AZL-55922

See a problem?

Import Source

https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-55922.json

JSON Data

https://api.osv.dev/v1/vulns/AZL-55922

Upstream

CVE-2025-23083

Published

2025-01-22T02:15:33Z

Modified

2026-04-21T04:36:01.773069Z

Summary

CVE-2025-23083 affecting package nodejs for versions less than 20.14.0-4

Details

With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created. This is not limited only to workers but also exposes internal workers, where an instance of them can be fetched, and its constructor can be grabbed and reinstated for malicious usage.

This vulnerability affects Permission Model users (--permission) on Node.js v20, v22, and v23.

References

https://nvd.nist.gov/vuln/detail/CVE-2025-23083

Affected packages

Azure Linux:3 / nodejs

Package

Name: nodejs
Purl: pkg:rpm/azure-linux/nodejs

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

20.14.0-4

Database specific

source

"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-55922.json"