The OpenSSL Security releases of May 3 2022 affects Node.js 17.x and 18.x but highest serverity is “Low”
Our assessment of the security advisory is:
Node.js doesn’t use or ship the
script. Therefore, Node.js is not affected
The Node.js doesn’t call
with the custom flag
is not affected.
Node.js does not compile with
, therefore, Node.js is not affected.
Node.js 17.x and 18.x are affected by this CVE which is rated “Low”.
Given this assessment, the OpenSSL updates for Node.js will be delievered through the regular
Node.js release cycle with releases scheduled by the end of May.
The current Node.js security policy can be found at https://github.com/nodejs/node/blob/HEAD/SECURITY.md#security,
including information on how to report a vulnerability in Node.js.
Subscribe to the low-volume announcement-only nodejs-sec mailing list at
https://groups.google.com/forum/#!forum/nodejs-sec to stay up to date on
security vulnerabilities and security-related releases of Node.js and the
projects maintained in the
nodejs GitHub organization.