CVE-2025-23083

Published: Jan 22, 2025Modified: Jul 22, 2025

7.7

Vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Exploitability: 2.5 / Impact: 5.2

Source: support@hackerone.com (Secondary)

Description

With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created. This is not limited only to workers but also exposes internal workers, where an instance of them can be fetched, and its constructor can be grabbed and reinstated for malicious usage. This vulnerability affects Permission Model users (--permission) on Node.js v20, v22, and v23.

Related CWEs

CWE-284

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

References (4)

https://nodejs.org/en/blog/vulnerability/january-2025-security-releases

Source: support@hackerone.com

https://security.netapp.com/advisory/ntap-20250228-0008/

Source: af854a3a-2127-422b-91ae-364da2661108

https://www.vicarius.io/vsociety/posts/cve-2025-23083-detect-nodejs-vulnerability

Source: af854a3a-2127-422b-91ae-364da2661108

https://www.vicarius.io/vsociety/posts/cve-2025-23083-mitigate-nodejs-vulnerability

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.