CVE-2025-23090

Name of the Vulnerable Software and Affected Versions Node.js versions 20, 22, and 23

Description The issue allows attackers to misuse the diagnostics channel utility, accessing internal worker threads for malicious purposes. This is not limited to workers but also exposes internal workers, where an instance of them can be fetched, and its constructor can be grabbed and reinstated for malicious usage. This affects Permission Model users (--permission).

Recommendations For Node.js versions 20, 22, and 23, consider disabling the diagnostics channel utility as a temporary workaround until a patch is available. Restrict access to internal worker threads to minimize the risk of exploitation. Avoid using the diagnostics channel utility for malicious purposes until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.