From 3807d28742600f9839fa75c4e0a8381a19fe73bf Mon Sep 17 00:00:00 2001
From: RafaelGSS <rafael.nunu@hotmail.com>
Date: Wed, 28 Jan 2026 11:41:36 -0300
Subject: [PATCH 1/4] Blog: add OpenSSL Jan Sec Release Assessment

---
 ...enssl-fixes-in-regular-releases-jan2026.md | 83 +++++++++++++++++++
 1 file changed, 83 insertions(+)
 create mode 100644 apps/site/pages/en/blog/vulnerability/openssl-fixes-in-regular-releases-jan2026.md

diff --git a/apps/site/pages/en/blog/vulnerability/openssl-fixes-in-regular-releases-jan2026.md b/apps/site/pages/en/blog/vulnerability/openssl-fixes-in-regular-releases-jan2026.md
new file mode 100644
index 0000000000000..292d0aca2d4db
--- /dev/null
+++ b/apps/site/pages/en/blog/vulnerability/openssl-fixes-in-regular-releases-jan2026.md
@@ -0,0 +1,83 @@
+---
+date: '2026-01-28T17:00:00.000Z'
+category: vulnerability
+title: OpenSSL Security Advisory Assessment, January 2026
+layout: blog-post
+author: The Node.js Project
+---
+
+## Summary
+
+The OpenSSL project released a security advisory that includes 12 CVEs.
+After assessment, we have concluded that three CVEs affect Node.js (severity Low to Moderate).
+Given the limited attack surface, the OpenSSL updates will be included in
+upcoming regular Node.js releases rather than dedicated security releases.
+
+## Analysis
+
+All three vulnerabilities relate to how Node.js processes PFX (PKCS#12) certificate files,
+which are used when configuring TLS connections via the `pfx` option.
+An attacker would need to provide a specially crafted PFX file to trigger any of these issues.
+Since PFX files typically come from trusted local sources (e.g., your own private keys
+and certificates), the attack surface is limited in practice.
+
+### CVE-2025-11187: Stack buffer overflow in PBMAC1 MAC verification - Moderate
+
+| Branch | OpenSSL Version | Affected |
+| ------ | --------------- | -------- |
+| v20.x  | 3.0.15          | No       |
+| v22.x  | 3.0.17          | No       |
+| v24.x  | 3.5.4           | Yes      |
+| v25.x  | 3.5.4           | Yes      |
+| main   | 3.5.4           | Yes      |
+
+OpenSSL 3.0 (used by v20.x and v22.x) does not support PBMAC1 and is therefore not affected.
+
+### CVE-2025-69421: NULL pointer dereference in PKCS12_item_decrypt_d2i_ex() - Low
+
+| Branch | OpenSSL Version | Affected |
+| ------ | --------------- | -------- |
+| v20.x  | 3.0.15          | Yes      |
+| v22.x  | 3.0.17          | Yes      |
+| v24.x  | 3.5.4           | Yes      |
+| v25.x  | 3.5.4           | Yes      |
+| main   | 3.5.4           | Yes      |
+
+This function is called internally by `PKCS12_parse()`. All branches are affected.
+
+### CVE-2026-22795: Type confusion during PKCS#12 parsing - Low
+
+| Branch | OpenSSL Version | Affected |
+| ------ | --------------- | -------- |
+| v20.x  | 3.0.15          | Yes      |
+| v22.x  | 3.0.17          | Yes      |
+| v24.x  | 3.5.4           | Yes      |
+| v25.x  | 3.5.4           | Yes      |
+| main   | 3.5.4           | Yes      |
+
+Both OpenSSL 3.0 and 3.5 are vulnerable. All branches are affected.
+
+## CVEs that do not affect Node.js
+
+The following 8 CVEs do not affect Node.js on any branch:
+
+- **CVE-2025-15467 (High, CMS AuthEnvelopedData):** Node.js does not use CMS APIs.
+- **CVE-2025-15468 (Low, SSL_CIPHER_find + QUIC):** Node.js never calls `SSL_CIPHER_find()`.
+- **CVE-2025-15469 (Low, openssl dgst truncation):** Command-line tool only.
+- **CVE-2025-66199 (Low, TLS 1.3 CompressedCertificate):** Node.js builds with `OPENSSL_NO_COMP` on all branches, so certificate compression is disabled.
+- **CVE-2025-68160 (Low, BIO_f_linebuffer):** Node.js does not use this BIO filter.
+- **CVE-2025-69418 (Low, low-level OCB):** Node.js uses the EVP API, which the advisory confirms avoids the vulnerable path.
+- **CVE-2025-69419 (Low, PKCS12_get_friendlyname):** Node.js does not call this function; the advisory notes `PKCS12_parse()` uses a separate safe path.
+- **CVE-2025-69420 (Low, TS_RESP_verify_response):** Node.js does not use timestamp protocol APIs.
+- **CVE-2026-22796 (Low, PKCS7_digest_from_attributes):** Node.js does not call PKCS#7 signature verification APIs.
+
+## Contact and future updates
+
+The current Node.js security policy can be found at <https://github.com/nodejs/node/security/policy#security>,
+including information on how to report a vulnerability in Node.js.
+
+Subscribe to the low-volume announcement-only **nodejs-sec** mailing list at
+https://groups.google.com/forum/#!forum/nodejs-sec to stay up to date on
+security vulnerabilities and security-related releases of Node.js and the
+projects maintained in the
+[nodejs GitHub organization](https://github.com/nodejs).

From a8fe8c6ad7afa72da85a06890bd32ec1360ce2f8 Mon Sep 17 00:00:00 2001
From: Rafael Gonzaga <rafael.nunu@hotmail.com>
Date: Wed, 28 Jan 2026 14:25:12 -0300
Subject: [PATCH 2/4] Update
 apps/site/pages/en/blog/vulnerability/openssl-fixes-in-regular-releases-jan2026.md

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Rafael Gonzaga <rafael.nunu@hotmail.com>
---
 .../vulnerability/openssl-fixes-in-regular-releases-jan2026.md  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/site/pages/en/blog/vulnerability/openssl-fixes-in-regular-releases-jan2026.md b/apps/site/pages/en/blog/vulnerability/openssl-fixes-in-regular-releases-jan2026.md
index 292d0aca2d4db..731c559934b99 100644
--- a/apps/site/pages/en/blog/vulnerability/openssl-fixes-in-regular-releases-jan2026.md
+++ b/apps/site/pages/en/blog/vulnerability/openssl-fixes-in-regular-releases-jan2026.md
@@ -59,7 +59,7 @@ Both OpenSSL 3.0 and 3.5 are vulnerable. All branches are affected.
 
 ## CVEs that do not affect Node.js
 
-The following 8 CVEs do not affect Node.js on any branch:
+The following 9 CVEs do not affect Node.js on any branch:
 
 - **CVE-2025-15467 (High, CMS AuthEnvelopedData):** Node.js does not use CMS APIs.
 - **CVE-2025-15468 (Low, SSL_CIPHER_find + QUIC):** Node.js never calls `SSL_CIPHER_find()`.

From c02a6033c57b8d11c5aba394be53c326041e9844 Mon Sep 17 00:00:00 2001
From: RafaelGSS <rafael.nunu@hotmail.com>
Date: Wed, 28 Jan 2026 15:27:36 -0300
Subject: [PATCH 3/4] fixup! Blog: add OpenSSL Jan Sec Release Assessment

---
 .../openssl-fixes-in-regular-releases-jan2026.md              | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/apps/site/pages/en/blog/vulnerability/openssl-fixes-in-regular-releases-jan2026.md b/apps/site/pages/en/blog/vulnerability/openssl-fixes-in-regular-releases-jan2026.md
index 731c559934b99..714ab383ab5ba 100644
--- a/apps/site/pages/en/blog/vulnerability/openssl-fixes-in-regular-releases-jan2026.md
+++ b/apps/site/pages/en/blog/vulnerability/openssl-fixes-in-regular-releases-jan2026.md
@@ -26,12 +26,12 @@ and certificates), the attack surface is limited in practice.
 | Branch | OpenSSL Version | Affected |
 | ------ | --------------- | -------- |
 | v20.x  | 3.0.15          | No       |
-| v22.x  | 3.0.17          | No       |
+| v22.x  | 3.5.4           | Yes      |
 | v24.x  | 3.5.4           | Yes      |
 | v25.x  | 3.5.4           | Yes      |
 | main   | 3.5.4           | Yes      |
 
-OpenSSL 3.0 (used by v20.x and v22.x) does not support PBMAC1 and is therefore not affected.
+OpenSSL 3.0 (used by v20.x) does not support PBMAC1 and is therefore not affected.
 
 ### CVE-2025-69421: NULL pointer dereference in PKCS12_item_decrypt_d2i_ex() - Low
 

From 11003773835a0324be3fa3b64c14fcbab72532e8 Mon Sep 17 00:00:00 2001
From: Rafael Gonzaga <rafael.nunu@hotmail.com>
Date: Wed, 28 Jan 2026 17:17:19 -0300
Subject: [PATCH 4/4] Apply suggestions from code review

Co-authored-by: Richard Lau <richard.lau@ibm.com>
Signed-off-by: Rafael Gonzaga <rafael.nunu@hotmail.com>
---
 .../openssl-fixes-in-regular-releases-jan2026.md              | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/apps/site/pages/en/blog/vulnerability/openssl-fixes-in-regular-releases-jan2026.md b/apps/site/pages/en/blog/vulnerability/openssl-fixes-in-regular-releases-jan2026.md
index 714ab383ab5ba..5db7aee66ddda 100644
--- a/apps/site/pages/en/blog/vulnerability/openssl-fixes-in-regular-releases-jan2026.md
+++ b/apps/site/pages/en/blog/vulnerability/openssl-fixes-in-regular-releases-jan2026.md
@@ -38,7 +38,7 @@ OpenSSL 3.0 (used by v20.x) does not support PBMAC1 and is therefore not affecte
 | Branch | OpenSSL Version | Affected |
 | ------ | --------------- | -------- |
 | v20.x  | 3.0.15          | Yes      |
-| v22.x  | 3.0.17          | Yes      |
+| v22.x  | 3.5.4           | Yes      |
 | v24.x  | 3.5.4           | Yes      |
 | v25.x  | 3.5.4           | Yes      |
 | main   | 3.5.4           | Yes      |
@@ -50,7 +50,7 @@ This function is called internally by `PKCS12_parse()`. All branches are affecte
 | Branch | OpenSSL Version | Affected |
 | ------ | --------------- | -------- |
 | v20.x  | 3.0.15          | Yes      |
-| v22.x  | 3.0.17          | Yes      |
+| v22.x  | 3.5.4           | Yes      |
 | v24.x  | 3.5.4           | Yes      |
 | v25.x  | 3.5.4           | Yes      |
 | main   | 3.5.4           | Yes      |