On January 22, 2025, CVE-2025-23088 was published by HackerOne to inform users about the risks of continuing to use End-of-Life (EOL) versions of Node.js. This CVE has quickly sparked debate in the security community, with some experts labeling it the “worst CVE of the year” – not for its severity, but for the controversy surrounding its validity.
The CVE states that older versions of Node.js, which have reached their EOL and are no longer supported, pose potential risks due to unpatched vulnerabilities and outdated dependencies. It advises users to upgrade to actively supported versions to ensure ongoing security updates and support. While the warning may seem reasonable at first glance, critics argue that it sets a dangerous precedent for what constitutes a CVE.

The Node.js team explained in a recent blog post that issuing a CVE for EOL versions was intended to provide users with a clear and standardized notification about the risks of running unsupported software. They emphasized that this approach ensures organizations relying on automated tools and vulnerability scanning can recognize EOL versions as a potential security risk and take action accordingly.
The team cited Node.js v16 being downloaded 11 million times per month, despite having been EOL for more than a year. This widespread usage of unsupported versions of Node.js is a legitimate concern, but the controversy is around whether it’s helpful for Node.js to use CVEs as an avenue for mitigating the issue. Does this usage of the CVE program scale if every widely used open source project were to issue CVEs for EOL versions?
In the GitHub discussion on the issue, Node.js collaborator and TSC member Michael Dawson suggested that publishing EOL versions as a CVE “would be a more reliable way of having it be recognized as a risk.”

Resource constraints within the Node.js project have also influenced the decision, with limited capacity to evaluate vulnerabilities in outdated versions while prioritizing active releases.
"The Node.js project issued a CVE for all EOL releases due to limited resources for evaluating each past version," Node.js TSC Vice-Chair Matteo Collina said. "With current funding focused on maintaining the security of active releases, the EOL versions contain multiple vulnerabilities. This CVE serves to raise awareness of the security risks associated with using outdated Node.js versions—ensure your environments are running supported versions."
A Systemic Issue or a Necessary PSA?
Cisco Threat Detection and Response Engineer Jerry Gamblin recently brought attention to the CVE on LinkedIn, calling it “the worst CVE of the year.” He speculated that the purpose of HackerOne filing the CVE was to give bug bounty hunters a way to claim Node.js applications as "vulnerable" without identifying actual vulnerabilities, thereby creating unnecessary noise in the CVE system.

The backlash centers around the nature of the CVE itself. By definition, CVEs are meant to document specific vulnerabilities, but CVE-2025-23088 appears to be more of a general public service announcement (PSA) about using unsupported software.
“Using software that is not well supported is a CWE [Common Weakness Enumeration], not a CVE,” Gil Yehuda commented on LinkedIn.
Several industry leaders have raised concerns about the long-term implications of treating EOL announcements as CVEs. Michael Lieberman, co-founder and CTO of Kusari, commented, “A security risk (e.g., EOL) is not in and of itself a vulnerability. At best, it causes confusion; at worst, it devalues a system that is already being hit from every angle.”
HackerOne Responds to Controversial Node.js EOL Versions CVE
HackerOne, the Certified Numbering Authority (CNA) responsible for managing CVEs for Node.js, responded to the criticism. Alex Rice, Founder and CTO of HackerOne, explained, “We sought guidance from MITRE, and, for better or worse, this is encouraged today. It didn’t feel correct to enforce a different stance from MITRE.”
Rice acknowledged the mixed feelings within the community but noted that as Node.js’ CNA, HackerOne is obligated to follow MITRE’s lead in issuing CVEs, even for EOL announcements.

Impacts on the Vulnerability Ecosystem
The decision to publish this CVE has left many in the industry frustrated with what they see as a misuse of the CVE system.
“At best, it is a mistake; at worst, it is an abuse of the CVE system, which is already seeing massive growth of legitimate vulnerabilities,” Jerry Gamblin commented.
"At the end of the day this is a hypothetical CVE," Chainguard CEO Dan Lorenc said. "We have enough real vulnerabilities and real CVEs; we don’t need hypothetical ones.”
Hardik Cholera, a Cyber Threat and Vulnerability Management Specialist, echoed these concerns, calling it “a complete misuse of CVE logging process.” He suggested that such CVEs should fall under a new “Informational EOL” category rather than being logged alongside real vulnerabilities.
“Yes, the classic ‘CVE-as-a-service’ move,” NST Cyber CTO Arun T. commented. “Nothing screams ‘critical vulnerability’ like ‘your tech is old.’ Unfortunately, compliance doesn’t care about the irony—high severity means remediation is mandatory.”
Without the context of the Node.js TSC’s discussion on raising awareness, the decision to issue a CVE for EOL versions appears to many security experts as an unnecessary inflation of the CVE database, undermining its purpose by categorizing general risks as vulnerabilities.
“There is a perverse incentive to submit BS, junk CVEs that has been furthered by bounty programs,” AboutCode CTO Philippe Ombredanne commented. “This is pure churn and useless busywork imposed on everyone.”
The Need for Clearer CVE Guidelines
This debate comes at a time when the vulnerability management ecosystem is already grappling with challenges like CVSS score inflation and the growing noise in vulnerability databases.

Experts worry that CVEs like this may erode trust in the system, making it harder to prioritize real security risks. Some experts believe the Node.js EOL CVE is a symptom of a larger problem with how the industry handles vulnerability reporting.
The uproar around CVE-2025-23088 has reignited calls for clearer definitions and guidelines on what qualifies as a CVE. While the intention of the Node.js team and HackerOne may have been to raise awareness about security risks, the resulting controversy highlights the need for a more thoughtful approach to vulnerability reporting.