Node.js 20.19.4 includes OpenSSL 3.0.15 which has known CVEs fixed in 3.0.16

[jiec-msft]

Version

v20.19.4

Platform

Linux CPC-jiec-GCIK3D 6.6.87.2-microsoft-standard-WSL2 #1 SMP PREEMPT_DYNAMIC Thu Jun  5 18:30:46 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

Subsystem

openssl

What steps will reproduce the bug?

I noticed that Node.js 20.19.4 LTS currently includes OpenSSL 3.0.15+quic (By running node -e "console.log('OpenSSL version:', process.versions.openssl)"). OpenSSL 3.0.16 was recently released with fixes for a couple of security vulnerabilities. I wanted to bring this to your attention in case it would be helpful to consider updating to the newer version.

How often does it reproduce? Is there a required condition?

OpenSSL 3.0.16 includes fixes for:

1. CVE-2024-13176 - GHSA-r9fv-h47r-823f
2. CVE-2024-9143 - GHSA-q764-r57m-9wp9

What is the expected behavior? Why is that the expected behavior?

Would it be possible to consider updating OpenSSL to version 3.0.16 in a future Node.js 20.x LTS patch release? I understand this would need to go through the normal testing and release process.

What do you see instead?

Currently, Node.js 20.x LTS latest version uses OpenSSL 3.0.15+quic

Additional information

Thank you!

[marco-ippolito]

We are updating to 3.0.16 in the next release schedule for next week #59551

[jiec-msft]

@marco-ippolito Cool, great to hear this!

[marco-ippolito]

v20.19.5 has been released https://nodejs.org/en/blog/release/v20.19.5 shipping openssl 3.0.16