P: Photoshop 2021 ships with an end of support version of NodeJS

5 Votes
LEGEND, Jun 04, 2021


Photoshop 2021 ships with an end of support version of NodeJS that is currently vulnerable to a number of vulnerabilities that will not be fixed. This then results in vulnerability warnings in Microsoft Defender and other vulnerability scanning tools.

C:\Program Files\Adobe\Adobe Photoshop 2021\node.exe: v8.11.1

 

I attempted to talk to both Adobe Customer Support and Security Operations about this, and this is my last resort.

For others experiencing the same problem, I am aware that the node.exe executable can be deleted, or even upgrade NodeJS in place - I did want to bring this to Adobe's notice just on the off chance they can rev Node in a future update.

Bug Fixed
TOPICS
macOS, Windows


7 Comments
New Here, Sep 02, 2021


I contacted online support and also tried ringing the helpline (ADB-20908315-W7H4) and was advised to post in here as I'm getting no joy online and this appears to be an issue that dates back some years.

I work in Cyber Security and have been tasked with ensuring all apps and programs installed on prem pass Microsoft's ATP.

We have multiple installations of Photoshop which are fine, but there is a module attached (Node.Exe) which is installed in the (C:\Program Files\Adobe\Adobe Photoshop 2021) location which is flagged as an outdated version and fails several CVEs; (CVE-2018-12121 Detail) is an example of the vulnerabilities of this version of Node.Exe.

 

Is there scope to update this to a supported version of NodeJs? Is this a false reading and have you worked with other security providers to negate the readings? Can I replace this exe with the latest version by pushing 14.6 over the top of the 8.1.1 installed in this location and will that have any adverse effects?

 

Or am I missing something really basic to update the Node that lives inside the Adobe folder?

 

The version of Photoshop is the latest version (22.5.0) and it will be in a Windows 10 platform

The version of Node.Exe you install is 8.1.1.4.0 dated 15/08/2018 06:37

Thanks in advance

 

Adobe Community Professional, Sep 02, 2021


I'm not sure I see the relevance, given that these functions are primarily used by scripts. That, however, would also likely prevent it from simply replacing it. When functions have changed, the scripts would no longer work or at least behave differently. Point in case: There's most definitely a specific reason Adobe are hanging on to this, be it just for legacy compatibility. If you're really concerned it may be simpler to just blacklist it, possibly at the cost of some stuff not working in PS. It's one of those things where you are caught between fire and flood and neither option is perfect.

 

Mylenium

LEGEND, Sep 02, 2021


The thing is, Adobe's node.js is set up so only Adobe's local apps can use it. So most of the vulnerabilities don't apply, because they are about attackers connecting to a web server where node.js is running. Like the one you mention "Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Denial of Service with large HTTP headers: By using a combination of many requests with maximum sized headers (almost 80 KB per connection), and carefully timed completion of the headers, it is possible to cause the HTTP server to abort from heap allocation failure. Attack potential is mitigated by the use of a load balancer or other proxy layer." I imagine Adobe look at each vulnerability report and decide if it is relevant in their bundled case. (I am just guessing though, and Adobe for sure won't say).

New Here, Sep 16, 2021


There is a security vulnerability with the node.exe application found under:

C:\Program Files\Adobe\Adobe Photoshop 2021\node.exe

The Nodejs version installed with Photoshop has reached end of support (version 8.11.4.0). Will this be updated as part of the Adobe Photoshop 2021 application so that there is not a vulnerability anymore?

Please see the below message from Windows Defender indicating that the product version has reached end of support.

New Here, Oct 21, 2021


We also see this security vulnerability for nodejs.

Adobe Employee, Oct 21, 2021


Engineering is working on an update for Photoshop and Nodejs.


Senior Product Manager - Customer Advocacy - Digital Imaging
Bug Started

Adobe Employee, Oct 26, 2021


Hi all,

 

We're happy to announce the MAX 2021 release of Photoshop 23.0. This update includes the fix for this issue. To see the list of all fixed issues, click here

 

To update Photoshop to 23.0, click "Update" in the Creative Cloud desktop app next to Photoshop. More detailed instructions for updating

 

Let us know if the update resolves the problem for those affected and share your feedback with us.

 

Thanks,

Mohit

Bug Fixed
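
The thread turns on two checks: which bundled node.exe copies are installed and at what version, and whether any of them is actually reachable over the network (the point raised about the HTTP-server CVEs). The PowerShell below is an added example, not part of the thread and not Adobe's tooling; the `$Root` path and the `$MinSupportedMajor` threshold are assumptions to set from your own environment and policy.

```powershell
param(
    [string]$Root = 'C:\Program Files\Adobe',  # assumption: Adobe install root
    [int]$MinSupportedMajor = 18               # constructed default; set from your own policy
)

# Running node.exe processes with image path and PID.
# ExecutablePath can be empty for other users' processes unless run elevated.
$running = Get-CimInstance Win32_Process -Filter "Name = 'node.exe'"

# All TCP sockets currently in the Listen state.
$listening = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue

Get-ChildItem -Path $Root -Filter node.exe -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        $info = $file.VersionInfo

        # Processes started from this exact copy of node.exe
        # (-eq on strings is case-insensitive, which suits Windows paths).
        $procIds = @($running |
            Where-Object { $_.ExecutablePath -eq $file.FullName } |
            ForEach-Object { [int]$_.ProcessId })

        # Listening sockets owned by those processes, as address:port strings.
        $sockets = @($listening |
            Where-Object { $procIds -contains [int]$_.OwningProcess } |
            ForEach-Object { '{0}:{1}' -f $_.LocalAddress, $_.LocalPort })

        [pscustomobject]@{
            Path           = $file.FullName
            ProductVersion = $info.ProductVersion
            BelowMinimum   = $info.ProductMajorPart -lt $MinSupportedMajor
            RunningPids    = $procIds -join ','
            Listening      = $sockets -join ','
            # True when a listener is bound to something other than loopback.
            NonLoopback    = [bool]($sockets | Where-Object { $_ -notmatch '^(127\.|::1:)' })
        }
    } | Format-Table -AutoSize -Wrap
```

A row with `BelowMinimum` true and `NonLoopback` false matches the situation described in the thread: an outdated binary that a scanner will flag, but with no listener exposed beyond the local machine at the time of the check.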
