Title: deps: bundled OpenSSL 3.5.5 in v24.x has multiple CVEs, fixed in OpenSSL 3.5.6 · Issue #63122 · nodejs/node · GitHub
Open Graph Title: deps: bundled OpenSSL 3.5.5 in v24.x has multiple CVEs, fixed in OpenSSL 3.5.6 · Issue #63122 · nodejs/node
X Title: deps: bundled OpenSSL 3.5.5 in v24.x has multiple CVEs, fixed in OpenSSL 3.5.6 · Issue #63122 · nodejs/node
Description: Version v24.15.0 Platform Linux, x86_64. Image: `node:24-alpine`, digest `sha256:d1b3b4da11eefd59...`, last pushed 2026-04-16, alpine 3.23 base. Subsystem deps / openssl What steps will reproduce the bug? docker pull node:24-alpine docke...
Open Graph Description: Version v24.15.0 Platform Linux, x86_64. Image: `node:24-alpine`, digest `sha256:d1b3b4da11eefd59...`, last pushed 2026-04-16, alpine 3.23 base. Subsystem deps / openssl What steps will reproduce t...
X Description: Version v24.15.0 Platform Linux, x86_64. Image: `node:24-alpine`, digest `sha256:d1b3b4da11eefd59...`, last pushed 2026-04-16, alpine 3.23 base. Subsystem deps / openssl What steps will reproduce t...
Opengraph URL: https://github.com/nodejs/node/issues/63122
X: @github
Domain: github.com
{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"deps: bundled OpenSSL 3.5.5 in v24.x has multiple CVEs, fixed in OpenSSL 3.5.6","articleBody":"### Version\n\nv24.15.0\n\n### Platform\n\n```text\nLinux, x86_64. Image: `node:24-alpine`, digest `sha256:d1b3b4da11eefd59...`, last pushed 2026-04-16, alpine 3.23 base.\n```\n\n### Subsystem\n\ndeps / openssl\n\n### What steps will reproduce the bug?\n\n1. `docker pull node:24-alpine`\n2. `docker run --rm node:24-alpine node -p \"process.versions.openssl\"`\n returns `3.5.5`.\n3. The OpenSSL 3.5.6 release notes\n (\u003chttps://github.com/openssl/openssl/releases/tag/openssl-3.5.6\u003e) list\n the seven CVEs fixed in that release; v24.x ships 3.5.5 and is\n therefore exposed:\n\n | CVE | Severity | CVSS |\n | --- | --- | --- |\n | [CVE-2026-31789](https://nvd.nist.gov/vuln/detail/CVE-2026-31789) | Critical | 9.8 |\n | [CVE-2026-28387](https://nvd.nist.gov/vuln/detail/CVE-2026-28387) | High | 8.1 |\n | [CVE-2026-28388](https://nvd.nist.gov/vuln/detail/CVE-2026-28388) | High | 7.5 |\n | [CVE-2026-28389](https://nvd.nist.gov/vuln/detail/CVE-2026-28389) | High | 7.5 |\n | [CVE-2026-28390](https://nvd.nist.gov/vuln/detail/CVE-2026-28390) | High | 7.5 |\n | [CVE-2026-31790](https://nvd.nist.gov/vuln/detail/CVE-2026-31790) | High | 7.5 |\n | [CVE-2026-2673](https://nvd.nist.gov/vuln/detail/CVE-2026-2673) | High | 7.5 |\n\n4. Optional, end-to-end repro via Amazon Inspector using the public\n [`aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1`](https://github.com/aws-actions/vulnerability-scan-github-action-for-amazon-inspector)\n action with `artifact_type: container` and `artifact_path: node:24-alpine`\n reproduces all seven findings against `pkg:generic/openssl/openssl@3.5.5`\n with `Fixed Package: 3.5.6` and paths under\n `/usr/local/include/node/openssl/...`.\n\n\n### How often does it reproduce? Is there a required condition?\n\nReproducible against any v24.15.0 image.\n\n### What is the expected behavior? Why is that the expected behavior?\n\nA v24.x patch release that bumps `deps/openssl` from 3.5.5 to 3.5.6,\nclearing the seven CVEs.\n\n[OpenSSL 3.5.6](https://github.com/openssl/openssl/releases/tag/openssl-3.5.6)\nwas published 2026-04-07 with fixes for the CVEs above. Node v24.15.0\nwas published 2026-04-15, eight days after the OpenSSL release, but\nships OpenSSL 3.5.5 — pinned at `deps/openssl/openssl/VERSION.dat`:\n\n\u003chttps://github.com/nodejs/node/blob/848430679556aed0bd073f2bc263331ad84fa119/deps/openssl/openssl/VERSION.dat#L1-L3\u003e\n\nAs of 2026-05-04, no newer 24.x release has shipped, leaving downstream\nCVE-gating CI blocked on the bundled OpenSSL.\n\n### What do you see instead?\n\n`node -p \"process.versions.openssl\"` returns `3.5.5` in the `node:24-alpine` container.\n\n[inspector_scan_25270031181.pdf](https://github.com/user-attachments/files/27372715/inspector_scan_25270031181.pdf)\n\n### Additional information\n\n`gh pr list --repo nodejs/node --state open --search \"openssl in:title\"`\non 2026-05-04 shows no open `deps: upgrade openssl to 3.5.6` PR. If a\nv24.x release with OpenSSL 3.5.6 is already on the security release\nschedule, a pointer to the tracking issue would help.","author":{"url":"https://github.com/roger-pmta","@type":"Person","name":"roger-pmta"},"datePublished":"2026-05-04T18:53:52.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":2},"url":"https://github.com/63122/node/issues/63122"}
| route-pattern | /_view_fragments/issues/show/:user_id/:repository/:id/issue_layout(.:format) |
| route-controller | voltron_issues_fragments |
| route-action | issue_layout |
| fetch-nonce | v2:9a631bd0-6c4a-70b2-9828-bb8509e4c801 |
| current-catalog-service-hash | 81bb79d38c15960b92d99bca9288a9108c7a47b18f2423d0f6438c5b7bcd2114 |
| request-id | ED1A:3555CE:ABE2C5:E86250:6A4D51FE |
| html-safe-nonce | 0a89f4acc07ed9598b09ad4a02142e56519115b155bf6cd74407dcb17e609204 |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiJFRDFBOjM1NTVDRTpBQkUyQzU6RTg2MjUwOjZBNEQ1MUZFIiwidmlzaXRvcl9pZCI6IjUyNjM4MzQ5OTY4OTY3ODA3OTgiLCJyZWdpb25fZWRnZSI6ImlhZCIsInJlZ2lvbl9yZW5kZXIiOiJpYWQifQ== |
| visitor-hmac | 8cbcdc6413a74f178ac7e09c568a6537b79cf7bc663813b3261c980a88fae2d1 |
| hovercard-subject-tag | issue:4378885292 |
| github-keyboard-shortcuts | repository,issues,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/_view_fragments/issues/show/nodejs/node/63122/issue_layout |
| twitter:image | https://opengraph.githubassets.com/f0e237a190d4931ef62c12bb91a1f10f30cfd5e1d07f64ef6f2b7f0a51f6788a/nodejs/node/issues/63122 |
| twitter:card | summary_large_image |
| og:image | https://opengraph.githubassets.com/f0e237a190d4931ef62c12bb91a1f10f30cfd5e1d07f64ef6f2b7f0a51f6788a/nodejs/node/issues/63122 |
| og:image:alt | Version v24.15.0 Platform Linux, x86_64. Image: `node:24-alpine`, digest `sha256:d1b3b4da11eefd59...`, last pushed 2026-04-16, alpine 3.23 base. Subsystem deps / openssl What steps will reproduce t... |
| og:image:width | 1200 |
| og:image:height | 600 |
| og:site_name | GitHub |
| og:type | object |
| og:author:username | roger-pmta |
| hostname | github.com |
| expected-hostname | github.com |
| None | 92571a8944142227b7e19cd10918b1ddd06e5066c1ad5bc7e4769cf6140a87e6 |
| turbo-cache-control | no-preview |
| go-import | github.com/nodejs/node git https://github.com/nodejs/node.git |
| octolytics-dimension-user_id | 9950313 |
| octolytics-dimension-user_login | nodejs |
| octolytics-dimension-repository_id | 27193779 |
| octolytics-dimension-repository_nwo | nodejs/node |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | false |
| octolytics-dimension-repository_network_root_id | 27193779 |
| octolytics-dimension-repository_network_root_nwo | nodejs/node |
| turbo-body-classes | logged-out env-production page-responsive |
| disable-turbo | false |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | 56fc8347865a14e2ec811533d68f929cf4e0ec19 |
| ui-target | full |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width