CVE-2025-23166

7.5

High

Published:19 May 2025

Last updated:17 Jun 2026

Source:support@hackerone.com

Deferred

Weakness (CWE)

CWE-248CWE-248

CVSS Vector

v3.0

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

View on MITRE Find PoC on GitHub

Description

The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentially allows an adversary to remotely crash a Node.js runtime.

References

support@hackerone.com

https://nodejs.org/en/blog/vulnerability/may-2025-security-releases