Severity: 7.7 HIGH
EPSS: 0.1% (top 71.49%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Jan 22
Latest update: Apr 15

Description

With the aid of the diagnostics_channel utility, an event can be hooked whenever a worker thread is created. This is not limited to user-created workers: it also exposes Node's internal workers, whose instances can be fetched and whose constructor can be retrieved and reinstantiated for malicious use. This vulnerability affects Permission Model users (--permission) on Node.js v20, v22, and v23.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Exploitability: 2.5 | Impact: 5.2

Affected Packages (3 packages)

Source | Package | Affected versions | More
CVEListV5 | nodejs/node | 4.0, 4.* | +18 more
Alpine | nodejs | < 22.13.1-r0 | +2 more
Debian | nodejs | < 20.18.2+dfsg-1 | +1 more

Vulnerability Details (4)

CVEList: CVE-2025-23083: With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created (2025-01-22)
OSV: CVE-2025-23083: With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created (2025-01-22)
OSV: CVE-2025-23083: With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created (2025-01-22)
GHSA: GHSA-wv7p-rjf3-9fr5: With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created (2025-01-22)

Vendor Advisories (3)

Oracle: Oracle Java SE Risk Matrix: Node (Node.js) — CVE-2025-23083 (2025-04-15)
Red Hat: nodejs: Node.js Worker Thread Exposure via Diagnostics Channel (2025-01-22)
Debian: CVE-2025-23083: nodejs - With the aid of the diagnostics_channel utility, an event can be hooked into whe... (2025)
CVE-2025-23083 (HIGH CVSS 7.7) | With the aid of the diagnostics_cha | cvebase.io