
Keeping Twilio Runtime Secure: Node.js Version Updates and Security Patches

Overview

Twilio Functions & Assets provides a secure, managed environment for running your serverless applications. The underlying Node.js runtime is maintained by Twilio to ensure stability, compatibility, and security. This article explains how Twilio manages Node.js version updates, especially in response to security vulnerabilities, and what customers should expect regarding patch timelines and mitigations.

 

Environment

Legacy Twilio Console

 

What You Need To Know

How Twilio Updates Node.js Runtimes

Twilio regularly monitors the Node.js project for new releases, including security patches and long-term support (LTS) updates. When a new Node.js version is released, such as a patch addressing a security vulnerability, Twilio evaluates, tests, and schedules the upgrade for the Twilio Runtime environment.

  • Major and Minor Updates: Twilio aligns major and minor Node.js version upgrades with industry standards and Node.js LTS/EOL schedules.
  • Patch Updates: Security patches (e.g., from 22.22.0 to 22.22.2) are reviewed and prioritized based on severity, impact, and compatibility.

 

Security Vulnerabilities and Mitigations

When a vulnerability is reported in a Node.js version used by Twilio Runtime:

  • Assessment: Twilio’s security and engineering teams assess the risk and determine the urgency of the update.
  • Mitigations: Twilio’s platform is designed with multiple layers of security, including isolation of customer code, to minimize exposure. Additional mitigations may be applied as needed while a patch is being prepared.
  • Upgrade Timeline: Twilio aims to upgrade runtimes promptly, but patch releases may not be immediate due to the need for compatibility and stability testing.

 

Example: Node.js 22.22.2 and CVE-2025-23083

If you notice that your Twilio Runtime is running Node.js 22.22.0 and a newer patch (e.g., 22.22.2) has been released to address a vulnerability (such as CVE-2025-23083):

  • Twilio is aware of the update and is working to roll out the patched version.
  • There may be a short delay between the Node.js release and its availability in Twilio Runtime due to internal testing and validation.
  • Twilio will announce the upgrade in the changelog and documentation.
  • In the meantime, Twilio’s platform security and isolation help reduce risk.

 

Frequently Asked Questions

How do I know which Node.js version my Functions are using?

You can view and select the Node.js runtime version for your Functions in the Twilio Console under Functions & Assets. Select your function service and go to the Dependencies section.
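To confirm from inside a deployed Function which Node.js version is actually running, and whether it has reached the patch level you require, a check like the following can be used. This is an added example, not Twilio's code: the `REQUIRED` table (its 22.22.2 entry is taken from this article's example) and the names `parseVersion` and `checkRuntime` are assumptions for illustration.

```javascript
// Added example: report the Node.js version a Function is running on and
// compare it with a minimum patch level per release line.
// REQUIRED is an assumption: 22.22.2 is the patch release used in this
// article's example. Replace it with the baseline your policy mandates.
const REQUIRED = { 22: '22.22.2' };

// Parse "v22.22.0" or "22.22.0" into [major, minor, patch]; null if malformed.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  return m ? m.slice(1).map(Number) : null;
}

// Returns { running, required, status } where status is one of:
//   'patched'  - running version >= required version for its release line
//   'behind'   - same release line, older than the required patch
//   'unknown'  - malformed version, or no baseline for this release line
function checkRuntime(running, required = REQUIRED) {
  const cur = parseVersion(running);
  const min = cur && required[cur[0]] ? parseVersion(required[cur[0]]) : null;
  if (!cur || !min) {
    return { running, required: null, status: 'unknown' };
  }
  // Compare minor, then patch; the major already matches by table lookup.
  let status = 'patched';
  for (let i = 1; i < 3; i++) {
    if (cur[i] !== min[i]) { status = cur[i] > min[i] ? 'patched' : 'behind'; break; }
  }
  return { running, required: required[cur[0]], status };
}

// Twilio Functions entry point: responds with the check for the live runtime.
function handler(context, event, callback) {
  callback(null, checkRuntime(process.version));
}
if (typeof module !== 'undefined') module.exports = { handler, checkRuntime };
```

Do not leave this Function publicly reachable, since the response discloses the runtime version.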

What should I do if my organization has strict compliance requirements?

If you have specific compliance needs or require more information about Twilio’s mitigation steps, please reach out to Twilio Support for guidance.

Will Twilio notify me when a security patch is applied?

All runtime updates, including security patches, are announced in the Twilio Changelog.

 

Conclusion

What Should Customers Do?

  • Monitor the Changelog: Twilio announces all runtime updates and security patches in the Twilio Changelog.
  • Redeploy Functions: Once a new Node.js runtime version is available, customers are encouraged to redeploy their Functions to take advantage of the latest security updates.
  • Stay Informed: For critical vulnerabilities, Twilio may provide additional guidance or interim mitigations.
  • If you have any further questions, please reach out to Twilio Support.

Below you will find references to useful documents: 
