CVE-2025-23087: 
Node.js vulnerability analysis and mitigation

CVE-2025-23087 has been issued to inform users about the security risks associated with using End-of-Life (EOL) versions of Node.js. This vulnerability specifically affects Node.js versions 17.x and prior, which are no longer supported and do not receive security updates or patches. The vulnerability was disclosed on January 21, 2025 (Node Blog, NVD).

The vulnerability is classified with CWE-1104 (Use of Unmaintained Third Party Components) and has received a CVSS v3.0 base score of 8.8 (HIGH) with the vector string CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The technical nature of this vulnerability stems from the continued use of unsupported Node.js versions that no longer receive security patches or updates (Red Hat).

The use of EOL versions may expose systems to potential security risks due to unaddressed software vulnerabilities or dependencies. This affects confidentiality, integrity, and availability of systems running these outdated versions, as indicated by the high impact scores across all three categories in the CVSS rating (NVD).

Users are advised to upgrade to actively supported versions of Node.js to ensure continued security updates and support. Currently supported versions include 23.x, 22.x, 20.x, and 18.x release lines (Node Blog, EOL Date).

The security community has noted this as a novel approach to using CVEs to highlight EOL software risks. Greg KH, a prominent figure in the open-source community, supported this initiative, suggesting it would be beneficial for other projects to follow suit, especially those that are CVE Numbering Authorities (OSS Security).