CVE-2025-23083

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-23083
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-23083.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-23083
Aliases
Related
Published
2025-01-22T02:15:33Z
Modified
2025-02-28T15:00:50.236274Z
Downstream
Summary
[none]
Details

With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created. This is not limited only to workers but also exposes internal workers, where an instance of them can be fetched, and its constructor can be grabbed and reinstated for malicious usage.

This vulnerability affects Permission Model users (--permission) on Node.js v20, v22, and v23.

References

Affected packages

Alpine:v3.21 / nodejs

Package

Name
nodejs
Purl
pkg:apk/alpine/nodejs?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
22.13.1-r0

Affected versions

22.*

22.11.0-r0
22.11.0-r1

Debian:12 / nodejs

Package

Name
nodejs
Purl
pkg:deb/debian/nodejs?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

18.*

18.13.0+dfsg1-1
18.13.0+dfsg1-1.1
18.19.0+dfsg-1
18.19.0+dfsg-2
18.19.0+dfsg-3
18.19.0+dfsg-4
18.19.0+dfsg-5
18.19.0+dfsg-6~deb12u1
18.19.0+dfsg-6~deb12u2
18.19.0+dfsg-6
18.19.1+dfsg-1
18.19.1+dfsg-2
18.19.1+dfsg-3
18.19.1+dfsg-3.1
18.19.1+dfsg-4
18.19.1+dfsg-6
18.20.1+dfsg-1
18.20.1+dfsg-2
18.20.1+dfsg-3
18.20.1+dfsg-4

20.*

20.10.0+dfsg-1
20.12.2+dfsg-1
20.13.0+dfsg-1
20.13.1+dfsg-1
20.13.1+dfsg-2
20.14.0+dfsg-1
20.14.0+dfsg-2
20.14.0+dfsg-3
20.15.0+dfsg-1
20.15.1+dfsg-1
20.16.0+dfsg-1
20.17.0+dfsg-1
20.17.0+dfsg-2
20.18.0+dfsg-1
20.18.0+dfsg-2
20.18.1+dfsg-1
20.18.1+dfsg-2
20.18.2+dfsg-1
20.18.2+dfsg-2
20.18.2+dfsg-3
20.18.2+dfsg-4
20.18.3+dfsg-1

22.*

22.12.0+dfsg-1
22.12.0+dfsg-2
22.12.0+dfsg-3

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:13 / nodejs

Package

Name
nodejs
Purl
pkg:deb/debian/nodejs?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
20.18.2+dfsg-1

Affected versions

18.*

18.13.0+dfsg1-1
18.13.0+dfsg1-1.1
18.19.0+dfsg-1
18.19.0+dfsg-2
18.19.0+dfsg-3
18.19.0+dfsg-4
18.19.0+dfsg-5
18.19.0+dfsg-6~deb12u1
18.19.0+dfsg-6~deb12u2
18.19.0+dfsg-6
18.19.1+dfsg-1
18.19.1+dfsg-2
18.19.1+dfsg-3
18.19.1+dfsg-3.1
18.19.1+dfsg-4
18.19.1+dfsg-6
18.20.1+dfsg-1
18.20.1+dfsg-2
18.20.1+dfsg-3
18.20.1+dfsg-4

20.*

20.10.0+dfsg-1
20.12.2+dfsg-1
20.13.0+dfsg-1
20.13.1+dfsg-1
20.13.1+dfsg-2
20.14.0+dfsg-1
20.14.0+dfsg-2
20.14.0+dfsg-3
20.15.0+dfsg-1
20.15.1+dfsg-1
20.16.0+dfsg-1
20.17.0+dfsg-1
20.17.0+dfsg-2
20.18.0+dfsg-1
20.18.0+dfsg-2
20.18.1+dfsg-1
20.18.1+dfsg-2

Ecosystem specific 

{
    "urgency": "not yet assigned"
}