Version
v24.15.0
Platform
Linux, x86_64. Image: `node:24-alpine`, digest `sha256:d1b3b4da11eefd59...`, last pushed 2026-04-16, alpine 3.23 base.
Subsystem
deps / openssl
What steps will reproduce the bug?
-
docker pull node:24-alpine
-
docker run --rm node:24-alpine node -p "process.versions.openssl"
returns 3.5.5.
-
The OpenSSL 3.5.6 release notes
(https://github.com/openssl/openssl/releases/tag/openssl-3.5.6) list
the seven CVEs fixed in that release; v24.x ships 3.5.5 and is
therefore exposed:
-
Optional, end-to-end repro via Amazon Inspector using the public
aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1
action with artifact_type: container and artifact_path: node:24-alpine
reproduces all seven findings against pkg:generic/openssl/openssl@3.5.5
with Fixed Package: 3.5.6 and paths under
/usr/local/include/node/openssl/....
How often does it reproduce? Is there a required condition?
Reproducible against any v24.15.0 image.
What is the expected behavior? Why is that the expected behavior?
A v24.x patch release that bumps deps/openssl from 3.5.5 to 3.5.6,
clearing the seven CVEs.
OpenSSL 3.5.6
was published 2026-04-07 with fixes for the CVEs above. Node v24.15.0
was published 2026-04-15, eight days after the OpenSSL release, but
ships OpenSSL 3.5.5 — pinned at deps/openssl/openssl/VERSION.dat:
As of 2026-05-04, no newer 24.x release has shipped, leaving downstream
CVE-gating CI blocked on the bundled OpenSSL.
What do you see instead?
node -p "process.versions.openssl" returns 3.5.5 in the node:24-alpine container.
inspector_scan_25270031181.pdf
Additional information
gh pr list --repo nodejs/node --state open --search "openssl in:title"
on 2026-05-04 shows no open deps: upgrade openssl to 3.5.6 PR. If a
v24.x release with OpenSSL 3.5.6 is already on the security release
schedule, a pointer to the tracking issue would help.
Version
v24.15.0
Platform
Subsystem
deps / openssl
What steps will reproduce the bug?
docker pull node:24-alpinedocker run --rm node:24-alpine node -p "process.versions.openssl"returns
3.5.5.The OpenSSL 3.5.6 release notes
(https://github.com/openssl/openssl/releases/tag/openssl-3.5.6) list
the seven CVEs fixed in that release; v24.x ships 3.5.5 and is
therefore exposed:
Optional, end-to-end repro via Amazon Inspector using the public
aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1action with
artifact_type: containerandartifact_path: node:24-alpinereproduces all seven findings against
pkg:generic/openssl/openssl@3.5.5with
Fixed Package: 3.5.6and paths under/usr/local/include/node/openssl/....How often does it reproduce? Is there a required condition?
Reproducible against any v24.15.0 image.
What is the expected behavior? Why is that the expected behavior?
A v24.x patch release that bumps
deps/opensslfrom 3.5.5 to 3.5.6,clearing the seven CVEs.
OpenSSL 3.5.6
was published 2026-04-07 with fixes for the CVEs above. Node v24.15.0
was published 2026-04-15, eight days after the OpenSSL release, but
ships OpenSSL 3.5.5 — pinned at
deps/openssl/openssl/VERSION.dat:node/deps/openssl/openssl/VERSION.dat
Lines 1 to 3 in 8484306
As of 2026-05-04, no newer 24.x release has shipped, leaving downstream
CVE-gating CI blocked on the bundled OpenSSL.
What do you see instead?
node -p "process.versions.openssl"returns3.5.5in thenode:24-alpinecontainer.inspector_scan_25270031181.pdf
Additional information
gh pr list --repo nodejs/node --state open --search "openssl in:title"on 2026-05-04 shows no open
deps: upgrade openssl to 3.5.6PR. If av24.x release with OpenSSL 3.5.6 is already on the security release
schedule, a pointer to the tracking issue would help.