CVE-2025-23166

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-23166

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-23166.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-23166

Aliases

Downstream

ALPINE-CVE-2025-23166

BELL-CVE-2025-23166

DEBIAN-CVE-2025-23166

ECHO-37c8-1bfa-4cd1

MINI-2prp-x8rh-8mp7

MINI-3vg7-jpx8-vxc8

MINI-9mpm-m2v9-52c3

MINI-v75q-79p7-9qw6

MINI-v8rv-8mgh-626r

OESA-2025-1533

OESA-2025-1534

RHSA-2025:8467

RHSA-2025:8468

RHSA-2025:8493

RHSA-2025:8506

RHSA-2025:8514

RHSA-2025:8902

RLSA-2025:8467

RLSA-2025:8468

RLSA-2025:8493

RLSA-2025:8506

RLSA-2025:8514

ROOT-OS-DEBIAN-12-CVE-2025-23166

SUSE-SU-2025:01878-1

SUSE-SU-2025:01879-1

SUSE-SU-2025:02039-1

SUSE-SU-2025:02045-1

UBUNTU-CVE-2025-23166

openSUSE-SU-2025:15250-1

openSUSE-SU-2025:15802-1

Related

Published

2025-05-19T02:15:17Z

Modified

2026-03-23T05:02:23.246674916Z

Summary

[none]

Details

The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentially allows an adversary to remotely crash a Node.js runtime.

References

https://nodejs.org/en/blog/vulnerability/may-2025-security-releases

Affected packages