Node.js pushed security releases across all four active lines today – 25.x, 24.x, 22.x (LTS), and 20.x (LTS) – patching two high-severity issues alongside a set of medium- and low-severity findings. CVE details are not yet public at the time of writing.
What Was Patched
According to the Node.js security advisory, every active release line is affected by the two high-severity issues. The medium-severity count varies slightly by line:
| Line | High | Medium | Low |
|---|---|---|---|
| 25.x | 2 | 5 | 2 |
| 24.x | 2 | 4 | 2 |
| 22.x | 2 | 4 | 2 |
| 20.x | 2 | 4 | 2 |
CVE identifiers and vulnerability descriptions have not been published yet. This is standard practice – the Node.js project releases patched versions first and discloses technical details afterward to give the ecosystem time to update before the specifics become public. Check the advisory and the nodejs-sec mailing list for details as they drop.
End-of-life lines should be assumed to be affected by the same issues, but they will not receive patches. If you’re still running 18.x or anything older, that is a separate problem worth addressing.
What You Should Do
Check your version. Run `node --version` across your production fleet, containers, and CI base images. If you’re on any of the four active lines (20.x, 22.x, 24.x, 25.x), an update is available now.
Update. Use your version manager or package manager to pull the latest release on your current line. If you’re using Docker, update your base image tags and rebuild. If you’re using a managed Node runtime (Lambda, Cloud Run, App Engine), check whether your provider auto-updates or requires a manual trigger.
Watch the release notes. With high-severity issues and CVE details still pending, revisit the advisory in the next 24-48 hours. Once the technical details are published, you’ll want to assess whether any of the fixes are relevant to your specific usage patterns – particularly if you’re running exposed HTTP servers, handling untrusted input, or using any native addon surface.
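The "check your version" step is the part worth automating, because the same check has to run across hosts, container images and CI base images. The script below is an added example (not from the Node.js project or the original post): it takes version strings as printed by `node --version`, looks up the release line, and classifies each as end-of-life, below the first patched version, or patched. The patched version numbers are not in the advisory summary, so the table values here are constructed placeholders, as is the sample inventory; replace the table with the numbers from the actual release announcement.

```shell
#!/bin/sh
# Added example, not the Node.js project's own tooling. Classifies Node.js
# versions collected from a fleet against a per-line "first patched version"
# table. Expects release versions of the form [v]MAJOR.MINOR.PATCH.
set -u

# PLACEHOLDER table, "<major> <first patched version>" per active line. These
# numbers are constructed for illustration and are NOT the real patched
# versions; fill them in from the release announcement before relying on this.
MIN_PATCHED_TABLE='20 20.18.1
22 22.12.0
24 24.1.0
25 25.1.0'

# Constructed sample inventory ("<host> <node --version output>"), standing in
# for what you would collect over ssh, from container images or CI base images.
SAMPLE_INVENTORY='web-01 v22.12.0
web-02 v22.11.0
worker-01 v20.18.1
ci-base v18.20.4'

# version_ge A B: succeeds when A >= B, comparing major.minor.patch as numbers
# (a leading "v" as printed by `node --version` is accepted on either side).
version_ge() {
  set -- $(printf '%s %s' "$1" "$2" | tr -d v | tr . ' ')
  a1=$1; a2=$2; a3=$3; b1=$4; b2=$5; b3=$6
  if [ "$a1" -ne "$b1" ]; then [ "$a1" -gt "$b1" ]; return; fi
  if [ "$a2" -ne "$b2" ]; then [ "$a2" -gt "$b2" ]; return; fi
  [ "$a3" -ge "$b3" ]
}

# min_patched_for_line MAJOR [TABLE]: prints the first patched version for that
# line; fails when the line is not in the table, i.e. it is end-of-life.
min_patched_for_line() {
  printf '%s\n' "${2:-$MIN_PATCHED_TABLE}" |
    awk -v m="$1" '$1 == m { print $2; found = 1 } END { exit !found }'
}

# classify_node_version VERSION [TABLE]: prints eol, patched or vulnerable.
classify_node_version() {
  v=$(printf '%s' "$1" | sed 's/^v//')
  major=${v%%.*}
  min=$(min_patched_for_line "$major" "${2:-$MIN_PATCHED_TABLE}") || { echo eol; return 0; }
  if version_ge "$v" "$min"; then echo patched; else echo vulnerable; fi
}

# report [INVENTORY] [TABLE]: one line per host with its classification.
report() {
  printf '%s\n' "${1:-$SAMPLE_INVENTORY}" | while read -r host ver; do
    printf '%-10s %-10s %s\n' "$host" "$ver" \
      "$(classify_node_version "$ver" "${2:-$MIN_PATCHED_TABLE}")"
  done
}

report
```

In practice the inventory column comes from whatever you already use to reach hosts (`ssh host node --version`) or from running `node --version` inside each base image tag you build from; anything reported as `eol` is the 18.x-and-older problem the advisory does not fix, and anything reported as `vulnerable` is a rebuild or runtime bump.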
The Broader Pattern
Node.js maintains a disciplined security release process. Pre-announcements go out via nodejs-sec before the patched versions land, giving teams time to prepare. Technical details are published after a holding period. The cadence is predictable.
The practical implication: if your dependency update tooling is not watching Node.js release lines, you are relying on luck. Dependabot, Renovate, and similar tools track npm packages well but often do not alert on runtime version updates. That gap is worth closing with a scheduled check or a subscription to nodejs-sec directly.
Patch now. Read the CVE details when they land. Update your base images.