Node.js and OpenSSL vulnerability

From mlettau, Oct 2024:

It appears that the EPIC system includes OpenSSL. However, when I search through the Firmware 4 release notes I don’t see it. I included nodered because the OpenCVE database includes CVE-2023-46809. Can someone elaborate on how OpenSSL is included in the firmware and whether the cited vulnerability is an issue for the EPIC system?

That particular CVE was fixed in Node.js in version 20.11.1. It’s part of a large collection of potential issues collectively called the Marvin Attack; the OpenSSL-specific portion was fixed in version 3.0.8. As of GRV-EPIC firmware version 4.0.1, we’re shipping OpenSSL version 3.0.14.
