Enhancing Node.js Security: Highlights from the Recent Audit


The OpenJS Foundation is pleased to share the results of the recent Node.js security audit conducted by Ada Logics, in collaboration with the Open Source Technology Improvement Fund (OSTIF).

Objectives of the Audit

The primary goal of this audit, conducted in late November and December 2023, was to improve Node.js's fuzzing ecosystem and enhance project documentation through a comprehensive threat modeling exercise. Fuzzing is critical for identifying vulnerabilities: it exercises software with unexpected, malformed, or randomly mutated inputs and watches for crashes, memory errors, and broken invariants. Improving the fuzzing setup is intended to bolster Node.js's security and robustness.

Ada Logics' extensive fuzzing experience enabled them to tackle several issues, including fixing a long-broken OSS-Fuzz build, adding three new ClusterFuzzLite integrations for Node.js dependencies, and introducing 48 new fuzzers to the existing suite. They also documented four security findings identified by the fuzzers.
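To make concrete what the fuzzers described above do, here is an added example in the shape of a libFuzzer harness (the kind OSS-Fuzz and ClusterFuzzLite run); it is not code from the audit report or from the Node.js repository. The `LLVMFuzzerTestOneInput` entry point signature is the real libFuzzer convention; everything else is constructed for illustration: a toy length-prefixed record format, a naive parser that trusts the embedded lengths, a checked parser that validates them, an in-bounds invariant that stands in for what AddressSanitizer would flag in a real build, and a tiny fixed-seed mutation loop that stands in for the fuzzing engine.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed record format for this example (not a Node.js format):
 *   [1 byte n][n bytes name][1 byte m][m bytes value]
 * Spans are returned as offsets so the harness can check them against size. */
typedef struct {
    size_t name_off, name_len;
    size_t value_off, value_len;
} record_t;

#define MAX_INPUT 256   /* largest input the harness accepts */
#define FUZZ_BUF  512   /* padded copy: 2 + 255 + 255 fits, so the naive
                           parser's logical overreads never leave the array */

/* Naive parser: trusts the embedded lengths. This is the kind of defect
 * fuzzing surfaces; it is deliberately wrong for the example. */
int parse_record_naive(const uint8_t *buf, size_t size, record_t *out) {
    if (size < 2) return -1;
    size_t n = buf[0];
    out->name_off = 1;
    out->name_len = n;
    size_t m = buf[1 + n];            /* reads beyond size when n is large */
    out->value_off = 2 + n;
    out->value_len = m;
    return 0;
}

/* Checked parser: every length is validated against the bytes actually present. */
int parse_record_checked(const uint8_t *buf, size_t size, record_t *out) {
    if (size < 2) return -1;
    size_t n = buf[0];
    if (1 + n >= size) return -1;     /* name or the m byte would run past the end */
    size_t m = buf[1 + n];
    if (2 + n + m > size) return -1;  /* value would run past the end */
    out->name_off = 1;
    out->name_len = n;
    out->value_off = 2 + n;
    out->value_len = m;
    return 0;
}

typedef int (*parser_fn)(const uint8_t *, size_t, record_t *);

/* Runs one input through a parser. Returns 1 if the parser accepted the
 * input but returned a span outside [0, size), which is the invariant an
 * ASan-instrumented build would catch as an out-of-bounds read; else 0. */
int fuzz_one(parser_fn parse, const uint8_t *data, size_t size) {
    uint8_t buf[FUZZ_BUF] = {0};
    if (size > MAX_INPUT) return 0;
    memcpy(buf, data, size);
    record_t r;
    if (parse(buf, size, &r) != 0) return 0;   /* rejecting input is fine */
    int in_bounds = r.name_off + r.name_len <= size &&
                    r.value_off + r.value_len <= size;
    return in_bounds ? 0 : 1;
}

/* libFuzzer entry point (real signature). A fuzzing engine calls this with
 * each generated input; a violation aborts, which the engine records as a crash. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    if (fuzz_one(parse_record_checked, data, size)) abort();
    return 0;
}

/* Stand-in for the fuzzing engine: mutate one byte of the seed per iteration
 * with a fixed-seed LCG, run the harness, and count invariant violations.
 * Deterministic, so results are reproducible. */
int fuzz_loop(parser_fn parse, const uint8_t *seed, size_t seed_len,
              uint32_t rng, int iterations) {
    uint8_t input[MAX_INPUT];
    int violations = 0;
    if (seed_len == 0 || seed_len > MAX_INPUT) return -1;
    for (int i = 0; i < iterations; i++) {
        memcpy(input, seed, seed_len);
        rng = rng * 1664525u + 1013904223u;
        size_t pos = (rng >> 16) % seed_len;
        rng = rng * 1664525u + 1013904223u;
        input[pos] = (uint8_t)(rng >> 16);
        violations += fuzz_one(parse, input, seed_len);
    }
    return violations;
}

int main(void) {
    /* Constructed seed: n=3 "abc", m=2 "hi" */
    const uint8_t seed[] = {3, 'a', 'b', 'c', 2, 'h', 'i'};
    printf("naive parser violations:   %d\n",
           fuzz_loop(parse_record_naive, seed, sizeof seed, 42u, 5000));
    printf("checked parser violations: %d\n",
           fuzz_loop(parse_record_checked, seed, sizeof seed, 42u, 5000));
    return 0;
}
```

Under OSS-Fuzz the engine supplies the mutations and coverage feedback and AddressSanitizer supplies the oracle, so a real harness is only the `LLVMFuzzerTestOneInput` function calling the code under test; the mutation loop and explicit bounds check here exist solely so the example runs and reports offline.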

The audit's outcomes have had an immediate and measurable impact on the Node.js project. Following the audit, code coverage of the src folder increased by at least 18.1%, with an additional 1,400 functions analyzed. Coverage is expected to continue growing, allowing Node.js to benefit from more comprehensive bug reporting and coverage insights.

With these improvements, Node.js can expect broader and deeper coverage from its fuzzing efforts, allowing maintainers to respond promptly to vulnerabilities identified by the new fuzzing suite. Additionally, the deeper understanding gained from this audit will inform future security needs and priorities.

Those interested in the detailed findings and methodologies can read the full Audit Report here.

We remain dedicated to keeping Node.js a secure and reliable platform for developers everywhere. This partnership between the OpenJS Foundation, OSTIF, Ada Logics, and the Sovereign Tech Fund (STF) highlights our ongoing efforts to strengthen the open source ecosystem. Thank you for your continued support.