CVE-2025-23083

HIGH

Node.js 20.x-20.18.1, 22.x-22.13.0, 23.x-23.6.0 - Permission Model Bypass via Worker Thread Hook

Description

With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created. This is not limited to workers but also exposes internal workers: an instance of one can be fetched, and its constructor can be grabbed and reinstated for malicious usage. This vulnerability affects Permission Model users (--permission) on Node.js v20, v22, and v23.

Scores

CVSS v3: 7.7
EPSS: 0.0010
EPSS Percentile: 28.0%
Attack Vector: LOCAL
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: total

Details

CWE: CWE-284
Status: published
Products (19)
NodeJS/Node 10.0 - 10.*
NodeJS/Node 11.0 - 11.*
NodeJS/Node 12.0 - 12.*
NodeJS/Node 13.0 - 13.*
NodeJS/Node 14.0 - 14.*
NodeJS/Node 15.0 - 15.*
NodeJS/Node 16.0 - 16.*
NodeJS/Node 17.0 - 17.*
NodeJS/Node 19.0 - 19.*
NodeJS/Node 20.0 - 20.18.2
... and 9 more
Published: Jan 22, 2025
Tracked Since: Feb 18, 2026