I discovered that the Node.js team maintains is-my-node-vulnerable as an official security tool to help developers identify known vulnerabilities in their Node.js versions.
npx is-my-node-vulnerable
Behind the scenes, it’s comparing your process.version with the Node.js Security Database. The output is crystal clear - you’ll either see a celebratory “ALL GOOD” message or a detailed warning about specific vulnerabilities affecting your version.
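To make that comparison concrete, here is an added example (not the package’s own code) that re-implements the core check against a small, constructed database: a version is flagged when it falls inside an entry’s vulnerable range and outside its patched range. The field names cve, severity, vulnerable and patched are assumed to mirror the Node.js security database layout, and the range syntax handled is only the caret and X.x forms that appear in the tool’s output below.

```javascript
// Added example, not the is-my-node-vulnerable package's own code: a minimal
// re-implementation of its check, so the comparison of a Node.js version
// against the security database is visible end to end. SAMPLE_DB is
// CONSTRUCTED for illustration; its field names (cve, severity, vulnerable,
// patched) are assumed to mirror the nodejs/security-wg vulnerability index.
const SAMPLE_DB = [
  { cve: 'CVE-2023-44487', severity: 'high',   vulnerable: '18.x || 20.x', patched: '^18.18.2 || ^20.8.1' },
  { cve: 'CVE-2023-39332', severity: 'high',   vulnerable: '20.x',         patched: '^20.8.1' },
  { cve: 'CVE-2024-21890', severity: 'medium', vulnerable: '20.x || 21.x', patched: '^20.11.1 || ^21.6.2' },
];

// "v20.5.1" or "20.5.1" -> [20, 5, 1]
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Range syntax needed for the output shown on this page: "^X.Y.Z" means
// >=X.Y.Z <(X+1).0.0, "X.x" means any X.*.*, and "||" joins alternatives.
function satisfies(version, range) {
  const v = parseVersion(version);
  return range.split('||').some((alt) => {
    alt = alt.trim();
    let lo;
    if (alt.startsWith('^')) lo = parseVersion(alt.slice(1));
    else if (/^\d+\.x$/.test(alt)) lo = [Number(alt.split('.')[0]), 0, 0];
    else throw new Error(`unsupported range syntax: ${alt}`);
    return compare(v, lo) >= 0 && compare(v, [lo[0] + 1, 0, 0]) < 0;
  });
}

// A version is affected by an entry when it is inside the vulnerable range
// and outside the patched range; returns the affected CVE ids with severity.
function findVulnerabilities(version, db = SAMPLE_DB) {
  return db
    .filter((e) => satisfies(version, e.vulnerable) && !satisfies(version, e.patched))
    .map((e) => `${e.cve} (${e.severity})`);
}

// Same input the tool uses: the running process's own version.
const hits = findVulnerabilities(process.version);
console.log(hits.length ? hits.join('\n') : 'ALL GOOD');
```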
Understanding Version Vulnerabilities
Node.js versions can contain security vulnerabilities that get discovered over time. For example, Node.js 20.3.0 had a vulnerability, CVE-2023-30581, where the security policy mechanism could be bypassed using process.mainModule.__proto__.require().
The is-my-node-vulnerable package helps teams identify such vulnerabilities before they become problems. It’s a proactive approach to security that can save you from potential headaches down the line.
How to Use is-my-node-vulnerable
I’m using Node 20.5.1 in this example. Running npx is-my-node-vulnerable will check this version against the Node.js Security Database.
➜ npx is-my-node-vulnerable
The current Node.js version (v20.5.1) is vulnerable to the following CVEs:
CVE-2023-45143(low): Cookie headers are not cleared in cross-domain redirect in undici-fetch (High)
Patched versions: ^18.18.2 || ^20.8.1
==============================================================================
CVE-2023-44487(high): Rapidly creating and cancelling streams (HEADERS frame immediately followed by RST_STREAM) without bound causes denial of service (High)
Patched versions: ^18.18.2 || ^20.8.1
==============================================================================
CVE-2023-39331(high): A previously disclosed vulnerability (CVE-2023-30584) was patched insufficiently. The implementation does not protect itself against the application overwriting built-in utility functions with user-defined implementations (High)
Patched versions: ^20.8.1
==============================================================================
CVE-2023-39332(high): Path traversal through path stored in Uint8Array (High)
Patched versions: ^20.8.1
==============================================================================
CVE-2023-38552(medium): Integrity checks according to experimental policies can be circumvented (Medium)
Patched versions: ^18.18.2 || ^20.8.1
==============================================================================
CVE-2023-39333(low): Code injection via WebAssembly export names (Low)
Patched versions: ^18.18.2 || ^20.8.1
==============================================================================
CVE-2023-46809(medium): A vulnerability in the privateDecrypt() API of the crypto library, allowed a covert timing side-channel during PKCS#1 v1.5 padding error handling.
Patched versions: ^18.19.1 || ^20.11.1 || ^21.6.2
==============================================================================
CVE-2024-21891(medium): Node.js depends on multiple built-in utility functions to normalize paths provided to node:fs functions, which can be overwitten with user-defined implementations leading to filesystem permission model bypass through path traversal attack.
Patched versions: ^20.11.1 || ^21.6.2
==============================================================================
CVE-2024-21890(medium): Improper handling of wildcards in --allow-fs-read and --allow-fs-write
Patched versions: ^20.11.1 || ^21.6.2
==============================================================================
CVE-2024-21892(high): Code injection and privilege escalation through Linux capabilities
Patched versions: ^18.19.1 || ^20.11.1 || ^21.6.2
==============================================================================
CVE-2024-22019(high): A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and denial of service (DoS).
Patched versions: ^18.19.1 || ^20.11.1 || ^21.6.2
==============================================================================
CVE-2024-21896(high): The permission model protects itself against path traversal attacks by calling path.resolve() on any paths given by the user. If the path is to be treated as a Buffer, the implementation uses Buffer.from() to obtain a Buffer from the result of path.resolve().
Patched versions: ^20.11.1 || ^21.6.2
==============================================================================
CVE-2024-22017(high): setuid() does not affect libuv's internal io_uring operations if initialized before the call to setuid(). This allows the process to perform privileged operations despite presumably having dropped such privileges through a call to setuid()
Patched versions: ^20.11.1 || ^21.6.2
==============================================================================
CVE-2024-22025: A vulnerability in Node.js has been identified, allowing for a Denial of Service (DoS) attack through resource exhaustion when using the fetch() function to retrieve content from an untrusted URL.
Patched versions: ^18.19.1 || ^20.11.1 || ^21.6.2
==============================================================================
CVE-2024-27983(high): An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client triggering the Http2Session destructor while header frames are still being processed (and stored in memory) causing a race condition.
Patched versions: ^18.20.1 || ^20.12.1 || ^21.7.2
==============================================================================
CVE-2024-27982(medium): The team has identified a critical vulnerability in the http server of the most recent version of Node, where malformed headers can lead to HTTP request smuggling. Specifically, if a space is placed before a content-length header, it is not interpreted correctly, enabling attackers to smuggle in a second request within the body of the first.
Patched versions: ^18.20.1 || ^20.12.1 || ^21.7.2
==============================================================================
CVE-2024-36137(low): A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-write flag is used.
Node.js Permission Model do not operate on file descriptors, however, operations such as `fs.fchown` or `fs.fchmod` can use a "read-only" file descriptor to change the owner and permissions of a file.
This vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21.
Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
Patched versions: ^20.15.1 || ^22.4.1
==============================================================================
CVE-2024-22018(low): A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-read flag is used. This flaw arises from an inadequate permission model that fails to restrict file stats through the `fs.lstat` API. As a result, malicious actors can retrieve stats from files that they do not have explicit read access to.
This vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 22.
Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
Patched versions: ^20.15.1 || ^22.4.1
==============================================================================
CVE-2024-22020(medium): A security flaw in Node.js allows a bypass of network import restrictions. By embedding non-network imports in data URLs, an attacker can execute arbitrary code, compromising system security.
Verified on various platforms, the vulnerability is mitigated by forbidding data URLs in network imports.
Exploiting this flaw can violate network import security, posing a risk to developers and servers.
Patched versions: ^18.20.4 || ^20.15.1 || ^22.4.1
==============================================================================
CVE-2024-37372: The Permission Model assumes that any path starting with two backslashes \\ has a four-character prefix that can be ignored, which is not always true. This subtle bug leads to vulnerable edge cases.
This vulnerability affects Windows users of the Node.js Permission Model in version v20.x and v22.x
Patched versions: ^20.15.1 || ^22.4.1
==============================================================================
CVE-2025-23083(high): With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created. This is not limited only to workers but also exposes internal workers, where an instance of them can be fetched, and its constructor can be grabbed and reinstated for malicious usage.
This vulnerability affects Permission Model users (--permission) on Node.js v20, v22, and v23
Patched versions: ^20.18.2 || ^22.13.1 || ^23.6.1
==============================================================================
CVE-2025-23085(medium): A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could lead to increased memory consumption and potential denial of service under certain conditions.
This vulnerability affects HTTP/2 Server users on Node.js v18.x, v20.x, v22.x and v23.x.
Patched versions: ^18.20.6 || ^20.18.2 || ^22.13.1 || ^23.6.1
==============================================================================
Yup! Lots of vulnerabilities in Node 20.5.1. Time to update to a more secure version.
For retro-compatibility enthusiasts: This module supports Node.js versions >= v0.12. However, npx does not work with those older versions, so you’ll need to install the package and run index.js manually. If you encounter errors when using npx, it’s likely because you’re using a vulnerable version of Node.js. Please consider upgrading.
The is-my-node-vulnerable package also provides a GitHub Action; just include the node-version in the yml file as follows in order to check a specific version.
name: "Node.js Vulnerabilities"
on:
  schedule:
    - cron: "0 0 * * *"

jobs:
  is-my-node-vulnerable:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Check Node.js
        uses: nodejs/is-my-node-vulnerable@v1
        with:
          node-version: "18.14.1"
Keep your Node.js versions secure by making this check part of your routine. That’s all there is to it.