
Resolving Node.js 14.x vulnerability in AEM On-Premise

This article explains how to resolve a security issue caused by an outdated Node.js 14.x installation in an AEM on-premise environment running on Red Hat Enterprise Linux (RHEL). Although the development environment uses Node.js 16, the system still contains the older Node.js 14 package, which triggers alerts from security scanners. To address this issue, remove or disable the outdated package.

Description

Environment

Product: Adobe Experience Manager (AEM) On-Premise, v6.5
Operating System: Red Hat Enterprise Linux (RHEL)

Issue

  • Security scanners detect a vulnerability due to Node.js 14.x, which reached end-of-life on April 30, 2023.
  • The system still contains the outdated Node.js binary at /opt/rh/rh-nodejs14/root/usr/bin/node.
  • The development environment uses Node.js 16, but the old version remains installed at the OS level.
  • Scanners flag the issue by checking the Node.js version and runtime configuration.

Resolution

To resolve the issue, follow these steps:

  • Ensure that AEM processes use Node.js 16 by running node -v in the application environment. Also, check that no processes or build steps invoke the legacy Node.js 14 binary.
  • Check if the Node.js 14 installation is managed as part of RHEL’s package set. Review RHEL documentation to confirm whether security updates or backported patches are available. Some vendors continue to provide maintenance patches even after the official end-of-life.
  • Remove the legacy Node.js 14 package if it’s no longer in use and no maintenance updates are available, to reduce the system’s attack surface and improve overall security.
  • Update deployment documentation to reflect the use of the Node.js 16 binary. Resolve any mismatches between OS-level installations and application-level runtime environments to prevent false-positive vulnerability reports.
  • Confirm that the reported vulnerabilities originate from the OS-level Node.js installation, not from your updated codebase.

Following these steps helps eliminate outdated software risks and keeps your AEM on-premise environment secure and compliant.
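The audit below is an added example, not a script from this article or from Adobe. It turns the first three steps into checks that can be run on the RHEL host: it parses the version reported by `node -v`, flags a default Node.js below 16, reports whether the legacy binary at `/opt/rh/rh-nodejs14/root/usr/bin/node` and its `rh-nodejs14` Software Collection packages are still present, and counts running processes that invoke that binary. The process list and version strings used for the offline check are constructed sample values, and the `scl enable rh-nodejs14` pattern assumes the binary is used through its Software Collection wrapper, which the article does not state.

```shell
#!/bin/sh
# Added example (not from the Adobe article): audit helpers for a leftover
# Node.js 14 installation on an AEM on-premise RHEL host.

LEGACY_NODE=/opt/rh/rh-nodejs14/root/usr/bin/node   # path from the article
MIN_MAJOR=16                                          # version AEM should use

# node_major "v16.20.2" -> "16"
node_major() {
  printf '%s\n' "$1" | sed -e 's/^v//' -e 's/\..*$//'
}

# Succeeds when the reported version is numeric and at least MIN_MAJOR.
node_is_supported() {
  major=$(node_major "$1")
  case "$major" in
    ''|*[!0-9]*) return 1 ;;   # "none", "command not found", etc.
  esac
  [ "$major" -ge "$MIN_MAJOR" ]
}

# Reads process command lines on stdin and prints how many still invoke the
# legacy binary directly or through its Software Collection (assumed usage).
count_legacy_invocations() {
  grep -c -E "$LEGACY_NODE|scl enable rh-nodejs14" || true
}

# Constructed sample process list (not captured from a real host).
SAMPLE_PROCS='/usr/bin/java -jar /opt/aem/cq-quickstart.jar
/opt/rh/rh-nodejs14/root/usr/bin/node /opt/aem/build/gulpfile.js
/usr/bin/node /opt/aem/frontend/node_modules/.bin/webpack
scl enable rh-nodejs14 -- npm run build'

# Live audit of the current host; only runs when invoked with --run.
audit_host() {
  ver=$(node -v 2>/dev/null || echo none)
  if node_is_supported "$ver"; then
    echo "PASS: default node is $ver"
  else
    echo "FAIL: default node is $ver (need >= $MIN_MAJOR)"
  fi
  if [ -x "$LEGACY_NODE" ]; then
    echo "WARN: legacy binary still present: $LEGACY_NODE"
    # rh-nodejs14 ships as an RHEL Software Collection; list its RPMs so the
    # package can be checked for vendor patches and, if unused, removed.
    rpm -qa 'rh-nodejs14*' 2>/dev/null
  fi
  n=$(ps -eo args 2>/dev/null | count_legacy_invocations)
  echo "running processes using legacy Node.js 14: $n"
}

if [ "${1:-}" = "--run" ]; then
  audit_host
fi
```

Run it as `sh audit-node.sh --run` on the AEM host; a `FAIL` or a non-zero legacy-process count means the runtime mismatch the scanner reports is real rather than a stale package, and the `rpm -qa` output gives the package names to check against RHEL's update channels before removal.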

Security Best Practices for AEM 6.5
