CVE-2025-23166

CVSS v2.0

7.8

High

Vector

AV:N/AC:L/Au:N/C:N/I:N/A:C

Name of the Vulnerable Software and Affected Versions Node.js versions 20.x through 24.x

Description Node.js is susceptible to a remote crash issue due to a flaw in the SignTraits::DeriveBits() function. This flaw can be triggered by malformed crypto input in background threads, leading to a denial-of-service condition. The issue arises from an incorrect call to ThrowException() based on user-supplied inputs. Approximately 17 million systems are potentially affected.

Recommendations Update Node.js to the latest version to address this issue.

Fix

DoS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-248

Related Identifiers

ALSA-2025:8467

ALSA-2025:8468

ALSA-2025:8493

ALSA-2025:8506

ALSA-2025:8514

AZL-61919

AZL-65066

BDU:2025-10620

BIT-NODE-2025-23166

BIT-NODE-MIN-2025-23166

CESA-2025_8506

CESA-2025_8514

CVE-2025-23166

ECHO-37C8-1BFA-4CD1

INFSA-2025_8467

INFSA-2025_8468

INFSA-2025_8506

INFSA-2025_8514

MGASA-2025-0161

OESA-2025-1533

OESA-2025-1534

OPENSUSE-SU-2025:15250-1

OPENSUSE-SU-2025:15802-1

RHSA-2025:8467

RHSA-2025:8468

RHSA-2025:8493

RHSA-2025:8506

RHSA-2025:8514

RHSA-2025:8902

RHSA-2025_8467

RHSA-2025_8468

RHSA-2025_8506

RHSA-2025_8514

SUSE-SU-2025:01878-1

SUSE-SU-2025:01879-1

SUSE-SU-2025:02039-1

SUSE-SU-2025:02045-1

SUSE-SU-2025_02039-1

SUSE-SU-2025_02045-1

Affected Products

Almalinux

Astra Linux

Centos

Debian

Node.Js

Red Hat

Red Os

Rocky Linux

Suse

CVE-2025-23166

Weakness Enumeration

Related Identifiers

Affected Products

References · 101