P: Photoshop 2021 ships with an end of support version of NodeJS

I contacted online support and also tried ringing the helpline (ADB-20908315-W7H4 ) and was advised to post in here as I'm getting no joy online and this appears to be an issue that dates back some years.

I work in Cyber Security and have been tasked with ensuring all apps and programs installed on prem pass Microsoft's ATP

We have multiple installations of Photoshop which are fine, but there is a module attached (Node.Exe) which in installed in the (C:\Program Files\Adobe\Adobe Photoshop 2021) location which is flagged as an outdated version and fails several CVE's (CVE-2018-12121 Detail) is an example of the vulnerabilities of this version of Node.Exe.

Is there scope to update this to a supported version of NodeJs? Is this a false reading and have you worked with other security providers to negate the readings? Can I replace this exe with the latest version by pushing 14.6 over the top of the 8.1.1 installed in this location and will that have any adverse effects?

Or am I missing something really basic to update the Node that lives inside the Adobe folder?

The version of Photoshop is the latest version (22.5.0) and it will be in a Windows 10 platform

The version of Node.Exe you install is 8.1.1.4.0 dated 15/08/2018 06:37

Thanks in advance

I'm not sure I see the relevance, given that these functions are primarily used by scripts. That, however, would also likely prevent it from simply replacing it. When functions have changed, the scripts would no longer work or at least behave differently. Point in case: There's most definitely a specific reason Adobe are hanging on to this, be it just for legacy compatibility. If you're really concerned it may be simpler to just blacklist it, possibly at the cost of some stuff not working in PS. It's one of those things where you are caught between fire and flood and neither option is perfect.

Mylenium

The thing is, Adobe's node.js is set up so only Adobe's local apps can use it. So most of the vultnerabilities don't apply, because they are about attackers connecting to a web server where node.js is running. Like the one you mention "Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Denial of Service with large HTTP headers: By using a combination of many requests with maximum sized headers (almost 80 KB per connection), and carefully timed completion of the headers, it is possible to cause the HTTP server to abort from heap allocation failure. Attack potential is mitigated by the use of a load balancer or other proxy layer." I imagine Adobe look at each vulnerability report and decide if it is relevant in their bundled case. (I am just guessing though, and Adobe for sure won't say).

There is a security vulnerability with the node.exe application found under:

C:\Program Files\Adobe\Adobe Photoshop 2021\node.exe

The Nodejs version installed with photoshop has reached end of support (version 8.11.4.0). Will this be updated as part of the Adobe Photoshop 2021 application so that there is not a vulnerability anymore?

Please see the below message from Windows Defender indicating that the product version has reached end up support

We also see this security vulnerability for nodejs.

Engineering is working on an update for Photoshop and Nodejs.

Hi all,

We're happy to announce the MAX 2021 release of Photoshop 23.0. This update includes the fix for this issue. To see the list of all fixed issues, click here

To update Photoshop to 23.0, click "Update" in the Creative Cloud desktop app next to Photoshop. More detailed instructions for updating

Let us know if the update resolves the problem for those affected and share your feedback with us.

Thanks,

Mohit