Node20 Externals Version needs upgrade [CVE-2025-23083, CVE-2025-2309]

**Describe the bug**
Security scanning of the default installation method results in:
* [CVE-2025-23083](https://nvd.nist.gov/vuln/detail/CVE-2025-23083)
* [CVE-2025-2309](https://nvd.nist.gov/vuln/detail/CVE-2025-23090)
being tripped based on the current version of Node JS 20 set in externals.

**To Reproduce**
Steps to reproduce the behavior:

- Take latest installation from releases including runtimes and externals. Example: actions-runner-linux-x64-2.322.0.tar.gz
- Uncompress
- Run security scan (e.g. Wiz)
- Expected behavior
- Clean security report

## Runner Version and Platform
v2.322.0

## OS of the machine running the runner? OSX/Windows/Linux/...
Linux

## What's not working?
```
CPE vulnerabilities:
    Name: cpe:2.3:a:nodejs:node.js, Version: 20.18.0, Path: /externals/node20/bin/node
        CVE-2025-23083, Severity: HIGH, Source: https://vulncheck.com/browse/cve/CVE-2025-23083
            🩹 Fixed version: 20.18.2
        CVE-2025-23090, Severity: HIGH, Source: https://vulncheck.com/browse/cve/CVE-2025-23090
            🩹 Fixed version: 20.18.2

Vulnerable packages: CRITICAL: 0, HIGH: 1, MEDIUM: 0, LOW: 0, INFORMATIONAL: 0
    Total: 1
Vulnerabilities: CRITICAL: 0, HIGH: 2, MEDIUM: 0, LOW: 0, INFORMATIONAL: 0
    Total: 2, out of which 2 are fixable
Directories scanned: 1053, Files scanned: 4568
Scan results: PASSED. Directory meets policy requirements
```


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Node20 Externals Version needs upgrade [CVE-2025-23083, CVE-2025-2309] #3685

Runner Version and Platform

OS of the machine running the runner? OSX/Windows/Linux/...

What's not working?

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development