[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fHvrTZQ1NVngA8jz-HU98Cz6fCNuXJJNPdQaKeOKqteI":3},{"product":4,"cycleMajor":14,"releases":15,"cves":25,"nextMajor":62},{"id":5,"slug":6,"name":7,"category":8,"vendor":9,"description":10,"logo_url":11,"official_url":9,"synced_at":12,"created_at":13},"36752f1b-49ae-4055-8ef8-ab933f8f2804","nodejs","Node.js","language",null,"Developers rely on a robust and versatile runtime environment to execute JavaScript code outside the browser, which is where Node.js comes into play. Created to provide a cross-platform, open-source solution, Node.js has been a staple in the development community since its inception. The Node.js project is maintained by the Node.js Foundation, ensuring the continued growth and support of this widely-used language. With its ability to run on various operating systems, including Windows, Linux, Unix, and macOS, Node.js has become an essential tool for developers seeking to build scalable and high-performance applications.\n\nThe end-of-life landscape for Node.js is a critical aspect for developers to stay on top of, with a total of 26 versions released to date. Currently, 23 of these versions have reached their end-of-life, leaving only 3 active versions still receiving support. The latest stable version, 22.22.3, is among the active ones, but its time is limited, as version 22 is slated to expire on 2027-04-30. This follows the recent end-of-life date of version 25, which occurred on 2026-06-01. Staying informed about these expirations is crucial for developers to plan their projects and migrations accordingly.\n\nThe security of Node.js is also a key concern, with a total of 38 CVEs tracked to date. Of these, 5 are considered critical, highlighting the potential risks associated with using outdated or vulnerable versions. Notably, version 24 is the most affected, with 6 CVEs reported. To mitigate these risks, developers should prioritize keeping their Node.js environment up to date, ideally running the latest stable version. By doing so, they can ensure they have the latest security patches and features, reducing the likelihood of exploits and maintaining the integrity of their applications.","https:\u002F\u002Fcdn.simpleicons.org\u002Fnodedotjs","2026-06-14T02:03:06.852+00:00","2026-05-30T16:23:55.904463+00:00","22",[16],{"id":17,"product_id":5,"cycle":14,"release_date":18,"eol":19,"eol_boolean":9,"latest":20,"latest_release_date":21,"lts":22,"support":23,"created_at":24},"8f9205af-4578-4b0b-a9cd-a079fd8cb09a","2024-04-24","2027-04-30","22.22.3","2026-05-13",true,"2025-10-21","2026-05-30T16:28:22.141504+00:00",[26,35,41,47,54],{"cveId":27,"releaseId":17,"cycle":14,"description":28,"severity":29,"cvssScore":30,"epssScore":31,"inKev":32,"publishedAt":33,"url":34},"CVE-2026-21637","A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client ca","HIGH",7.5,0.00033,false,"2026-01-20T21:16:05.95+00:00","https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2026-21637",{"cveId":36,"releaseId":17,"cycle":14,"description":37,"severity":29,"cvssScore":30,"epssScore":38,"inKev":32,"publishedAt":39,"url":40},"CVE-2025-59466","We have identified a bug in Node.js error handling where \"Maximum call stack size exceeded\" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on('uncaughtException')`, the process terminates, making the crash unrecoverable. Applications that rely on `AsyncLocalStorage` (v22, v20) or `async_hooks.createHook()` (v24, v22, v20) become vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions.",0.00009,"2026-01-20T21:16:04.11+00:00","https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2025-59466",{"cveId":42,"releaseId":17,"cycle":14,"description":43,"severity":29,"cvssScore":30,"epssScore":44,"inKev":32,"publishedAt":45,"url":46},"CVE-2025-59465","A malformed `HTTP\u002F2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets, for example:\n```\nserver.on('secureConnection', socket => {\n  socket.on('error', err => {\n    console.log(err)\n  })\n})\n```",0.00064,"2026-01-20T21:16:04.01+00:00","https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2025-59465",{"cveId":48,"releaseId":17,"cycle":14,"description":49,"severity":50,"cvssScore":51,"epssScore":38,"inKev":32,"publishedAt":52,"url":53},"CVE-2025-55132","A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs. This vulnerability affects users of the permission model on Node.js ","MEDIUM",5.3,"2026-01-20T21:16:03.43+00:00","https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2025-55132",{"cveId":55,"releaseId":17,"cycle":14,"description":56,"severity":57,"cvssScore":58,"epssScore":59,"inKev":32,"publishedAt":60,"url":61},"CVE-2025-55130","A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read\u002Fwrite, leading to potential system compromise.\nThis vulnerability affects users of the permission model on Node.js v20,","CRITICAL",9.1,0.00013,"2026-01-20T21:16:03.177+00:00","https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2025-55130","23"]