CVE-2025-23083

CVE-2025-23083

Name

CVE-2025-23083

Description

With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created. This is not limited only to workers but also exposes internal workers, where an instance of them can be fetched, and its constructor can be grabbed and reinstated for malicious usage. This vulnerability affects Permission Model users (--permission) on Node.js v20, v22, and v23.

NVD Severity

unknown

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
support@hackerone.com	https://nodejs.org/en/blog/vulnerability/january-2025-security-releases
af854a3a-2127-422b-91ae-364da2661108	https://security.netapp.com/advisory/ntap-20250228-0008/
af854a3a-2127-422b-91ae-364da2661108	https://www.vicarius.io/vsociety/posts/cve-2025-23083-detect-nodejs-vulnerability
af854a3a-2127-422b-91ae-364da2661108	https://www.vicarius.io/vsociety/posts/cve-2025-23083-mitigate-nodejs-vulnerability

Type

URI

support@hackerone.com

https://nodejs.org/en/blog/vulnerability/january-2025-security-releases

af854a3a-2127-422b-91ae-364da2661108

https://security.netapp.com/advisory/ntap-20250228-0008/

af854a3a-2127-422b-91ae-364da2661108

https://www.vicarius.io/vsociety/posts/cve-2025-23083-detect-nodejs-vulnerability

af854a3a-2127-422b-91ae-364da2661108

https://www.vicarius.io/vsociety/posts/cve-2025-23083-mitigate-nodejs-vulnerability

Source package	Min version	Max version
node	>= 0	<= 20.18.1
node	>= 0	<= 22.13.0
node	>= 0	<= 23.6.0

CPE URI

Source package

Min version

Max version

node

>= 0

<= 20.18.1

node

>= 0

<= 22.13.0

node

>= 0

<= 23.6.0

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
openjdk21	edge-community	21.0.7_p6-r0	Simon Frankenberger <simon-alpine@fraho.eu>	fixed
openjdk21	3.22-community	21.0.7_p6-r0	Simon Frankenberger <simon-alpine@fraho.eu>	fixed
openjdk21	3.21-community	21.0.7_p6-r0	Simon Frankenberger <simon-alpine@fraho.eu>	fixed
openjdk17	edge-community	17.0.15_p6-r0	Simon Frankenberger <simon-alpine@fraho.eu>	fixed
openjdk17	3.22-community	17.0.15_p6-r0	Simon Frankenberger <simon-alpine@fraho.eu>	fixed
openjdk17	3.21-community	17.0.15_p6-r0	Simon Frankenberger <simon-alpine@fraho.eu>	fixed
nodejs	edge-main	22.13.1-r0	Jakub Jirutka <jakub@jirutka.cz>	fixed
nodejs	3.22-main	22.13.1-r0	None	fixed
nodejs	3.21-main	22.13.1-r0	Jakub Jirutka <jakub@jirutka.cz>	fixed

Source package

Branch

Version

Maintainer

Status

openjdk21

edge-community

21.0.7_p6-r0

Simon Frankenberger <simon-alpine@fraho.eu>

fixed

openjdk21

3.22-community