Affected versions of this package are vulnerable to Information Exposure. Under certain circumstances, a TLS server can be forced to respond differently to a client if a zero-byte record is received with an invalid padding compared to a zero-byte record with an invalid MAC. This can be used as the basis of a padding oracle attack to decrypt data.
Only TLS connections using certain ciphersuites executing under certain conditions are exploitable. Node are currently unable to determine whether the use of OpenSSL in Node.js exposes this vulnerability. They are taking a cautionary approach and recommending the same for users.
node to version 6.17.0, 8.15.1 or higher.