exploitDog

CVE-2025-23166

Published: May 19, 2025
Source: debian
EPSS: Low

Description

The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentially allows an adversary to remotely crash a Node.js runtime.

Packages

| Package | Status | Fix version | Release | Type |
|---|---|---|---|---|
| nodejs | fixed | 20.19.2+dfsg-1 | | package |
| nodejs | not-affected | | bullseye | package |

Notes

  • https://nodejs.org/en/blog/vulnerability/may-2025-security-releases#improper-error-handling-in-async-cryptographic-operations-crashes-process-cve-2025-23166---high

  • Introduced by: https://github.com/nodejs/node/commit/e60841b598ed5246c8dfc24a779c6b1b732d4f87 (v16.14.0)

  • Fixed by: https://github.com/nodejs/node/commit/6c57465920cf1b981a63031e71b1e4a73bf9beaa (v20.19.2)

EPSS

Percentile: 25%
0.00081
Low

Related vulnerabilities

CVSS3: 7.5
ubuntu
about 1 month ago

CVSS3: 7.5
redhat
about 1 month ago

CVSS3: 7.5
nvd
about 1 month ago

CVSS3: 7.5
github
about 1 month ago

oracle-oval
8 days ago

ELSA-2025-8514: nodejs:20 security update (IMPORTANT)
