Node.js security risk - anyone know a fix?

Report · May 27, 2018

I ran a vulnerability scan with Kaspersky Internet Security and it says there are multiple vulnerabilities in node.js and the severity is high Kaspersky Threats — KLA11231

The version Adobe CC is using is very outdated at version 6.9.2.0 considering the latest version is 10.2.1.

I have downloaded the latest version but when you install it, it's placed in the program files directory. To try and get round this, in Adobe's installation folder, I replaced the 3 instances of 'node.exe' with the new version. Unfortunately, I don't believe this worked as I no longer see node.js running in task manager when I restart my PC.

I'd prefer to keep CC installed but considering the severity of cyber attacks that have been in the news over the past year, I'll have to uninstall it if no one knows of a fix. Any help would be much appreciated.

Report · May 29, 2018

Michelleh96024108, which specific Adobe product or service is your inquiry in relation too? What version of Adobe software do you currently have installed? What operating system are you installing the Adobe software on?

Report · May 29, 2018

It's in relation to Adobe Creative Cloud. The desktop application for it states it is the latest version. I am running Windows 10 Pro 64-bit, which is also fully up-to-date. The 3 locations of the application Node.js: Server-side JavaScript (which is the bit that is out-of-date and I want to update) are:

C:\Program Files (x86)\Adobe\Adobe Creative Cloud Experience\libs\node.exe

C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCXProcess\libs\node.exe

C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCLibrary\libs\node.exe

Report · May 29, 2018

Ok, thanks for the update and feedback, Michelleh96024108. I would recommend you keep your local security software up to date to prevent any security concerns.

To keep up to date on the latest updates implemented to the Adobe Creative Cloud desktop application see Release notes for the Adobe Creative Cloud desktop app .

Report · May 31, 2018

Thank you for trying to help. My security software is up-to-date and working properly. A 'vulnerability' scan is different to a virus/malware scan; so node.exe isn't anything malicious or a false positive. It means it is known to be vulnerable to be exploited by hackers. It's a 3rd-party javascript that Adobe use and the creators of it issued a security update 2 months ago, on 28th March. Searching through these forums this issue has come up a few times throughout the years, usually spotted by people running Secunia PSI. Perhaps because this software is discontinued maybe why the issue has gone unnoticed.

Unfortunately I'll have to wait for adobe's security team to patch this if there's no solution that can be implemented at the user's end so in the mean time I will keep an eye out in the release notes as you suggested. Thanks again.

Node.js security risk - anyone know a fix?

1 Correct answer