Node.js 15

by Node.js Foundationv15.14.0

Last updated Jun 8, 2026

Run JavaScript Everywhere

Install with winget

$ winget install --id OpenJS.NodeJS.15 --exact --version 15.14.0

Run in Command Prompt, PowerShell, or Windows Terminal. Prompts for any agreements.

Silent install command for Node.js 15

Node.js 15 uses MSI (WiX). The silent install switches are /quiet /norestart.

One-line silent install (x64, machine scope)

msiexec.exe /i node-v15.14.0-x64.msi /quiet /norestart

See the full silent install reference for Node.js 15 →

Built by Pckgr

For Intune admins

Stop chasing app updates. Pckgr patches them for you.

Automated application patching for Microsoft Intune. Pckgr keeps a curated library of 1,000+ apps continuously up-to-date in your tenant via Microsoft Graph - no manual repackaging, no chasing vendor sites.

Start free 30-day trial

No credit card required.

About

Node.js® is a free, open-source, cross-platform JavaScript runtime environment that lets developers create servers, web apps, command line tools and scripts.

Installers · v15.14.0

Architecture	Type	Scope	Download
x86	Portable in ZIP	-	Direct
x86	MSI WiX	machine	Direct
x64	Portable in ZIP	-	Direct
x64	MSI WiX	machine	Direct

Copy a command tailored to that specific architecture, type, and scope - useful when winget would otherwise pick a different default.

Security

25 known CVEs via NVD

high7.5Fix in v20.20.0CVE-2026-21637affects before 20.20.0, 22.22.0, 24.13.0, 25.3.0Jan 20, 2026
A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), c...
Vendor advisory
critical10.0Patched in wingetCVE-2026-21636affects before 25.3.0Jan 20, 2026
A flaw in Node.js's permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when `--permission` is enabled. Even without `--allow-net`, attacker-controlled inputs (such as URLs or socketPath options) can connect to arbitrary local sockets via...
Vendor advisory
high7.5Patched in wingetCVE-2025-59466affects before 20.20.0, 22.22.0, 24.13.0, 25.3.0Jan 20, 2026
We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on('uncaughtException')`, the process terminates, making the crash unrecoverable. Applic...
Vendor advisory
high7.5Patched in wingetCVE-2025-59465affects before 20.20.0, 22.22.0, 24.13.0, 25.3.0Jan 20, 2026
A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affect...
Vendor advisory
high7.5Patched in wingetCVE-2025-59464affects before 24.12.0Jan 20, 2026
A memory leak in Node.js’s OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. When applications call `socket.getPeerCertificate(true)`, each certificate field leaks memory, allowing remote clients to trigger stead...
Vendor advisory
medium5.3Patched in wingetCVE-2025-55132affects before 20.20.0, 22.22.0, 24.13.0, 25.3.0Jan 20, 2026
A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata ca...
Vendor advisory
critical9.1Patched in wingetCVE-2025-55130affects before 20.20.0, 22.22.0, 24.13.0, 25.3.0Jan 20, 2026
A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path an...
Vendor advisory
medium5.5Patched in wingetCVE-2025-23084affects before 18.20.6, 20.18.2, 22.13.1, 23.6.1Jan 27, 2025
A vulnerability has been identified in Node.js, specifically affecting the handling of drive names in the Windows environment. Certain Node.js functions do not treat drive names as special on Windows. As a result, although Node.js assumes a relative path, it actually refers to t...
Vendor advisory

Showing 8 of 25. Source: NVD, updated 3h ago. Patch status is best-effort: NVD's fix version is compared against the latest version in winget, but the two version formats don't always align. Confirm with the vendor advisory before treating any specific build as safe.

See a CVE that affects your fleet? Push the patched version to Intune in one click with Pckgr - automated patching is the only way to keep up.

Related apps

Node.js (LTS)Node.js Foundation
OpenJS.NodeJS.LTSv24.16.0
Run JavaScript Everywhere
Node.js 22Node.js Foundation
OpenJS.NodeJS.22v22.22.3
Run JavaScript Everywhere
Node.js 20Node.js Foundation
OpenJS.NodeJS.20v20.20.2
Run JavaScript Everywhere
Node.jsNode.js Foundation
OpenJS.NodeJSv26.3.0
Run JavaScript Everywhere
Node.js 8Node.js Foundation
OpenJS.NodeJS.8v8.11.3
Run JavaScript Everywhere
Node.js 7Node.js Foundation
OpenJS.NodeJS.7v7.1.0
Run JavaScript Everywhere

More from Node.js Foundation or browse coding, cross-platform, develop.

Frequently asked questions

How do I install Node.js 15 on Windows?

Open Windows Terminal, PowerShell, or Command Prompt and run: winget install --id OpenJS.NodeJS.15 --exact --version 15.14.0. winget downloads the installer from Node.js Foundation and runs it. Requires Windows 10 (1809+) or Windows 11.

How do I install Node.js 15 silently for unattended deployment?

Add --silent and accept the agreements upfront: winget install --id OpenJS.NodeJS.15 --exact 15.14.0 --silent --accept-package-agreements --accept-source-agreements. This is the variant Intune, Configuration Manager, and other deployment tools should use.

What are the silent install switches for Node.js 15?

Node.js 15 uses MSI (WiX). Run the downloaded installer with: msiexec.exe /i node-v15.14.0-x64.msi /quiet /norestart. The silent switches are /quiet /norestart.

How do I uninstall Node.js 15 via winget?

Run: winget uninstall --id OpenJS.NodeJS.15 --exact. Add --silent for unattended uninstalls. winget will use the registered uninstaller from Node.js 15's Apps & Features entry.

Is Node.js 15 free?

Node.js 15 is distributed under MIT. Refer to the publisher (https://nodejs.org/) for the full license terms - Wingetly itself does not charge for installation.

Does Node.js 15 work on Windows 10?

Yes, as long as your Windows 10 build supports winget (1809 or newer). winget ships with App Installer on Windows 10/11 and pulls Node.js 15 directly from the publisher.

How do I keep Node.js 15 up to date?

Run winget upgrade --id OpenJS.NodeJS.15 --exact, or winget upgrade --all to update everything winget tracks. We index 10 versions of Node.js 15 from microsoft/winget-pkgs.

Recent versions

15.14.0latest
15.13.0
15.12.0
15.11.0
15.10.0
15.9.0
15.8.0
15.7.0
15.6.0
15.5.1