Externals node version needs upgrade CVE-2025-23083 CVE-2025-23090
Describe the bug
Wiz is detecting issues with the Node version included with the externals deployment, a newer version is required. The same output and remediation instructions are provided for CVE-2025-23083.
File /
The vulnerability was found in the VulnCheck NVD++ Database based on the CPE cpe:2.3:a:nodejs:node.js and the reporting CNA has assigned it severity: High.
The file is associated with the technology Node.js.
The vulnerability can be remediated by updating Node.js to 20.18.2 or higher.
To Reproduce
Check externals version to see if <20.18.2
Expected behavior
An update is required for the included Node version.
Runner Version and Platform
2.322.0 on Linux
OS of the machine running the runner? OSX/Windows/Linux/...
Ubuntu 24.04
What's not working?
Wiz security scan detecting vulnerable Node.js version.
Also there is CVE-2024-21538
https://github.com/actions/runner/blob/main/src/Misc/expressionFunc/hashFiles/package-lock.json
[Trivy] ../../../externals/node20/lib/node_modules/npm/node_modules/cross-spawn/package.json#L1 <CVE-2024-21538>(https://avd.aquasec.com/nvd/cve-2024-21538)
Package: cross-spawn
Installed Version: 7.0.3
Vulnerability CVE-2024-21538
Severity: HIGH
Fixed Version: 7.0.5, 6.0.6
Link: [CVE-2024-21538](https://avd.aquasec.com/nvd/cve-2024-21538)
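The reproduction step and the Trivy finding above can be checked together on a runner host. The script below is an added example, not code from this issue or from the actions/runner project. It assumes the Node binary sits at `externals/node20/bin/node`, that npm's `package.json` is pretty-printed, that versions are plain `x.y.z`, and that the two fixed cross-spawn versions apply per major line (6.x and lower against 6.0.6, 7.x and higher against 7.0.5).

```shell
#!/bin/sh
# Added example: compare a runner's bundled Node 20 and npm's cross-spawn
# against the fixed versions quoted in this issue.

# version_lt A B: succeed when dotted version A is lower than B.
version_lt() {
  vl_a=$1 vl_b=$2
  for vl_i in 1 2 3; do
    vl_x=${vl_a%%.*} vl_y=${vl_b%%.*}
    [ "$vl_x" -lt "$vl_y" ] && return 0
    [ "$vl_x" -gt "$vl_y" ] && return 1
    case $vl_a in *.*) vl_a=${vl_a#*.} ;; *) vl_a=0 ;; esac
    case $vl_b in *.*) vl_b=${vl_b#*.} ;; *) vl_b=0 ;; esac
  done
  return 1  # equal versions are not "lower"
}

# First "version" value in a pretty-printed package.json (no jq needed).
pkg_version() {
  sed -n 's/^[[:space:]]*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Node 20 is flagged below 20.18.2; accepts the "v20.x.y" form node prints.
node20_vulnerable() { version_lt "${1#v}" 20.18.2; }

# cross-spawn: pick the threshold by major version (assumption, see lead-in).
cross_spawn_vulnerable() {
  case "${1%%.*}" in
    [0-6]) version_lt "$1" 6.0.6 ;;
    *)     version_lt "$1" 7.0.5 ;;
  esac
}

# scan_externals DIR: print one line per finding under the externals directory.
scan_externals() {
  se_node="$1/node20/bin/node"  # assumed location of the bundled binary
  se_pkg="$1/node20/lib/node_modules/npm/node_modules/cross-spawn/package.json"
  if [ -x "$se_node" ]; then
    se_v=$("$se_node" --version)
    node20_vulnerable "$se_v" && echo "node20 $se_v is below 20.18.2"
  fi
  if [ -f "$se_pkg" ]; then
    se_v=$(pkg_version "$se_pkg")
    [ -n "$se_v" ] && cross_spawn_vulnerable "$se_v" &&
      echo "cross-spawn $se_v (fixed: 7.0.5, 6.0.6)"
  fi
  return 0
}

if [ "$#" -gt 0 ]; then scan_externals "$1"; fi
```

Run it with the path to the runner's `externals` directory as the only argument; no output means neither check fired.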