Skip to main content
F
FeedbackCommunityMember
Inspiring
June 4, 2021

P: Photoshop 2021 ships with an end of support version of NodeJS

  • June 4, 2021
  • 4 replies
  • 12819 views

Photoshop 2021 ships with an end of support version of NodeJS that is currently vulnerable to a number of vulnerabilities that will not be fixed. This then results in vulnerability warnings in Microsoft Defender and other vulnerability scanning tools.

C:\Program Files\Adobe\Adobe Photoshop 2021\node.exe: v8.11.1

 

I attempted to talk to both Adobe Customer Support and Security Operations about this, and this is my last resort.

For others experiencing the same problem, I am aware that the node.exe executable can be deleted, or even upgrade NodeJS in place - I did want to bring this to Adobe's notice just on the off chance they can rev Node in a future update.

    This topic has been closed for replies.

    4 replies

    Mohit Goyal
    Community Manager
    Mohit GoyalCommunity Manager
    Community Manager
    October 26, 2021

    Hi all,

     

    We're happy to announce the MAX 2021 release of Photoshop 23.0. This update includes the fix for this issue. To see the list of all fixed issues, click here

     

    To update Photoshop to 23.0, click "Update" in the Creative Cloud desktop app next to Photoshop. More detailed instructions for updating

     

    Let us know if the update resolves the problem for those affected and share your feedback with us.

     

    Thanks,

    Mohit

    J
    J453
    Legend
    October 21, 2021

    Engineering is working on an update for Photoshop and Nodejs.

    T
    taka5eb45
    Participant
    September 16, 2021

    There is a security vulnerability with the node.exe application found under:

    C:\Program Files\Adobe\Adobe Photoshop 2021\node.exe

    The Nodejs version installed with photoshop has reached end of support (version 8.11.4.0). Will this be updated as part of the Adobe Photoshop 2021 application so that there is not a vulnerability anymore?

     

    Please see the below message from Windows Defender indicating that the product version has reached end up support

     

     

      it i95923425
      it i95923425
      Participant
      October 21, 2021

      We also see this security vulnerability for nodejs.

      D
      defaultsf5de7mkuexn
      Participant
      September 2, 2021

      I contacted online support and also tried ringing the helpline (ADB-20908315-W7H4 ) and was advised to post in here as I'm getting no joy online and this appears to be an issue that dates back some years.

      I work in Cyber Security and have been tasked with ensuring all apps and programs installed on prem pass Microsoft's ATP

       

      We have multiple installations of Photoshop which are fine, but there is a module attached (Node.Exe) which in installed in the (C:\Program Files\Adobe\Adobe Photoshop 2021) location which is flagged as an outdated version and fails several CVE's (CVE-2018-12121 Detail) is an example of the vulnerabilities of this version of Node.Exe.

       

      Is there scope to update this to a supported version of NodeJs? Is this a false reading and have you worked with other security providers to negate the readings? Can I replace this exe with the latest version by pushing 14.6 over the top of the 8.1.1 installed in this location and will that have any adverse effects?

       

      Or am I missing something really basic to update the Node that lives inside the Adobe folder?

       

      The version of Photoshop is the latest version (22.5.0) and it will be in a Windows 10 platform

      The version of Node.Exe you install is 8.1.1.4.0 dated 15/08/2018 06:37

      Thanks in advance

       

      Mylenium
      Mylenium
      Legend
      September 2, 2021

      I'm not sure I see the relevance, given that these functions are primarily used by scripts. That, however, would also likely prevent it from simply replacing it. When functions have changed, the scripts would no longer work or at least behave differently. Point in case: There's most definitely a specific reason Adobe are hanging on to this, be it just for legacy compatibility. If you're really concerned it may be simpler to just blacklist it, possibly at the cost of some stuff not working in PS. It's one of those things where you are caught between fire and flood and neither option is perfect.

       

      Mylenium

      Terms & ConditionsAccessibility statement
      Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices