In short: A manual upgrade on the EC2 instance is not only risky, but ultimately futile!
As far as I know, in AWS Elastic Beanstalk, you should never manually update core runtime components (like Node.js or npm) by SSHing into the EC2 instances. Doing so creates "Configuration Drift," and your changes will be lost as soon as the environment scales, performs a health check replacement, or redeploys.
- Check the Platform Version: You are on 6.9.0, which is currently the latest for Node.js 22 on AL2023. AWS typically releases a new Platform Version once they have tested and bundled the patched runtime. You must wait for version 6.9.1 (or higher) to be released by AWS.
- The "tar" Vulnerability: If the vulnerability is in the tar package bundled with the Node.js runtime itself, it is an OS-level/Runtime dependency. If it is a dependency of your application, you must update your package-lock.json.
- Custom AMIs: If you cannot wait for the AWS patch, the only "official" way to override the platform's Node version is to create a Custom AMI. However, this is complex to maintain and usually overkill for a minor version patch.
-> https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/concepts.html
So, connecting via SSH to upgrade Node will NOT work permanently and may break the Elastic Beanstalk hooks. The standard procedure is to wait for the next Elastic Beanstalk Platform Update or, if the vulnerability is critical and immediate, use a Docker-based Elastic Beanstalk platform where you have full control over the Node.js version in your Dockerfile. If your security scanner requires an immediate fix before AWS releases an update, the only supported way is migrating to the Docker Platform, where you control the Node.js version in your Dockerfile.
-> https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/create_deploy_docker.html
Regarding your last question in your comment:
1. Official Release Notes: AWS maintains a dedicated page for Elastic Beanstalk Release Notes. This is where every platform version bump (e.g., from 6.9.0 to 6.9.1) is documented, including specific updates to the Node.js runtime, NPM, and the underlying AL2023 OS packages.
https://docs.aws.amazon.com/elasticbeanstalk/latest/relnotes/welcome.html
2. RSS Feed for Automation: If you want to be alerted the second a patch is live without manual checking, you can subscribe to the RSS feed. Many teams hook this into a Slack or Microsoft Teams channel via a webhook.
https://docs.aws.amazon.com/elasticbeanstalk/latest/relnotes/rss-feed/relnotes.rss
3. Managed Platform Updates & SNS: In your Elastic Beanstalk console, under Configuration > Updates and deployments, ensure Managed platform updates is enabled.
• You can configure an SNS Topic under the Notifications tab.
• AWS will send an automated email/alert as soon as a new platform version (containing your tar fix) is available and scheduled for your environment.
A Note on CVE-2026-23950
Since this is an OS-level/runtime dependency (tar), you are essentially waiting for the Amazon Linux 2023 repositories to be updated and then bundled into a new EB Platform version.
Tip: If your security policy (CNAPP) requires an immediate fix before AWS releases the next platform version, your only "supported" path is to migrate to the Docker-based Platform. In a Dockerfile, you can manually specify a patched base image (e.g., node:22-bookworm) and bypass the EB platform release cycle entirely.
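As an added illustration of the RSS-based alerting described in point 2 (example code, not from the answer's author or from AWS), the script below parses a release-notes feed and flags items that announce a platform version newer than the one you are running. The feed sample is constructed inline, and the assumption that item titles or descriptions carry the platform name and an x.y.z version string is mine; the real feed's wording may differ.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of an RSS 2.0 feed (assumed item wording;
# not a capture of the real Elastic Beanstalk release-notes feed).
SAMPLE_FEED = b"""<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"><channel>
<item><title>Platform update: Node.js 22 on AL2023 version 6.9.1</title>
<link>https://docs.aws.amazon.com/elasticbeanstalk/latest/relnotes/welcome.html</link>
<description>Node.js 22 running on 64bit Amazon Linux 2023 6.9.1 updates the bundled tar package.</description></item>
<item><title>Platform update: Python 3.12 on AL2023 version 4.5.0</title>
<link>https://docs.aws.amazon.com/elasticbeanstalk/latest/relnotes/welcome.html</link>
<description>Python 3.12 running on 64bit Amazon Linux 2023 4.5.0</description></item>
<item><title>Platform update: Node.js 22 on AL2023 version 6.9.0</title>
<link>https://docs.aws.amazon.com/elasticbeanstalk/latest/relnotes/welcome.html</link>
<description>Node.js 22 running on 64bit Amazon Linux 2023 6.9.0</description></item>
</channel></rss>"""

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return the first x.y.z version found in text as an int tuple, else None."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def newer_platform_items(feed_xml, platform_label, current_version):
    """Return [(version_str, title, link)] for items that mention platform_label
    and carry a platform version strictly newer than current_version, newest first."""
    current = parse_version(current_version)
    hits = []
    for item in ET.fromstring(feed_xml).iter("item"):
        title = item.findtext("title", default="")
        desc = item.findtext("description", default="")
        # Only items for our platform (e.g. "Node.js 22") are of interest.
        if platform_label.lower() not in (title + " " + desc).lower():
            continue
        ver = parse_version(title) or parse_version(desc)
        if ver and ver > current:  # tuple comparison handles 6.10.0 > 6.9.1 correctly
            hits.append((ver, title, item.findtext("link", default="")))
    hits.sort(reverse=True)
    return [(".".join(map(str, v)), t, l) for v, t, l in hits]


if __name__ == "__main__":
    # In practice, fetch the live feed (e.g. with urllib) and pass its bytes here.
    for version, title, link in newer_platform_items(SAMPLE_FEED, "Node.js 22", "6.9.0"):
        print(f"New platform version {version}: {title} ({link})")
```

In a scheduled job, an empty result means no newer platform exists yet; a non-empty result is the moment to trigger a managed platform update or post to the team channel.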

Thanks for the quick follow-up and it makes sense. Do you know if there's an official channel to know when the official elasticbeanstalk platform will be released and what it contains as changes?