Node.js
Node.js is the V8-based JavaScript runtime used for APIs, CLI tooling, and agent backends. CVE volume is large because upstream V8/libuv/OpenSSL exposures land as Node CVEs alongside core HTTP and permission mis-handling issues. Attestd filters NVD keyword results through cpe:2.3:a:nodejs:node.js. A merged second namespace (nodejs:nodejs) raises sentinel noise without helping eligibility, so ingestion uses the single canonical CPE prefix.
Querying Node.js
nodejs18.0.0, 22.14.0, semvercurl "https://api.attestd.io/v1/check?product=nodejs&version=18.0.0" \
-H "Authorization: Bearer $ATTESTD_KEY"Node.js 18.0.0 is an early patch level on the Node 18 LTS line that still overlaps multiple CVE ranges for HTTP/WebSocket/OpenSSL-era issues aggregated by NVD. Expect risk_state at high or elevated depending on classify thresholds once synthesis runs against live rows.
{
"product": "nodejs",
"version": "18.0.0",
"supported": true,
"risk_state": "high",
"risk_factors": [
"remote_code_execution",
"patch_available",
"internet_exposed_service"
],
"actively_exploited": false,
"remote_exploitable": true,
"authentication_required": false,
"patch_available": true,
"fixed_version": "18.18.2",
"confidence": 0.86,
"cve_ids": ["CVE-2023-39332"],
"last_updated": "2026-02-23T18:21:30Z",
"supply_chain": null
}Node.js 22.14.0 has no known relevant vulnerabilities at the time of the last synthesis run.
curl "https://api.attestd.io/v1/check?product=nodejs&version=22.14.0" \
-H "Authorization: Bearer $ATTESTD_KEY"CVE history
Node.js CVEs blend core runtime faults with transitive dependencies surfaced as bundled releases. The example below illustrates a patched HTTP-stack issue class that frequently appears in production Node services.
| CVE | Description | Affects | CVSS |
|---|---|---|---|
CVE-2023-39332 | HTTP request smuggling / parsing weakness in Undici exposed via Node Fetch implementation path. | < 18.18.2 | 7.8 |