Node.js 25.x — End of Life
EOL Critical riskNode.js 25.x — All releases
| Version | Released | Active support | EOL date | Latest patch | Status |
|---|---|---|---|---|---|
| 25 | Oct 15, 2025 | Apr 1, 2026 | Jun 1, 2026 | 25.9.0 | EOL |
CVEs affecting Node.js 25.x (6)
| CVE | Severity | CVSS | EPSS | KEV | Cycle | Description | Published |
|---|---|---|---|---|---|---|---|
| CVE-2026-21637 | HIGH | 7.5 | 0.03% | — | 25 | A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCall… | Jan 20, 2026 |
| CVE-2026-21636 | CRITICAL | 10.0 | 0.01% | — | 25 | A flaw in Node.js's permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when `--… | Jan 20, 2026 |
| CVE-2025-59466 | HIGH | 7.5 | 0.01% | — | 25 | We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable wh… | Jan 20, 2026 |
| CVE-2025-59465 | HIGH | 7.5 | 0.06% | — | 25 | A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unha… | Jan 20, 2026 |
| CVE-2025-55132 | MEDIUM | 5.3 | 0.01% | — | 25 | A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via `futimes()` ev… | Jan 20, 2026 |
| CVE-2025-55130 | CRITICAL | 9.1 | 0.01% | — | 25 | A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions u… | Jan 20, 2026 |
Node.js 25.x is EOL — migrate to Node.js 26.x
Node.js 26.x is the next major release. Plan your upgrade before Node.js 25.x stops receiving security patches.
Frequently asked questions
Is Node.js 25 end of life?
Yes. All Node.js 25.x releases have reached end of life and no longer receive security patches. There are 6 known CVEs affecting Node.js 25.x, including 2 critical. Migrate to Node.js 26.x as soon as possible.
What CVEs affect Node.js 25?
There are 6 CVEs tracked for Node.js 25.x, including 2 critical severity issues. See the full list above with CVSS and EPSS scores.
What is the latest Node.js 25 version?
The latest Node.js 25.x patch release is 25.9.0, released on April 1, 2026. Always run the latest patch to benefit from all security fixes.
How to migrate from Node.js 25 to Node.js 26?
To migrate from Node.js 25 to Node.js 26: (1) review the official Node.js 26 migration guide for breaking changes, (2) update dependencies and configuration accordingly, (3) test thoroughly in a staging environment, (4) deploy with a rollback plan. Starting early gives you time to resolve compatibility issues before your current version reaches end of life.
Is it safe to run Node.js 25 in production?
No. Node.js 25 has reached end of life and security vulnerabilities are no longer patched. Upgrade to a supported version immediately.
Data sourced from endoflife.date · CVE data from NVD · EPSS from FIRST.org · KEV from CISA