CVE-2025-23166

Published: 19 May 2025
Source: debian
EPSS: Low

Description

The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentially allows an adversary to remotely crash a Node.js runtime.

Packages

| Package | Status | Fix version | Release | Type |
|---|---|---|---|---|
| nodejs | fixed | 20.19.2+dfsg-1 | | package |
| nodejs | not-affected | | bullseye | package |

Notes

  • https://nodejs.org/en/blog/vulnerability/may-2025-security-releases#improper-error-handling-in-async-cryptographic-operations-crashes-process-cve-2025-23166---high

  • Introduced by: https://github.com/nodejs/node/commit/e60841b598ed5246c8dfc24a779c6b1b732d4f87 (v16.14.0)

  • Fixed by: https://github.com/nodejs/node/commit/6c57465920cf1b981a63031e71b1e4a73bf9beaa (v20.19.2)

EPSS

Percentile: 27%
0.00092
Low

Related vulnerabilities

CVSS3: 7.5
ubuntu
3 months ago

The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentially allows an adversary to remotely crash a Node.js runtime.

CVSS3: 7.5
redhat
3 months ago

The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentially allows an adversary to remotely crash a Node.js runtime.

CVSS3: 7.5
nvd
3 months ago

The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentially allows an adversary to remotely crash a Node.js runtime.

CVSS3: 7.5
msrc
20 days ago

No description available

CVSS3: 7.5
github
3 months ago

The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentially allows an adversary to remotely crash a Node.js runtime.
