Tenable Research Release Highlights

justinhall
Product Team
2 months ago

Node.js Module Enumeration Detection Updates

Summary

Tenable has updated the Node.js module enumeration plugins to reduce false positives and to better identify vulnerabilities when multiple packages are present on the scan target.

Change

Before this update, the Node.js module enumeration plugins did not attempt to associate detected packages with an RPM or DEB package managed by the Linux distribution. This would cause some packages to report vulnerabilities both based on a Linux distribution vendor’s advisory and a CVE advisory from the Node.js module maintainer.

In addition, some Node.js installations on macOS that originated from third-party package managers, or from source, were not detected by the Node.js detection plugin. This would prevent the Node.js module enumeration plugin from running on those macOS assets.

In some cases, a large volume of Node.js modules detected would cause the enumeration plugin to crash when attempting to report the list of modules in plugin output.

After this update, these issues have been addressed. Vulnerable Node.js modules on Linux assets will be assessed to determine if they are managed by a Linux distribution’s package manager, and if so, will be marked as “Managed” and will not report a vulnerability, unless the Show potential false alarms setting is enabled for the scan.

Node.js installs on Windows and macOS that were not previously detected due to the installation method will now be detected, and their installed modules will be enumerated.

The module enumeration plugins will no longer report the list of detected modules in plugin output; rather, they will use only internal storage mechanisms to record the detected modules, so that Node.js vulnerability plugins can continue to use that data for version checks.
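The logic described above (enumerate installed modules, ask the host package manager whether each one is distro-managed, suppress managed ones unless the false-alarm setting is on, and skip unreadable manifests rather than aborting the whole enumeration) is sketched below as an added example. It is not Tenable plugin code; the `NodeModule`, `enumerate_modules`, `report` and `demo` names are assumptions, and `demo()` uses a constructed ownership map in place of a real `dpkg -S` / `rpm -qf` query so that it runs offline.

```python
"""Added example (not Tenable plugin code): enumerate Node.js modules under a
node_modules tree and classify each as distro-managed or not, mirroring the
de-duplication behaviour described in the post."""
import json
import os
import shutil
import subprocess
import tempfile
from dataclasses import dataclass
from typing import Callable, Iterator, List, Optional


@dataclass(frozen=True)
class NodeModule:
    name: str
    version: str
    path: str
    managed_by: Optional[str]  # owning RPM/DEB package name, or None if unmanaged


def iter_package_manifests(root: str) -> Iterator[str]:
    """Yield every package.json that sits directly under a node_modules
    directory (or under a scope directory such as node_modules/@org/)."""
    for dirpath, _, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        parent = os.path.basename(os.path.dirname(dirpath))
        grandparent = os.path.basename(os.path.dirname(os.path.dirname(dirpath)))
        if parent == "node_modules" or (parent.startswith("@") and grandparent == "node_modules"):
            yield os.path.join(dirpath, "package.json")


def distro_owner(path: str) -> Optional[str]:
    """Ask the host package manager which installed package owns `path`.
    Returns None when no package manager is present or the file is unowned."""
    if shutil.which("dpkg"):
        cmd = ["dpkg", "-S", path]      # prints "pkg: /path" on success
    elif shutil.which("rpm"):
        cmd = ["rpm", "-qf", path]      # prints "pkg-version-release.arch" on success
    else:
        return None
    res = subprocess.run(cmd, capture_output=True, text=True)
    if res.returncode != 0:
        return None
    first = res.stdout.strip().splitlines()[0]
    return first.split(":")[0] if cmd[0] == "dpkg" else first


def enumerate_modules(root: str,
                      owner_of: Callable[[str], Optional[str]] = distro_owner) -> List[NodeModule]:
    """Build the module inventory; a malformed or unreadable manifest is
    skipped so that one bad package cannot abort the whole enumeration."""
    modules: List[NodeModule] = []
    for manifest in iter_package_manifests(root):
        try:
            with open(manifest, encoding="utf-8") as fh:
                meta = json.load(fh)
        except (OSError, ValueError):
            continue
        name, version = meta.get("name"), meta.get("version")
        if not isinstance(name, str) or not isinstance(version, str):
            continue
        modules.append(NodeModule(name, version, os.path.dirname(manifest), owner_of(manifest)))
    return sorted(modules, key=lambda m: m.name)  # deterministic order for reporting


def report(modules: List[NodeModule], show_potential_false_alarms: bool = False) -> List[NodeModule]:
    """Modules handed to version-based vulnerability checks: unmanaged ones always,
    distro-managed ones only when the false-alarm setting is enabled."""
    return [m for m in modules if m.managed_by is None or show_potential_false_alarms]


def build_sample_tree() -> str:
    """Create a constructed node_modules tree in a temp dir and return its root."""
    root = tempfile.mkdtemp(prefix="nodemods-")
    fixtures = {
        "node_modules/lodash/package.json": {"name": "lodash", "version": "4.17.20"},
        "node_modules/@babel/core/package.json": {"name": "@babel/core", "version": "7.12.0"},
        "node_modules/lodash/node_modules/minimist/package.json": {"name": "minimist", "version": "0.0.8"},
    }
    for rel, meta in fixtures.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            json.dump(meta, fh)
    bad = os.path.join(root, "node_modules", "broken", "package.json")  # constructed malformed manifest
    os.makedirs(os.path.dirname(bad))
    with open(bad, "w", encoding="utf-8") as fh:
        fh.write("{not json")
    return root


def demo() -> List[NodeModule]:
    """Run the enumeration over the constructed tree with a constructed ownership
    map (only lodash is 'owned' by a hypothetical distro package)."""
    root = build_sample_tree()
    owned = {os.path.join(root, "node_modules", "lodash", "package.json"): "node-lodash"}
    try:
        return enumerate_modules(root, owner_of=owned.get)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for m in demo():
        print(m.name, m.version, m.managed_by or "unmanaged")
```

Against a real host, call `enumerate_modules("/usr/lib/node_modules")` with the default `distro_owner`; the ownership query is per-manifest, so a distro-packaged module and an npm-installed copy of the same name in another tree are classified independently.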

Impact

Most customers will notice a reduction in the volume of Node.js module vulnerabilities reported. Some Windows and macOS scan results may show an increase in detected vulnerabilities if Node.js was not previously detected based on the installation method.

If a large number of modules is present on a scan target and previously caused the plugin to malfunction and report no vulnerabilities, those targets may show previously unreported vulnerabilities, as the module enumeration plugin will now complete and allow the vulnerability plugins to execute.

Plugins affected

200172 - Node.js Modules Installed (Windows)

179440 - Node.js Modules Installed (macOS)

178772 - Node.js Modules Installed (Linux)

110839 - Node.js Installed (Windows)

142903 - Node.js Installed (macOS)

Target Release Date

January 5, 2026
