Skip to content

Security Risk - Outdated Node.js Version (18.0.0) #22070

New issue
New issue
Open
Open
Security Risk - Outdated Node.js Version (18.0.0)#22070
Labels
area/guidesstatus/triageNeeds triage
@kristiyan-velkov

Description

@kristiyan-velkov
kristiyan-velkov
opened on Feb 20, 2025

Is this a docs issue?

  • My issue is about the documentation content or website

Type of issue

Other

Description

The project is currently using Node.js 18.0.0, which has multiple known security vulnerabilities and is not an LTS release.

Since its release on April 19, 2022, several security patches have been issued. Running an outdated version exposes the application to potential attacks.

Security Risks

  1. CVE-2022-32212 - HTTP Request Smuggling
  • The llhttp parser did not properly delimit HTTP requests, making it susceptible to smuggling attacks.
  • Fixed in Node.js 18.5.0
  1. Improper Certificate Validation
  • Weak certificate validation could allow man-in-the-middle (MITM) attacks.
  • Fixed in Node.js 18.16.1
  1. Access Restriction Bypass
  • Arbitrary code execution vulnerability due to improper validation of data: URLs.
  • Fixed in Node.js 18.17.1
  1. Use-After-Free Vulnerability
  • Improper memory handling leading to potential remote code execution.
  • Fixed in Node.js 18.14.1

Location

https://docs.docker.com/guides/nodejs/develop/

Suggestion

Upgrade Node.js to the latest LTS release (Node.js 22.14.0 or later)

ARG NODE_VERSION=22.14.0-alpine

Image

Activity

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Assignees

No one assigned

    Labels

    area/guidesstatus/triageNeeds triage

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions