CVE-2025-23166
Severity | High |
Remote | Yes |
Type | Denial of service |
Description | Improper error handling in async cryptographic operations crashes process. The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentially allows an adversary to remotely crash a Node.js runtime. |

Group | Package | Affected | Fixed | Severity | Status | Ticket |
---|---|---|---|---|---|---|
AVG-2873 | nodejs-lts-iron | 20.19.1-1 | 20.19.2-1 | High | Fixed | |
AVG-2872 | nodejs-lts-jod | 22.14.0-2 | 22.15.1-1 | High | Fixed | |
AVG-2871 | nodejs | 23.9.0-1 | 23.11.1-1 | High | Fixed | |

Date | Advisory | Group | Package | Severity | Type |
---|---|---|---|---|---|
18 May 2025 | ASA-202505-8 | AVG-2873 | nodejs-lts-iron | High | multiple issues |
18 May 2025 | ASA-202505-7 | AVG-2872 | nodejs-lts-jod | High | denial of service |
18 May 2025 | ASA-202505-6 | AVG-2871 | nodejs | High | denial of service |

References |
---|
https://nodejs.org/en/blog/vulnerability/may-2025-security-releases#improper-error-handling-in-async-cryptographic-operations-crashes-process-cve-2025-23166---high |

Notes |
---|
This vulnerability affects all users in active release lines: 20.x, 22.x, 23.x, 24.x |