All EOL Alerts CVE Watch Migration Guides Tool Obituaries Deprecation Cloud EOL AI & MLOps Abandonware
Home EOL Alerts Node.js 25 Is EOL: June 1, 2026 – Your Containers and CI Pipelines Are Running an Unpatched Runtime Right Now
🔴 CRITICAL 🔴 EOL Alerts EOL: 2026-06-01

Node.js 25 Is EOL: June 1, 2026 – Your Containers and CI Pipelines Are Running an Unpatched Runtime Right Now

Node.js 25 reached end of life on June 1, 2026. It was never an LTS release. If it’s in your containers, CI pipelines, or Lambda layers, it is now permanently unpatched and you may not know it’s there.

EOL Date: 2026-06-01 · Affected: 25.x · Security patches stop permanently at this date.
Decaying Node.js 25 runtime sphere fragmenting in dark space, red EOL status in JetBrains Mono | EOLRadar

You are probably running Node.js 25 somewhere in your stack without realising it. It reached end of life on June 1, 2026. As a short-lived odd-numbered Current release, Node.js 25 hides in base images pulled during rapid feature cycles, in developer-authored Dockerfiles that never got pinned to an LTS tag, and in CI pipelines where someone reached for “latest” six months ago. No further security patches will be issued for Node.js 25.x under any circumstances, the release window is closed permanently.

⚠️ Node.js 25 EOL passed on June 1, 2026. No CVE patches, no backports, no exceptions. Any workload still running 25.x is permanently exposed from this date forward.


What Node.js 25 EOL Actually Means

Node.js 25 was a Current release, not an LTS release. That distinction matters operationally: it received active support for approximately six months from its release date, with no Long Term Support window following it. When a Current release hits its EOL date, the cutoff is absolute, there is no commercial extended support tier, no paid patch option from the Node.js project, and no grace period.

PhaseDatesWhat Changes
Current (Active)~October 2025 – April 2026Full patch coverage, CVE response, semver-minor features
MaintenanceApril 2026 – June 1, 2026Security and critical bug fixes only
End of LifeJune 1, 2026 →Zero patches. No CVE response. No backports.

Source: Node.js Release Schedule — https://nodejs.org/en/about/releases/

“Still runs” and “permanently unpatched” are not the same operational state. Node.js 25.x will continue executing your workloads without complaint. The runtime does not self-destruct at EOL. What ends is the security response cycle: any vulnerability discovered in the V8 engine, libuv, the http module, or any bundled dependency from June 1, 2026 onward will not receive a patch targeting Node.js 25. That exposure accumulates silently until something exploits it.

Post-EOL CVE status: No CVEs have been publicly disclosed against Node.js 25 specifically for the post-EOL window as of June 2026. This does not mean no vulnerabilities exist, it means none have been documented yet. The V8 engine and libuv receive vulnerability disclosures on an ongoing basis; without an active release line, those disclosures simply will not produce a 25.x patch.

Source: Node.js Security Policy — https://github.com/nodejs/node/blob/main/SECURITY.md


Node.js 25 Is Hiding in Your Stack — Where to Find It

The highest-risk vector for Node.js 25 is not deliberate adoption, it is drift. Engineers who wanted the latest V8 features or ESM improvements pulled 25.x during its active window and never revisited the base image tag.

Docker and Container Images

Scan your running containers and local images first.

# Find all running containers using Node.js 25.x
docker ps -q | xargs -I {} docker exec {} node --version 2>/dev/null | grep "^v25\."

# Scan all local images for node:25 references
docker images --format "{{.Repository}}:{{.Tag}}" | grep "node:25"

# Broader scan — catch unpinned or aliased tags
docker images --format "{{.Repository}}:{{.Tag}}" | grep -E "node:(25|current|latest)"
# Scan Dockerfiles recursively in your repo tree
grep -r "FROM node:25" . --include="Dockerfile*"
grep -r "FROM node:current" . --include="Dockerfile*"
grep -r "node:latest" . --include="Dockerfile*"

The node:current and node:latest tags on Docker Hub are the primary drift vectors. At time of Node.js 25’s active window, node:current resolved to 25.x. Any image built without a pinned digest during that period may still be running 25.x in production.

Source: Docker Hub Node.js official image — https://hub.docker.com/_/node

CI/CD Pipelines

Node version declarations in pipeline config are frequently set once and forgotten.

# GitHub Actions — scan workflow files
grep -r "node-version" .github/workflows/ | grep "25"

# Also catch unpinned "current" or "latest" node version references
grep -r "node-version" .github/workflows/ | grep -E "(current|latest)"
# Example of the drift pattern to find and replace
# BEFORE — what you may have in .github/workflows/ci.yml
- uses: actions/setup-node@v4
  with:
    node-version: '25'          # ← EOL as of 2026-06-01

# AFTER — pin to active LTS
- uses: actions/setup-node@v4
  with:
    node-version: '22'          # Node.js 22 LTS (Jod)
# GitLab CI — scan for node image references
grep -r "image: node" .gitlab-ci.yml
grep -r "node:25" . --include="*.yml" --include="*.yaml"

# Jenkins — scan Jenkinsfiles
grep -r "nodejs" Jenkinsfile* 2>/dev/null
grep -r "tool.*node" Jenkinsfile* 2>/dev/null

.nvmrc and .node-version Files

These are the quietest drift vectors — set by a developer, committed, and never revisited.

# Find all .nvmrc files pinned to 25
find . -name ".nvmrc" -exec grep -l "25" {} \;
find . -name ".node-version" -exec grep -l "25" {} \;

# Check package.json engines field
cat package.json | jq '.engines.node'
# If you're using Volta
cat package.json | jq '.volta.node'

Lambda and Serverless Runtimes

AWS Lambda does not offer a Node.js 25 managed runtime, AWS Lambda runtime support tracks LTS releases only. If you deployed a custom runtime or container image using Node.js 25, the Lambda container image scan path applies.

[INTERNAL LINK: /aws-lambda-nodejs-runtime-eol/]

# AWS CLI — list Lambda functions and their runtimes
aws lambda list-functions \
  --query "Functions[*].[FunctionName,Runtime]" \
  --output table | grep nodejs

# For container-image Lambda functions, the runtime is in the image —
# use the Docker scan commands above against your ECR repositories
aws ecr describe-images \
  --repository-name your-repo \
  --query "imageDetails[*].imageTags"

Node.js Release Lifecycle — Where 25 Fits

Understanding the odd/even cadence prevents this problem recurring.

ReleaseTypeLTS StartEOL
Node.js 20 (Iron)LTSOctober 2023 April 30, 2026
Node.js 21CurrentOctober 2023 June 1, 2024
Node.js 22 (Jod)LTSOctober 2025April 30, 2027
Node.js 23CurrentOctober 2024June 1, 2025
Node.js 24 (Krypton)LTSOctober 2025April 30, 2028
Node.js 25Current ~October 2025June 1, 2026

Source: Node.js Release Schedule — https://nodejs.org/en/about/releases/

Node.js 25 followed the standard Current release pattern: approximately 6 months of active support, no LTS promotion, hard EOL at the 6-month mark. This is not an anomaly, it is how every odd-numbered Node.js release works. Node.js 21, 23, and 25 all had identical lifecycle shapes. If you adopted Node.js 25 for its V8 features or experimental ESM improvements, the migration path is to Node.js 24, which entered LTS in October 2025 and carries those same features forward with a supported lifecycle through April 2028.

⚠️ Node.js 20 (Iron) also reached EOL on April 30, 2026 — 32 days before Node.js 25. If you are auditing for 25.x, run the same scans for 20.x simultaneously. Read it here – https://eolradar.com/node-js-20-end-of-life-2026/


Migration Path — Node.js 25 to Node.js 24 LTS

Target: Node.js 24 (Krypton). Node.js 24 entered LTS in October 2025 and is supported through April 30, 2028. It carries the same V8 engine improvements and ESM stability work that made Node.js 25 attractive during its active window.

Breaking Changes to Verify

[VERIFY: Pull the official Node.js 25 → 24 migration notes from https://github.com/nodejs/node/blob/main/doc/changelogs/ and confirm the following table entries against the actual release changelog before publishing.]

AreaChangeMigration Action
V8 engineConfirm V8 version delta between 25.x and 24.xTest against your V8-dependent native addons
--experimental-* flagsFlags promoted or removed between releasesAudit startup scripts and package.json scripts
npm bundled versionnpm version shipped with 25 vs 24 may differRun npm --version after upgrade; check lockfile compatibility
Native addons (N-API) N-API version support — confirm node-pre-gyp rebuilds npm rebuild after version switch

Source: Node.js Changelog — https://github.com/nodejs/node/blob/main/CHANGELOG.md

Dockerfile Migration

# BEFORE — Node.js 25 (EOL June 1, 2026)
FROM node:25-alpine
WORKDIR /app
COPY package*.json ./
RUN npm ci --only=production
COPY . .
CMD ["node", "server.js"]
# AFTER — Node.js 24 LTS (Krypton, EOL April 30, 2028)
FROM node:24-alpine
WORKDIR /app
COPY package*.json ./
RUN npm ci --only=production
COPY . .
CMD ["node", "server.js"]

Pin to a digest for production images — the tag node:24-alpine will advance as patch releases land:

# Get the current digest for node:24-alpine to pin in production
docker pull node:24-alpine
docker inspect node:24-alpine --format='{{index .RepoDigests 0}}'
# Production-grade pinned form
FROM node:24-alpine@sha256:<digest-from-above>

Local Validation Before Promoting

# Switch with nvm
nvm install 24
nvm use 24
node --version   # Confirm v24.x.x

# Run your test suite against 24 before touching CI
npm ci
npm test

# Check for deprecation warnings emitted at startup
node --pending-deprecation server.js 2>&1 | grep -i deprecat

# Rebuild native addons
npm rebuild

# Verify no engines field blocking upgrade
node -e "const p = require('./package.json'); console.log(p.engines)"
# .nvmrc update
echo "24" > .nvmrc

# Volta pin
volta pin node@24

Compliance Implications

Running an EOL runtime is a documented compliance risk under SOC 2 Type II, PCI-DSS 4.0, and ISO 27001:2022. Each framework approaches it differently, but the underlying requirement is consistent: systems processing or transmitting in-scope data must run software that receives security updates.

FrameworkRelevant ControlWhat Auditors Check
SOC 2 Type IICC7.1 — Detection and MonitoringEvidence of patch management process; EOL software flags as gap
PCI-DSS 4.0Req 6.3.3 — Security patchesAll software must be protected from known vulnerabilities; EOL fails this by definition
ISO 27001:2022A.8.8 — Management of technical vulnerabilitiesRegister of software versions; EOL software requires documented compensating control or remediation

Source: PCI Security Standards Council — https://www.pcisecuritystandards.org/document_library/
Source: ISO/IEC 27001:2022 — https://www.iso.org/standard/27001

The documentation requirement for auditors has three acceptable paths:

  1. Migration: documented evidence of upgrade to a supported runtime (preferred path)
  2. Risk acceptance: signed-off risk register entry with compensating controls documented (WAF rules, network isolation, enhanced monitoring), acceptable for short windows, not indefinitely
  3. Commercial extended support: Node.js has no commercial extended support tier from the core project; if your vendor provides this (e.g., via an enterprise Node.js distribution), that contract must be current and documented

The risk acceptance path has a practical shelf life. Auditors accept it for 30–90 days with evidence of active migration work. After that window, unpatched EOL software with no migration plan is a finding, not a compensating control.


FAQ

When did Node.js 25 reach end of life?

Node.js 25 reached end of life on June 1, 2026. It was a short-lived Current release, odd-numbered Node.js releases receive approximately six months of active support with no LTS promotion. The EOL date is fixed and no extensions are available – Source: https://nodejs.org/en/about/releases/

What happens to workloads running Node.js 25 after June 1, 2026?

They continue running, the runtime does not fail at EOL. What stops is the security patch cycle. Any CVE disclosed against the V8 engine, libuv, or Node.js core modules after June 1, 2026 will not produce a 25.x patch. Your workload accumulates unpatched exposure until you migrate or decommission it.

How do I find Node.js 25 in my container images?

Run docker ps -q | xargs -I {} docker exec {} node --version 2>/dev/null | grep "^v25\." against running containers. For images, use docker images --format "{{.Repository}}:{{.Tag}}" | grep "node:25". Also scan Dockerfiles recursively: grep -r "FROM node:25" . --include="Dockerfile*".

Which version should I migrate to from Node.js 25?

Migrate to Node.js 24 (Krypton), which entered LTS in October 2025 and is supported through April 30, 2028. It carries the same V8 and ESM improvements present in Node.js 25. Do not migrate to Node.js 22 unless your codebase has compatibility constraints, Node.js 22 is also LTS but Node.js 24 is the current active LTS line.

Is Node.js 25 still safe to run after June 1, 2026?

No. “Safe” is a function of patch coverage, not runtime stability. Node.js 25 runs without errors after EOL, but any vulnerability discovered from June 1, 2026 onward will not be patched. In PCI-DSS and SOC 2 contexts, running it on in-scope infrastructure is a compliance gap from day one of EOL.

Did AWS Lambda support Node.js 25?

No. AWS Lambda managed runtimes track Node.js LTS releases only. Node.js 25 was never an available Lambda managed runtime. If you deployed a Lambda container image using a Node.js 25 base image, that container image is now running an EOL runtime and the Lambda managed runtime deprecation timeline does not apply, your container image migration is your responsibility. Source: AWS Lambda Runtimes — https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html


The Deadline That Already Passed — Act in the Next Sprint

Node.js 25 EOL is not upcoming, it passed on June 1, 2026. Every day your 25.x workloads run from this point, they accumulate unpatched exposure against a closed release line. The migration to Node.js 24 LTS is not architecturally complex, it is a base image swap, a .nvmrc update, and a test pass. The risk is in not knowing you have it.

  • [ ] Run Docker container scan: docker ps -q | xargs -I {} docker exec {} node --version 2>/dev/null | grep "^v25\."
  • [ ] Scan all Dockerfiles: grep -r "FROM node:25" . --include="Dockerfile*"
  • [ ] Scan CI pipeline configs for node-version: '25' or node:25 image references
  • [ ] Find all .nvmrc and .node-version files pinned to 25
  • [ ] Check package.json engines and volta fields
  • [ ] Scan ECR / container registry for images built from node:25 or node:current
  • [ ] Update base images to node:24-alpine or node:24-bookworm-slim
  • [ ] Run npm rebuild for native addon dependencies after version switch
  • [ ] Execute full test suite against Node.js 24 before promoting to production
  • [ ] Update .nvmrc to 24 and commit
  • [ ] Update CI matrix to remove Node.js 25, add Node.js 24
  • [ ] Add a compliance note to your risk register documenting the migration completion date
  • [ ] While you’re here: run the same scans for Node.js 20.x — it EOL’d April 30, 2026 [INTERNAL LINK: /node-js-20-end-of-life-2026/]

Get notified before the next EOL deadline hits your stack. The Deprecation Digest covers upcoming EOL dates, CVE intersections, and migration guides — every Tuesday. Subscribe free →


Sources and Citations

Node.js Release Schedule (official lifecycle dates, phase definitions): https://nodejs.org/en/about/releases/

Node.js Security Policy (patch scope, EOL patch commitment): https://github.com/nodejs/node/blob/main/SECURITY.md

Node.js Changelog (version-by-version release notes and breaking changes): https://github.com/nodejs/node/blob/main/CHANGELOG.md

Docker Hub — Official Node.js Image (tag behaviour, current and latest resolution): https://hub.docker.com/_/node

AWS Lambda Runtimes (supported Node.js runtime versions): https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html

endoflife.date — Node.js (machine-readable EOL dates for all active and EOL versions): https://endoflife.date/nodejs

PCI Security Standards Council — PCI-DSS 4.0 Document Library: https://www.pcisecuritystandards.org/document_library/

ISO/IEC 27001:2022 — Information Security Management: https://www.iso.org/standard/27001

Tags: container-runtime-eol current-release-eol eol-2026 javascript-runtime node-js-25 node-js-eol node-js-migration npm-runtime odd-numbered-release
The Deprecation Digest

Never miss an EOL deadline

Weekly: 1 urgent EOL alert · CVE Watch · migration spotlight.
Every Tuesday. Free forever. No spam.

By subscribing you agree to receive The Deprecation Digest. Privacy Policy.

No spam · Unsubscribe anytime

🔔 Watch these tools

Get notified when we publish migration guides, CVE alerts, or EOL deadlines for the tools you run.

By submitting you agree to receive EOL alerts for selected tools. Privacy Policy.