2.3:a:nodejs:node.js:19.0.0:*
cpe:2.3:a:nodejs:node.js:18.12.0:*
cpe:2.3:a:nodejs:node.js:*:* 		18.0.0 18.11.0 2026-04-14 19:16
2022-11-2 		Show GitHub Exploit DB Packet Storm
27 7.3
- 		HIGH
Local 		Node.js is vulnerable to Hijack Execution Flow: DLL Hijacking under certain conditions on Windows platforms.This vulnerability can be exploited if the victim has the following dependencies on a Windo… CWE-427
 Uncontrolled Search Path Element 		CVE-2022-32223 cpe:2.3:a:nodejs:node.js:*:* 14.14.0
16.13.0
14.0.0
16.0.0
18.0.0

14.14.0
16.12.0



14.20.0
16.16.0


18.0.5 		2024-11-21 16:05
2022-07-15 		Show GitHub Exploit DB Packet Storm
28 5.3
- 		MEDIUM
Network 		A cryptographic vulnerability exists on Node.js on linux in versions of 18.x prior to 18.40.0 which allowed a default path for openssl.cnf that might be accessible under some circumstances to a non-a… CWE-427
 Uncontrolled Search Path Element 		CVE-2022-32222 cpe:2.3:a:nodejs:node.js:*:* 18.0.0 18.5.0 2024-11-21 16:05
2022-07-15 		Show GitHub Exploit DB Packet Storm
29 6.5
- 		MEDIUM
Network 		The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS). CWE-444
HTTP Request Smuggling 		CVE-2022-32215 cpe:2.3:a:nodejs:node.js:*:* 14.15.0
16.13.0
18.0.0
14.0.0
16.0.0


14.14.0
16.12.0



14.20.0
16.16.0
18.5.0

 2024-11-21 16:05
2022-07-15 		Show GitHub Exploit DB Packet Storm
30 6.5
- 		MEDIUM
Network 		The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). CWE-444
HTTP Request Smuggling 		CVE-2022-32214 cpe:2.3:a:nodejs:node.js:*:* 14.15.0
16.13.0
18.0.0
14.0.0
16.0.0


14.14.0
16.12.0



14.20.0
16.16.0
18.5.0

 2024-11-21 16:05
2022-07-15 		Show GitHub Exploit DB Packet Storm