CVE-2025-23083

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-23083

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-23083.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-23083

Aliases

Related

Published

2025-01-22T02:15:33Z

Modified

2025-02-28T14:45:29.990716Z

Summary

[none]

Details

With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created. This is not limited only to workers but also exposes internal workers, where an instance of them can be fetched, and its constructor can be grabbed and reinstated for malicious usage.

This vulnerability affects Permission Model users (--permission) on Node.js v20, v22, and v23.

References

Affected packages

Alpine:v3.21 / nodejs

Package

Name: nodejs
Purl: pkg:apk/alpine/nodejs?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

22.13.1-r0

Affected versions

22.*

22.11.0-r0

22.11.0-r1

Debian:12 / nodejs

Package

Name: nodejs
Purl: pkg:deb/debian/nodejs?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

18.*

18.13.0+dfsg1-1

18.13.0+dfsg1-1.1

18.19.0+dfsg-1

18.19.0+dfsg-2

18.19.0+dfsg-3

18.19.0+dfsg-4

18.19.0+dfsg-5

18.19.0+dfsg-6~deb12u1

18.19.0+dfsg-6~deb12u2

18.19.0+dfsg-6

18.19.1+dfsg-1

18.19.1+dfsg-2

18.19.1+dfsg-3

18.19.1+dfsg-3.1

18.19.1+dfsg-4

18.19.1+dfsg-6

18.20.1+dfsg-1

18.20.1+dfsg-2

18.20.1+dfsg-3

18.20.1+dfsg-4

20.*

20.10.0+dfsg-1

20.12.2+dfsg-1

20.13.0+dfsg-1

20.13.1+dfsg-1

20.13.1+dfsg-2

20.14.0+dfsg-1

20.14.0+dfsg-2

20.14.0+dfsg-3

20.15.0+dfsg-1

20.15.1+dfsg-1

20.16.0+dfsg-1

20.17.0+dfsg-1

20.17.0+dfsg-2

20.18.0+dfsg-1

20.18.0+dfsg-2

20.18.1+dfsg-1

20.18.1+dfsg-2

20.18.2+dfsg-1

20.18.2+dfsg-2

20.18.2+dfsg-3

20.18.2+dfsg-4

20.18.3+dfsg-1

22.*

22.12.0+dfsg-1

22.12.0+dfsg-2

22.12.0+dfsg-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / nodejs

Package

Name: nodejs
Purl: pkg:deb/debian/nodejs?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

20.18.2+dfsg-1

Affected versions

18.*

18.13.0+dfsg1-1

18.13.0+dfsg1-1.1

18.19.0+dfsg-1

18.19.0+dfsg-2

18.19.0+dfsg-3

18.19.0+dfsg-4

18.19.0+dfsg-5

18.19.0+dfsg-6~deb12u1

18.19.0+dfsg-6~deb12u2

18.19.0+dfsg-6

18.19.1+dfsg-1

18.19.1+dfsg-2

18.19.1+dfsg-3

18.19.1+dfsg-3.1

18.19.1+dfsg-4

18.19.1+dfsg-6

18.20.1+dfsg-1

18.20.1+dfsg-2

18.20.1+dfsg-3

18.20.1+dfsg-4

20.*

20.10.0+dfsg-1

20.12.2+dfsg-1

20.13.0+dfsg-1

20.13.1+dfsg-1

20.13.1+dfsg-2

20.14.0+dfsg-1

20.14.0+dfsg-2

20.14.0+dfsg-3

20.15.0+dfsg-1

20.15.1+dfsg-1

20.16.0+dfsg-1

20.17.0+dfsg-1

20.17.0+dfsg-2

20.18.0+dfsg-1

20.18.0+dfsg-2

20.18.1+dfsg-1

20.18.1+dfsg-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}