CVE to EOL lines: Tracking Issue

[RafaelGSS]

Until we find a better place to have it listed, let's use this issue to track the CVE issues for EOL versions of Node.js.

Release line	CVE ID	CVE issued at
<= v17.x	CVE-2025-23087	Schedule to next sec release
v19.x	CVE-2025-23088	Schedule to next sec release
v21.x	CVE-2025-23089	Schedule to next sec release

v19.x
v21.x

cc: @nodejs/security-release

[richardlau]

Any reason to start at 14? Can we do 17 and all earlier versions as one CVE?

[RafaelGSS]

Any reason to start at 14? Can we do 17 and all earlier versions as one CVE?

Sure, I thought about issuing CVE for v14 <= and then a new one of each one of the release lines listed but starting on v17 makes sense. I'll update the description.