OSSEVA FOR NODE.JS

Node.js — patched, protected, operated.

Drop-in CVE patches for Node.js 14 through 20 — including EOL community versions no longer receiving upstream security fixes. HTTP/2 CONTINUATION flood, prototype pollution, and V8 engine vulnerabilities covered for the versions running in your production environment.

Book a Node.js DiscoverySee version coverage ↓
Last patch shipped: CVE-2026-31445 · Node.js 18.x · 35d ago

Why now

Node.js 14 and 16 are fully end-of-life

Node.js 14.x reached EOL in April 2023. Node.js 16.x reached EOL in September 2023. Together these versions power a significant fraction of enterprise Node.js deployments — with no upstream CVE patch path since EOL.

CVE-2026-31445 — HTTP/2 CONTINUATION flood in Node.js 18.x–20.x

An HTTP/2 CONTINUATION flood vulnerability disclosed in April 2026 affects Node.js 18.x and 20.x. The attack allows remote DoS via a stream of CONTINUATION frames without sending HEADERS. OSSeva shipped a patched build within 48 hours.

Node.js upgrade paths involve npm ecosystem compatibility risk

Moving from Node.js 14 to 18 or 20 requires validating every npm dependency against the new V8 engine and libuv version. For large microservice portfolios, that's a months-long compatibility validation exercise — not a weekend task.

Versions covered

All versions below receive active CVE patches from OSSeva. Version numbers in monospace are exact release identifiers.

VersionStatusActive CVEs
14.x (Fermium)(Full CVE coverage)EOLClean
16.x (Gallium)(Full CVE coverage)EOLClean
18.x (Hydrogen)(Maintenance LTS)Extended1 open
20.x (Iron)(Active LTS)CurrentClean
22.x (Jod)(Current)CurrentClean

What you get

Three tiers — pick the level of engagement that matches your team's operational needs and compliance requirements.

OSSeva Patch

CVE patches for Node.js 14–20. V8 and libuv CVEs included.

  • Quarterly CVE patches for Node.js 14.x–20.x
  • V8 engine and libuv CVE coverage included
  • Docker / apt / yum / binary delivery
  • Signed artifacts (GPG)
  • CVE disclosure notifications
  • Architecture review
  • 24/7 managed operations
Get started →
Most popular

OSSeva Assure

Patch plus npm dependency scanning and compliance documentation.

  • Everything in Patch
  • npm dependency vulnerability scanning (transitive)
  • HTTP/2 and TLS configuration security review
  • SOC 2 / PCI DSS attestation package
  • Node.js version upgrade path planning
  • Container base image hardening review
  • 24/7 managed operations
Get started →

OSSeva Operate

Full MSP: 24/7 runtime monitoring, 15-min SLA, named Node engineers.

  • Everything in Assure
  • 24/7 process and cluster health monitoring
  • 15-minute P1 incident response SLA
  • Named senior Node.js engineer on your account
  • Event loop and memory leak alerting
  • PM2 / cluster mode operational support
  • Node.js major version migration execution
Get started →

All tiers priced per cluster/application — not per core. Contact for pricing →

How it installs

OSSeva artifacts arrive via your existing package infrastructure. Pull the patched version the same way you pull upstream today — just from the OSSeva registry.

Docker — OSSeva Node.jsdockerfile
FROM artifacts.osseva.io/node:18.20.3-osseva-1-alpine

WORKDIR /app
COPY package*.json ./
RUN npm ci --only=production
COPY . .
EXPOSE 3000
CMD ["node", "server.js"]
apt — install OSSeva Node.jsbash
# Add OSSeva apt repository
curl -fsSL https://packages.osseva.io/gpg | sudo gpg --dearmor -o /usr/share/keyrings/osseva.gpg
echo "deb [signed-by=/usr/share/keyrings/osseva.gpg] https://packages.osseva.io/apt stable main" \
  | sudo tee /etc/apt/sources.list.d/osseva.list

sudo apt-get update
sudo apt-get install -y osseva-nodejs-18

Migrate from Community Node.js (EOL)

Node.js 14.x and 16.x are fully EOL with no upstream patches. Enterprises running large microservice portfolios on these versions face a multi-month compatibility validation exercise before they can upgrade. OSSeva provides CVE coverage for your current version on your upgrade timeline.

Pricing model

OSSeva for Node.js is priced per application runtime — not per core or per deployment instance. Contact for scoping.

Start migration scoping

Compliance library

📄SOC 2 Type II Attestation
Request →
📄Sample Audit Narrative
Request →
📄Pen-Test Report Summary
Request →
📄HIPAA Technical Safeguard Matrix
Request →

Frequently asked questions

Which versions of RabbitMQ are past community end-of-life?

RabbitMQ 3.8.x, 3.9.x, 3.10.x, 3.11.x, and 3.12.x have all reached community EOL — meaning no further security patches or CVE fixes are released by the RabbitMQ maintainers for those versions. RabbitMQ 3.13.x reached EOL in late 2024. OSSeva delivers backported CVE patches for 3.11 through 3.13.

Which PostgreSQL versions are no longer receiving community security patches?

PostgreSQL 9.6 through 13 have all reached community EOL. PostgreSQL 11 reached EOL November 2023, PostgreSQL 12 reached EOL November 2024, and PostgreSQL 13 reaches EOL November 2025. OSSeva provides extended security patching for PostgreSQL 11, 12, and 13 for teams that cannot immediately migrate to PG 14 or later.

Is Spring Framework 5.3.x still supported?

Spring Framework 5.3.x reached its community OSS EOL on December 31, 2024. Broadcom's commercial support for Spring 5.3.x is also no longer available under standard terms. OSSeva delivers backported CVE patches for Spring Framework 5.3.x and Spring Boot 2.7.x under our extended lifecycle support program.

Which versions of Apache Kafka are EOL?

Apache Kafka versions 2.x and 3.0 through 3.4 are past their community supported window, meaning no further patch releases. Kafka 3.5 and 3.6 have reached or are approaching EOL. OSSeva supports Kafka 2.8 through 3.5 with backported security patches and compliance documentation.

What happened to Redis licensing? Can I still use Redis for free?

In March 2024, Redis Ltd. changed the Redis license from BSD-3-Clause to the Business Source License (BSL 1.1), which restricts use in competing database products. The Valkey project (a Linux Foundation fork) continues under BSD-3-Clause. OSSeva maintains BSD-licensed, CVE-patched builds of Redis 6.2 and 7.0 for enterprises that need verifiable open-source licensing alongside security coverage.

Is Node.js 18 still receiving security patches?

Node.js 18 (LTS 'Hydrogen') reached its end-of-life date in April 2025 and no longer receives security releases from the Node.js project. OSSeva delivers CVE patches for Node.js 18 for enterprise teams that have not yet migrated to Node.js 20 or 22.

Is Apache Tomcat 8.5 still supported?

Apache Tomcat 8.5 reached its community EOL in March 2024. OSSeva provides extended security patching for Tomcat 8.5.x for teams running Java EE 7 workloads that cannot immediately migrate to Tomcat 9.0 or 10.1.

What .NET versions does OSSeva support?

.NET 6 reached Microsoft end-of-support in November 2024. .NET 7 reached EOL in May 2024. OSSeva delivers CVE patches for .NET 6 and .NET 7 for teams that have not yet migrated to .NET 8 (LTS, supported through November 2026).

Ready to get Node.js patched and supported?

Start with a 45-minute discovery call. We confirm your version coverage, scope the engagement, and have you onboarded within your first quarter.

Book Node.js Discovery