Security Risk - Outdated Node.js Version (18.0.0)

[kristiyan-velkov]

Is this a docs issue?

• My issue is about the documentation content or website

Type of issue

Other

Description

The project is currently using Node.js 18.0.0, which has multiple known security vulnerabilities and is not an LTS release.

Since its release on April 19, 2022, several security patches have been issued. Running an outdated version exposes the application to potential attacks.

Security Risks

1. CVE-2022-32212 - HTTP Request Smuggling

• The llhttp parser did not properly delimit HTTP requests, making it susceptible to smuggling attacks.
• Fixed in Node.js 18.5.0

2. Improper Certificate Validation

• Weak certificate validation could allow man-in-the-middle (MITM) attacks.
• Fixed in Node.js 18.16.1

3. Access Restriction Bypass

• Arbitrary code execution vulnerability due to improper validation of data: URLs.
• Fixed in Node.js 18.17.1

4. Use-After-Free Vulnerability

• Improper memory handling leading to potential remote code execution.
• Fixed in Node.js 18.14.1

Location

https://docs.docker.com/guides/nodejs/develop/

Suggestion

Upgrade Node.js to the latest LTS release (Node.js 22.14.0 or later)

ARG NODE_VERSION=22.14.0-alpine