PT-2025-4813 · Node.Js+8 · Node.Js+8

Leodog896

·

Published

2025-01-21

·

Updated

2025-12-08

·

CVE-2025-23083

CVSS v3.1

7.7

High

VectorAV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions Node.js versions v20, v22, and v23
Description The diagnostics channel utility allows an event to be hooked into whenever a worker thread is created, exposing not only workers but also internal workers. This enables malicious actors to fetch instances of these workers, access their constructors, and potentially reinstate them for malicious purposes. The issue affects Permission Model users (--permission) and can be used to expose sensitive data and resources.
Recommendations For Node.js versions v20, v22, and v23, consider disabling the diagnostics channel utility as a temporary workaround to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Improper Access Control

Weakness Enumeration

CWE-284

Related Identifiers

ALSA-2025:1351
ALSA-2025:1443
ALSA-2025:1611
ALSA-2025:1613
ALT-PU-2025-1865
AZL-55922
BDU:2025-03339
BIT-NODE-2025-23083
BIT-NODE-MIN-2025-23083
CESA-2025_1351
CESA-2025_1611
CVE-2025-23083
ECHO-0AFB-21F8-9413
INFSA-2025_1351
INFSA-2025_1443
INFSA-2025_1611
INFSA-2025_1613
MGASA-2025-0041
OESA-2025-1234
OESA-2025-1235
OPENSUSE-SU-2025:14706-1
OPENSUSE-SU-2025:15802-1
OPENSUSE-SU-2025_0232-1
OPENSUSE-SU-2025_0237-1
OPENSUSE-SU-2025_0284-1
RHSA-2025:1351
RHSA-2025:1443
RHSA-2025:1522
RHSA-2025:1611
RHSA-2025:1613
RHSA-2025_1351
RHSA-2025_1443
RHSA-2025_1611
RHSA-2025_1613
RLSA-2025:1351
RLSA-2025:1443
RLSA-2025:1611
RLSA-2025:1613
SUSE-SU-2025:0232-1
SUSE-SU-2025:0237-1
SUSE-SU-2025:0284-1
SUSE-SU-2025_0232-1
SUSE-SU-2025_0237-1
SUSE-SU-2025_0284-1

Affected Products

Alt Linux
Almalinux
Centos
Debian
Node.Js
Red Hat
Red Os
Rocky Linux
Suse