• Global community
    • Language:
      • Deutsch
      • English
      • Español
      • Français
      • Português
  • 日本語コミュニティ
    Dedicated community for Japanese speakers
  • 한국 커뮤니티
    Dedicated community for Korean speakers
Exit
0

node.exe and node.js flagged as unsecure

Community Beginner ,
Aug 05, 2015 Aug 05, 2015

Copy link to clipboard

Copied

The files node.exe and node.js are installed as part of the Photoshop CC suite as part of the Creative Cloud component.

The version of node.exe currently installed is 0.10.36.0. According to Secunia PSI, the file is located at:

     C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCLibrary\libs\node.exe

Secunia PSI flags this version of node.exe as not secure and vulnerable to malware, and advises me to install version 0.10.40, which I believe is the latest available (and secure) version. My copy of Photoshop CC was recently updated to version 2015.0.1. I was hoping that the secure version of node.exe might have been included in the updated, but the old unsecure version is still there.

I don't want to manually update any module that's part of a larger installation, out of a concern that it could "break" something else. However, I currently have to set Secunia PSI to Ignore this program to avoid repeated warnings about it.

Are there any plans to update the Photoshop CC installation to incorporate the secure (0.10.40) version of node.exe?

--Larry

Views

10.8K

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Adobe
Adobe Employee ,
Aug 20, 2015 Aug 20, 2015

Copy link to clipboard

Copied

Hi Larry,

Thanks for reporting this issue. We will update it inside Photoshop in our next update. The CC Libraries team has also been notified.

Thanks,

Jeff

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Explorer ,
Feb 13, 2017 Feb 13, 2017

Copy link to clipboard

Copied

This continues to be a problem. The node.js versions included with new Creative Cloud updates are never secure as detected by Secunia PSI.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
Jun 15, 2018 Jun 15, 2018

Copy link to clipboard

Copied

Same problem here. Node libraries are still in vulnerable versions.

I suggest to disable all node occourencies until Adobe secure it in next updates (still affected in may 2018 updates of Photoshop, Cloud Desktop and Dreamweaver), by renaming files.
The "export as" function has gone in Photoshop, but everything seems to work ... also it works better and faster without useless node libraries.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Aug 14, 2021 Aug 14, 2021

Copy link to clipboard

Copied

and again a problem in 2021.

An exploitable outdated version.

please fix it again

 

 

 

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Jan 23, 2023 Jan 23, 2023

Copy link to clipboard

Copied

Node.js needs another update in Photoshop 2023 24.1.1.238. Please provide guidance on resolving CVE-2022-32223.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Jan 23, 2023 Jan 23, 2023

Copy link to clipboard

Copied

@Burke IT Staff 

 

these are user forums. please clarify your post.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Feb 02, 2023 Feb 02, 2023

Copy link to clipboard

Copied

My apologies for not being more clear. The version of Node.js that comes with the latest version of Adobe Photoshop has security vulnerabilities and needs to be patched, which is the subject of this forum post. Users can be directly impacted by threat actors exploiting CVE-2022-32223. Is there another place I should post this concern? If so, should this entire thread be moved to a different location?

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
LEGEND ,
Feb 02, 2023 Feb 02, 2023

Copy link to clipboard

Copied

Instead of fearmongering, why don't you contact the Adobe Security Team? The version of node that is bundled with Adobe products may or may not be vulnerable, there could be modifications that mitigate any attack. None of us has enough information to determine whether an update is required (unless you have a CVE number or statement from Adobe saying that their version is affected.)

https://helpx.adobe.com/security/alertus.html

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
Feb 03, 2023 Feb 03, 2023

Copy link to clipboard

Copied

That is not fearmongering. Burke has a legitimate question and this is not a new vulnerability. Considering this situation has not improved in eight years, a valid reason to bring it up.

The root issue is (as indicated before) Adobe releases have already-outdated versions of software, and it is not patching it on time.

 

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Feb 03, 2023 Feb 03, 2023

Copy link to clipboard

Copied

I have brought this up with the Adobe security team. Unfortunately, I get a standard "thank you for bringing this to our attention" response. I'm sorry you think that I'm fearmongering. I'm just doing my job.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
LEGEND ,
Feb 03, 2023 Feb 03, 2023

Copy link to clipboard

Copied

Adobe has no interest in keeping background software current... apart from the skill | time needed it would make installing on old systems harder

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
Feb 03, 2023 Feb 03, 2023

Copy link to clipboard

Copied

LATEST
100% with you, and it is shameful.
I hope someone from Adobe reads this, but I won't hold my breath

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
Sep 24, 2015 Sep 24, 2015

Copy link to clipboard

Copied

My Creative Cloud applications were updated this morning, and I see that node.js has been updated to version 0.10.40.0. I and Secunia PSI are happy campers.

Thank you!

--Larry

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
Apr 13, 2016 Apr 13, 2016

Copy link to clipboard

Copied

With the most recent update of the Creative Cloud component, Secunia PSI is once again glowing red and indicating that the installed version of node.js is out-of-date, unsecure, and vulnerable to malware. The version just installed was 4.3.0.0; the secure version is 4.4.2 or later.

Please notify your programmers of this, and ask them to make sure they keep up with the newest and safest versions of the components they use!

I'm looking forward to making Secunia PSI happy and my PC safe again.

--Larry

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Apr 17, 2016 Apr 17, 2016

Copy link to clipboard

Copied

I second the request to have "Creative Cloud" update node.js - MY Secunia is glowing red, also 🙂

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Apr 20, 2016 Apr 20, 2016

Copy link to clipboard

Copied

Node.Js version 4.3.0.0 that came with the latest CC released was released early February. You should use the latest release or let us update node.js separately to avoid vulnerabilities.

Maybe Adobe should have a word with the guys at Secunia....

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Explorer ,
Apr 21, 2016 Apr 21, 2016

Copy link to clipboard

Copied

I have this issue as well (Node.js version 4.3.0.0 installed by CC is flagged as insecure by Secunia).

Two (sets of) questions:

  1. Has anyone tried updating this copy of node.js independently of the CC update? If so, how did you do the update and did it cause any issues with CC?
  2. What processes associated with CC use node.js? It appears to be Photoshop related; if I don't have Photoshop CC, could I just remove the node.exe? If node.js is only used for a CC product I don't have installed, why is it installed along with CC?

Thanks for any insights . . .

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Aug 16, 2016 Aug 16, 2016

Copy link to clipboard

Copied

I am showing an installed version of 4.4.3 and getting a message that it is insecure.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Aug 19, 2016 Aug 19, 2016

Copy link to clipboard

Copied

Like Douglas I would be happy if I could get rid of the node.js Server.

It's always using around 20% CPU on my notebook, so the fan is always running on a higher/louder level. Even if I don't use any Adobe app. It's pretty annoying.

If I kill it in task manager it will start up again soon after. Even if the Creative Cloud App is not running.

What is it used for?

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines