René's URL Explorer Experiment


Title: deps: bundled OpenSSL 3.5.5 in v24.x has multiple CVEs, fixed in OpenSSL 3.5.6 · Issue #63122 · nodejs/node · GitHub

Open Graph Title: deps: bundled OpenSSL 3.5.5 in v24.x has multiple CVEs, fixed in OpenSSL 3.5.6 · Issue #63122 · nodejs/node

X Title: deps: bundled OpenSSL 3.5.5 in v24.x has multiple CVEs, fixed in OpenSSL 3.5.6 · Issue #63122 · nodejs/node

Description: Version v24.15.0 Platform Linux, x86_64. Image: `node:24-alpine`, digest `sha256:d1b3b4da11eefd59...`, last pushed 2026-04-16, alpine 3.23 base. Subsystem deps / openssl What steps will reproduce the bug? docker pull node:24-alpine docke...

Open Graph Description: Version v24.15.0 Platform Linux, x86_64. Image: `node:24-alpine`, digest `sha256:d1b3b4da11eefd59...`, last pushed 2026-04-16, alpine 3.23 base. Subsystem deps / openssl What steps will reproduce t...

X Description: Version v24.15.0 Platform Linux, x86_64. Image: `node:24-alpine`, digest `sha256:d1b3b4da11eefd59...`, last pushed 2026-04-16, alpine 3.23 base. Subsystem deps / openssl What steps will reproduce t...

Opengraph URL: https://github.com/nodejs/node/issues/63122

X: @github

direct link

Domain: github.com


Hey, it has json ld scripts:
{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"deps: bundled OpenSSL 3.5.5 in v24.x has multiple CVEs, fixed in OpenSSL 3.5.6","articleBody":"### Version\n\nv24.15.0\n\n### Platform\n\n```text\nLinux, x86_64. Image: `node:24-alpine`, digest `sha256:d1b3b4da11eefd59...`, last pushed 2026-04-16, alpine 3.23 base.\n```\n\n### Subsystem\n\ndeps / openssl\n\n### What steps will reproduce the bug?\n\n1. `docker pull node:24-alpine`\n2. `docker run --rm node:24-alpine node -p \"process.versions.openssl\"`\n   returns `3.5.5`.\n3. The OpenSSL 3.5.6 release notes\n   (\u003chttps://github.com/openssl/openssl/releases/tag/openssl-3.5.6\u003e) list\n   the seven CVEs fixed in that release; v24.x ships 3.5.5 and is\n   therefore exposed:\n\n   | CVE | Severity | CVSS |\n   | --- | --- | --- |\n   | [CVE-2026-31789](https://nvd.nist.gov/vuln/detail/CVE-2026-31789) | Critical | 9.8 |\n   | [CVE-2026-28387](https://nvd.nist.gov/vuln/detail/CVE-2026-28387) | High | 8.1 |\n   | [CVE-2026-28388](https://nvd.nist.gov/vuln/detail/CVE-2026-28388) | High | 7.5 |\n   | [CVE-2026-28389](https://nvd.nist.gov/vuln/detail/CVE-2026-28389) | High | 7.5 |\n   | [CVE-2026-28390](https://nvd.nist.gov/vuln/detail/CVE-2026-28390) | High | 7.5 |\n   | [CVE-2026-31790](https://nvd.nist.gov/vuln/detail/CVE-2026-31790) | High | 7.5 |\n   | [CVE-2026-2673](https://nvd.nist.gov/vuln/detail/CVE-2026-2673)   | High | 7.5 |\n\n4. Optional, end-to-end repro via Amazon Inspector using the public\n   [`aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1`](https://github.com/aws-actions/vulnerability-scan-github-action-for-amazon-inspector)\n   action with `artifact_type: container` and `artifact_path: node:24-alpine`\n   reproduces all seven findings against `pkg:generic/openssl/openssl@3.5.5`\n   with `Fixed Package: 3.5.6` and paths under\n   `/usr/local/include/node/openssl/...`.\n\n\n### How often does it reproduce? Is there a required condition?\n\nReproducible against any v24.15.0 image.\n\n### What is the expected behavior? Why is that the expected behavior?\n\nA v24.x patch release that bumps `deps/openssl` from 3.5.5 to 3.5.6,\nclearing the seven CVEs.\n\n[OpenSSL 3.5.6](https://github.com/openssl/openssl/releases/tag/openssl-3.5.6)\nwas published 2026-04-07 with fixes for the CVEs above. Node v24.15.0\nwas published 2026-04-15, eight days after the OpenSSL release, but\nships OpenSSL 3.5.5 — pinned at `deps/openssl/openssl/VERSION.dat`:\n\n\u003chttps://github.com/nodejs/node/blob/848430679556aed0bd073f2bc263331ad84fa119/deps/openssl/openssl/VERSION.dat#L1-L3\u003e\n\nAs of 2026-05-04, no newer 24.x release has shipped, leaving downstream\nCVE-gating CI blocked on the bundled OpenSSL.\n\n### What do you see instead?\n\n`node -p \"process.versions.openssl\"` returns `3.5.5` in the `node:24-alpine` container.\n\n[inspector_scan_25270031181.pdf](https://github.com/user-attachments/files/27372715/inspector_scan_25270031181.pdf)\n\n### Additional information\n\n`gh pr list --repo nodejs/node --state open --search \"openssl in:title\"`\non 2026-05-04 shows no open `deps: upgrade openssl to 3.5.6` PR. If a\nv24.x release with OpenSSL 3.5.6 is already on the security release\nschedule, a pointer to the tracking issue would help.","author":{"url":"https://github.com/roger-pmta","@type":"Person","name":"roger-pmta"},"datePublished":"2026-05-04T18:53:52.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":2},"url":"https://github.com/63122/node/issues/63122"}

route-pattern/_view_fragments/issues/show/:user_id/:repository/:id/issue_layout(.:format)
route-controllervoltron_issues_fragments
route-actionissue_layout
fetch-noncev2:9a631bd0-6c4a-70b2-9828-bb8509e4c801
current-catalog-service-hash81bb79d38c15960b92d99bca9288a9108c7a47b18f2423d0f6438c5b7bcd2114
request-idED1A:3555CE:ABE2C5:E86250:6A4D51FE
html-safe-nonce0a89f4acc07ed9598b09ad4a02142e56519115b155bf6cd74407dcb17e609204
visitor-payloadeyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiJFRDFBOjM1NTVDRTpBQkUyQzU6RTg2MjUwOjZBNEQ1MUZFIiwidmlzaXRvcl9pZCI6IjUyNjM4MzQ5OTY4OTY3ODA3OTgiLCJyZWdpb25fZWRnZSI6ImlhZCIsInJlZ2lvbl9yZW5kZXIiOiJpYWQifQ==
visitor-hmac8cbcdc6413a74f178ac7e09c568a6537b79cf7bc663813b3261c980a88fae2d1
hovercard-subject-tagissue:4378885292
github-keyboard-shortcutsrepository,issues,copilot
google-site-verificationApib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I
octolytics-urlhttps://collector.github.com/github/collect
analytics-location///voltron/issues_fragments/issue_layout
fb:app_id1401488693436528
apple-itunes-appapp-id=1477376905, app-argument=https://github.com/_view_fragments/issues/show/nodejs/node/63122/issue_layout
twitter:imagehttps://opengraph.githubassets.com/f0e237a190d4931ef62c12bb91a1f10f30cfd5e1d07f64ef6f2b7f0a51f6788a/nodejs/node/issues/63122
twitter:cardsummary_large_image
og:imagehttps://opengraph.githubassets.com/f0e237a190d4931ef62c12bb91a1f10f30cfd5e1d07f64ef6f2b7f0a51f6788a/nodejs/node/issues/63122
og:image:altVersion v24.15.0 Platform Linux, x86_64. Image: `node:24-alpine`, digest `sha256:d1b3b4da11eefd59...`, last pushed 2026-04-16, alpine 3.23 base. Subsystem deps / openssl What steps will reproduce t...
og:image:width1200
og:image:height600
og:site_nameGitHub
og:typeobject
og:author:usernameroger-pmta
hostnamegithub.com
expected-hostnamegithub.com
None92571a8944142227b7e19cd10918b1ddd06e5066c1ad5bc7e4769cf6140a87e6
turbo-cache-controlno-preview
go-importgithub.com/nodejs/node git https://github.com/nodejs/node.git
octolytics-dimension-user_id9950313
octolytics-dimension-user_loginnodejs
octolytics-dimension-repository_id27193779
octolytics-dimension-repository_nwonodejs/node
octolytics-dimension-repository_publictrue
octolytics-dimension-repository_is_forkfalse
octolytics-dimension-repository_network_root_id27193779
octolytics-dimension-repository_network_root_nwonodejs/node
turbo-body-classeslogged-out env-production page-responsive
disable-turbofalse
browser-stats-urlhttps://api.github.com/_private/browser/stats
browser-errors-urlhttps://api.github.com/_private/browser/errors
release56fc8347865a14e2ec811533d68f929cf4e0ec19
ui-targetfull
theme-color#1e2327
color-schemelight dark

Links:

Skip to contenthttps://github.com/nodejs/node/issues/63122#start-of-content
https://github.com/
Sign in https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2Fnodejs%2Fnode%2Fissues%2F63122
GitHub CopilotWrite better code with AIhttps://github.com/features/copilot
GitHub Copilot appDirect agents from issue to mergehttps://github.com/features/ai/github-app
MCP RegistryNewIntegrate external toolshttps://github.com/mcp
ActionsAutomate any workflowhttps://github.com/features/actions
CodespacesInstant dev environmentshttps://github.com/features/codespaces
IssuesPlan and track workhttps://github.com/features/issues
Code ReviewManage code changeshttps://github.com/features/code-review
GitHub Advanced SecurityFind and fix vulnerabilitieshttps://github.com/security/advanced-security
Code securitySecure your code as you buildhttps://github.com/security/advanced-security/code-security
Secret protectionStop leaks before they starthttps://github.com/security/advanced-security/secret-protection
Why GitHubhttps://github.com/why-github
Documentationhttps://docs.github.com
Bloghttps://github.blog
Changeloghttps://github.blog/changelog
Marketplacehttps://github.com/marketplace
View all featureshttps://github.com/features
Enterpriseshttps://github.com/enterprise
Small and medium teamshttps://github.com/team
Startupshttps://github.com/enterprise/startups
Nonprofitshttps://github.com/solutions/industry/nonprofits
App Modernizationhttps://github.com/solutions/use-case/app-modernization
DevSecOpshttps://github.com/solutions/use-case/devsecops
DevOpshttps://github.com/solutions/use-case/devops
CI/CDhttps://github.com/solutions/use-case/ci-cd
View all use caseshttps://github.com/solutions/use-case
Healthcarehttps://github.com/solutions/industry/healthcare
Financial serviceshttps://github.com/solutions/industry/financial-services
Manufacturinghttps://github.com/solutions/industry/manufacturing
Governmenthttps://github.com/solutions/industry/government
View all industrieshttps://github.com/solutions/industry
View all solutionshttps://github.com/solutions
AIhttps://github.com/resources/articles?topic=ai
Software Developmenthttps://github.com/resources/articles?topic=software-development
DevOpshttps://github.com/resources/articles?topic=devops
Securityhttps://github.com/resources/articles?topic=security
View all topicshttps://github.com/resources/articles
Customer storieshttps://github.com/customer-stories
Events & webinarshttps://github.com/resources/events
Ebooks & reportshttps://github.com/resources/whitepapers
Business insightshttps://github.com/solutions/executive-insights
GitHub Skillshttps://skills.github.com
Documentationhttps://docs.github.com
Customer supporthttps://support.github.com
Community forumhttps://github.com/orgs/community/discussions
Trust centerhttps://github.com/trust-center
Partnershttps://github.com/partners
View all resourceshttps://github.com/resources
GitHub SponsorsFund open source developershttps://github.com/sponsors
Security Labhttps://securitylab.github.com
Maintainer Communityhttps://maintainers.github.com
Acceleratorhttps://github.com/accelerator
GitHub Starshttps://stars.github.com
Archive Programhttps://archiveprogram.github.com
Topicshttps://github.com/topics
Trendinghttps://github.com/trending
Collectionshttps://github.com/collections
Enterprise platformAI-powered developer platformhttps://github.com/enterprise
GitHub Advanced SecurityEnterprise-grade security featureshttps://github.com/security/advanced-security
Copilot for BusinessEnterprise-grade AI featureshttps://github.com/features/copilot/copilot-business
Premium SupportEnterprise-grade 24/7 supporthttps://github.com/premium-support
Pricinghttps://github.com/pricing
Search syntax tipshttps://docs.github.com/search-github/github-code-search/understanding-github-code-search-syntax
documentationhttps://docs.github.com/search-github/github-code-search/understanding-github-code-search-syntax
Sign in https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2Fnodejs%2Fnode%2Fissues%2F63122
Sign up https://github.com/signup?ref_cta=Sign+up&ref_loc=header+logged+out&ref_page=%2F%3Cuser-name%3E%2F%3Crepo-name%3E%2Fvoltron%2Fissues_fragments%2Fissue_layout&source=header-repo&source_repo=nodejs%2Fnode
Reloadhttps://github.com/nodejs/node/issues/63122
Reloadhttps://github.com/nodejs/node/issues/63122
Reloadhttps://github.com/nodejs/node/issues/63122
Please reload this pagehttps://github.com/nodejs/node/issues/63122
nodejs https://github.com/nodejs
nodehttps://github.com/nodejs/node
Please reload this pagehttps://github.com/nodejs/node/issues/63122
Notifications https://github.com/login?return_to=%2Fnodejs%2Fnode
Fork 36k https://github.com/login?return_to=%2Fnodejs%2Fnode
Star 118k https://github.com/login?return_to=%2Fnodejs%2Fnode
Code https://github.com/nodejs/node
Issues 1.4k https://github.com/nodejs/node/issues
Pull requests 958 https://github.com/nodejs/node/pulls
Actions https://github.com/nodejs/node/actions
Projects https://github.com/nodejs/node/projects
Security and quality 0 https://github.com/nodejs/node/security
Insights https://github.com/nodejs/node/pulse
Code https://github.com/nodejs/node
Issues https://github.com/nodejs/node/issues
Pull requests https://github.com/nodejs/node/pulls
Actions https://github.com/nodejs/node/actions
Projects https://github.com/nodejs/node/projects
Security and quality https://github.com/nodejs/node/security
Insights https://github.com/nodejs/node/pulse
deps: bundled OpenSSL 3.5.5 in v24.x has multiple CVEs, fixed in OpenSSL 3.5.6https://github.com/nodejs/node/issues/63122#top
https://github.com/roger-pmta
roger-pmtahttps://github.com/roger-pmta
on May 4, 2026https://github.com/nodejs/node/issues/63122#issue-4378885292
https://github.com/openssl/openssl/releases/tag/openssl-3.5.6https://github.com/openssl/openssl/releases/tag/openssl-3.5.6
CVE-2026-31789https://nvd.nist.gov/vuln/detail/CVE-2026-31789
CVE-2026-28387https://nvd.nist.gov/vuln/detail/CVE-2026-28387
CVE-2026-28388https://nvd.nist.gov/vuln/detail/CVE-2026-28388
CVE-2026-28389https://nvd.nist.gov/vuln/detail/CVE-2026-28389
CVE-2026-28390https://nvd.nist.gov/vuln/detail/CVE-2026-28390
CVE-2026-31790https://nvd.nist.gov/vuln/detail/CVE-2026-31790
CVE-2026-2673https://nvd.nist.gov/vuln/detail/CVE-2026-2673
aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1https://github.com/aws-actions/vulnerability-scan-github-action-for-amazon-inspector
OpenSSL 3.5.6https://github.com/openssl/openssl/releases/tag/openssl-3.5.6
node/deps/openssl/openssl/VERSION.dathttps://github.com/nodejs/node/blob/848430679556aed0bd073f2bc263331ad84fa119/deps/openssl/openssl/VERSION.dat#L1-L3
8484306https://github.com/nodejs/node/commit/848430679556aed0bd073f2bc263331ad84fa119
inspector_scan_25270031181.pdfhttps://github.com/user-attachments/files/27372715/inspector_scan_25270031181.pdf
https://github.com
Termshttps://docs.github.com/site-policy/github-terms/github-terms-of-service
Privacyhttps://docs.github.com/site-policy/privacy-policies/github-privacy-statement
Securityhttps://github.com/security
Statushttps://www.githubstatus.com/
Communityhttps://github.community/
Docshttps://docs.github.com/
Contacthttps://support.github.com?tags=dotcom-footer

Viewport: width=device-width


URLs of crawlers that visited me.