CVE-2025-23083
NONE EPSS 33.1%
Published Jan 22, 20251y ago · Modified Jun 17, 20261w ago
Published Jan 22, 2025 1y ago
Last Modified Jun 17, 2026 1w ago
Description
With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created. This is not limited only to workers but also exposes internal workers, where an instance of them can be fetched, and its constructor can be grabbed and reinstated for malicious usage. This vulnerability affects Permission Model users (--permission) on Node.js v20, v22, and v23.
Threat Intelligence
EPSS Exploit Probability
33.1% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available
Weaknesses 1
CWE-284
References 4
- nodejs.org https://nodejs.org/en/blog/vulnerability/january-2025-security-releases
- security.netapp.com https://security.netapp.com/advisory/ntap-20250228-0008/
- vicarius.io https://www.vicarius.io/vsociety/posts/cve-2025-23083-detect-nodejs-vulnerability
- vicarius.io https://www.vicarius.io/vsociety/posts/cve-2025-23083-mitigate-nodejs-vulnerability
Remediation
No remediation data recorded yet
Check vendor advisories and the NVD entry for patch availability.