Saturday, 17 December, 2022 UTC


The vulnerability in the OpenSSL Security Advisory of Dec 13 2022 does not affect any active Node.js release line.
Our assessment of the security advisory is:

X.509 Policy Constraints Double Locking (CVE-2022-3996)

Node.js doesn't call OpenSSL as a separate process (so the -policy flag does not apply), nor does it call the functions X509_VERIFY_PARAM_add0_policy() and X509_VERIFY_PARAM_set1_policies(). Therefore, Node.js is not affected by this vulnerability.

Contact and future updates

The current Node.js security policy can be found at, including information on how to report a vulnerability in Node.js.
Subscribe to the low-volume announcement-only nodejs-sec mailing list at!forum/nodejs-sec to stay up to date on security vulnerabilities and security-related releases of Node.js and the projects maintained in the nodejs GitHub organization.