Chromium CVEs in nodejs 20.x series

[HarinadhD]

Hi,
Nodejs 20.18.1(20.x series) using V8(chromium) version 11.3.244.8, Which is vulnerable to below list of CVEs.
CVE List :
CVE : https://nvd.nist.gov/vuln/detail/CVE-2024-4949 CVSS score : 9.6
CVE : https://nvd.nist.gov/vuln/detail/CVE-2024-7024 CVSS score : 9.3
CVE : https://nvd.nist.gov/vuln/detail/CVE-2023-3079 CVSS score : 8.8
CVE : https://nvd.nist.gov/vuln/detail/CVE-2023-3216 CVSS score : 8.8
CVE : https://nvd.nist.gov/vuln/detail/CVE-2023-3420 CVSS score : 8.8
CVE : https://nvd.nist.gov/vuln/detail/CVE-2023-2724 CVSS score : 8.8
CVE : https://nvd.nist.gov/vuln/detail/CVE-2023-4352 CVSS score : 8.8
CVE : https://nvd.nist.gov/vuln/detail/CVE-2023-4355 CVSS score : 8.8
CVE : https://nvd.nist.gov/vuln/detail/CVE-2023-4762 CVSS score : 8.8
CVE : https://nvd.nist.gov/vuln/detail/CVE-2023-6702 CVSS score : 8.8
CVE : https://nvd.nist.gov/vuln/detail/CVE-2024-1939 CVSS score : 8.8
CVE : https://nvd.nist.gov/vuln/detail/CVE-2024-2625 CVSS score : 8.8
CVE : https://nvd.nist.gov/vuln/detail/CVE-2024-3156 CVSS score : 8.8
CVE : https://nvd.nist.gov/vuln/detail/CVE-2024-4761 CVSS score : 8.8
CVE : https://nvd.nist.gov/vuln/detail/CVE-2024-4947 CVSS score : 8.8
CVE : https://nvd.nist.gov/vuln/detail/CVE-2024-5158 CVSS score : 8.8
CVE : https://nvd.nist.gov/vuln/detail/CVE-2024-5274 CVSS score : 8.8
CVE : https://nvd.nist.gov/vuln/detail/CVE-2024-5833 CVSS score : 8.8
CVE : https://nvd.nist.gov/vuln/detail/CVE-2024-8905 CVSS score : 8.8
CVE : https://nvd.nist.gov/vuln/detail/CVE-2024-9121 CVSS score : 8.8
CVE : https://nvd.nist.gov/vuln/detail/CVE-2024-9122 CVSS score : 8.8
CVE : https://nvd.nist.gov/vuln/detail/CVE-2024-7022 CVSS score : 8.8
CVE : https://nvd.nist.gov/vuln/detail/CVE-2024-8904 CVSS score : 8.8
CVE : https://nvd.nist.gov/vuln/detail/CVE-2024-8638 CVSS score : 8.8
CVE : https://nvd.nist.gov/vuln/detail/CVE-2024-7970 CVSS score : 8.8
CVE : https://nvd.nist.gov/vuln/detail/CVE-2024-8194 CVSS score : 8.8
CVE : https://nvd.nist.gov/vuln/detail/CVE-2024-7965 CVSS score : 8.8
CVE : https://nvd.nist.gov/vuln/detail/CVE-2024-7971 CVSS score : 8.8
CVE : https://nvd.nist.gov/vuln/detail/CVE-2024-7969 CVSS score : 8.8
CVE : https://nvd.nist.gov/vuln/detail/CVE-2024-7535 CVSS score : 8.8
CVE : https://nvd.nist.gov/vuln/detail/CVE-2024-7550 CVSS score : 8.8
CVE : https://nvd.nist.gov/vuln/detail/CVE-2024-6779 CVSS score : 8.8
CVE : https://nvd.nist.gov/vuln/detail/CVE-2024-6772 CVSS score : 8.8
CVE : https://nvd.nist.gov/vuln/detail/CVE-2024-6773 CVSS score : 8.8
CVE : https://nvd.nist.gov/vuln/detail/CVE-2024-3168 CVSS score : 8.8
CVE : https://nvd.nist.gov/vuln/detail/CVE-2024-5838 CVSS score : 8.8
CVE : https://nvd.nist.gov/vuln/detail/CVE-2024-5830 CVSS score : 8.8
CVE : https://nvd.nist.gov/vuln/detail/CVE-2024-5837 CVSS score : 8.8
CVE : https://nvd.nist.gov/vuln/detail/CVE-2024-5841 CVSS score : 8.8
CVE : https://nvd.nist.gov/vuln/detail/CVE-2024-3159 CVSS score : 8.8
CVE : https://nvd.nist.gov/vuln/detail/CVE-2024-2887 CVSS score : 8.1

CVE-2024-0517 fixed in chromium version 120.0.6099.224 .

https://nvd.nist.gov/vuln/detail/cve-2024-2887.
Fix : Check for type-definition count limit : https://chromium-review.googlesource.com/c/v8/v8/+/5378419/2/src/wasm/module-decoder-impl.h#664 - seems to be addressed in nodejs 22.x series.

Not addressing chromium (V8) CVEs has any impact for nodejs ?
If there is any impact, why it is not addressed yet in nodejs LTS version 20.18.1 ?

Thanks,
Harinadh D

[sshedi]

Hi @jdalton and @rubys any inputs on the above query? Tagging you directly for your attention cause the query shows CVEs are scored high.

[mhdawson]

@HarinadhD a bunch of these have already been asked about/answered in https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues. Can you go through both open/closed issues to cross check against your list.