The vulnerability in the OpenSSL Security release of Oct 11 2022 does not affect any active Node.js release lines, as well
as the zlib vulnerability (CVE-2022-37434) patched on the zlib Security release of Oct 13 2022, does not affect Node.js.

Analysis OpenSSL

Our assessment of the security advisory is:

Using a Custom Cipher with


may lead to NULL encryption (CVE-2022-3358)

Node.js doesn’t call

EVP_CIPHER_meth_new(NID_undef, ...)

. Therefore, Node.js is not affected by this vulnerability.

Analysis zlib

Our assessment of the CVE-2022-37434 is:

Buffer overflow in inflate via a large gzip header extra field

Node.js doesn’t call


. Therefore, Node.js is not affected by this vulnerability.

Further information, see: nodejs-dependency-vuln-assessments#50.

Node.js Vulnerability Assessment workflow

The Node.js Security team created an automated workflow that aims to address all the public CVE of Node.js dependencies.

This initiative aims to reduce the gap between a dependency security release and a Node.js assessment.
The repository is available at nodejs/nodejs-dependency-vuln-assessments, and the assessments are made through the

Ensure to watch the repository if you are interested in security patches.

Contact and future updates

The current Node.js security policy can be found at,
including information on how to report a vulnerability in Node.js.

Subscribe to the low-volume announcement-only nodejs-sec mailing list at!forum/nodejs-sec to stay up to date on
security vulnerabilities and security-related releases of Node.js and the
projects maintained in the
Node.js GitHub organization.

Categories: Vulnerability


Leave a Reply

Your email address will not be published. Required fields are marked *