node:25-alpine ships openssl 3.5.5-r0 — any plans to rebuild with patched OpenSSL?

[Dharund008]

Hi,

I was currently using node:25-alpine as our base Docker image, and the container security scanner (AWS ECR) is reporting the following CVEs related to openssl:3.5.5-r0 included in the image:

CVE-2026-31790 (Moderate)
CVE-2026-2673 (Low)
CVE-2026-28387, CVE-2026-28388, CVE-2026-28389, CVE-2026-28390, CVE-2026-31789 (Low)

OpenSSL version 3.5.6, released on April 7, 2026, addresses these vulnerabilities. However, running apk upgrade openssl within the container does not result in any updates, which suggests that the patched version may not yet be available in the Alpine stable repositories used by this image (please correct me if I’m mistaken).

Could you please advise on the following:

Is there a plan to rebuild node:25-alpine once Alpine stable includes the patched OpenSSL version?
Is there an issue or tracking link we can follow for updates?

Thank you.

[MikeMcC399]

https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V25.md#2026-02-10-version-2561-current-aduh95 shows that OpenSSL was updated to 3.5.5 in Node.js 25.6.1

I would expect the next release of Node.js 25 to have the OpenSSL 3.5.6 update included. Node.js 25 is now in maintenance mode, so there aren't any new releases expected.

nodejs/node#62629 has done the update and that will automatically be included in a future Node.js Docker build. The follow-on for Node.js 25 is Node.js 26. The update will probably not be in the first release v26.0.0 since there is already a build freeze in place.

You can find some general background information in the SECURITY document.

You can subscribe to Node.js releases by going to https://github.com/nodejs/node and selecting Watch -> Custom -> Releases. Check the release notes when they are available to see if the OpenSSL update is included.

[Dharund008]

Thank you !