CVE-2025-23083

NONE EPSS 33.1%
Published Jan 22, 20251y ago · Modified Jun 17, 20261w ago
Find Similar
Published Jan 22, 2025 1y ago
Last Modified Jun 17, 2026 1w ago

Description

With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created. This is not limited only to workers but also exposes internal workers, where an instance of them can be fetched, and its constructor can be grabbed and reinstated for malicious usage. This vulnerability affects Permission Model users (--permission) on Node.js v20, v22, and v23.

Threat Intelligence

EPSS Exploit Probability
33.1% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-284

References 4

  • nodejs.org https://nodejs.org/en/blog/vulnerability/january-2025-security-releases
  • security.netapp.com https://security.netapp.com/advisory/ntap-20250228-0008/
  • vicarius.io https://www.vicarius.io/vsociety/posts/cve-2025-23083-detect-nodejs-vulnerability
  • vicarius.io https://www.vicarius.io/vsociety/posts/cve-2025-23083-mitigate-nodejs-vulnerability

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.