CVE-2025-23166 - log back

CVE-2025-23166 edited at 18 May 2025 20:09:07
Notes
+ This vulnerability affects all users in active release lines: 20.x, 22.x, 23.x, 24.x
CVE-2025-23166 created at 18 May 2025 20:08:53
Severity
+ High
Remote
+ Remote
Type
+ Denial of service
Description
+ Improper error handling in async cryptographic operations crashes process.
+
+ The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentially allows an adversary to remotely crash a Node.js runtime.
References
+ https://nodejs.org/en/blog/vulnerability/may-2025-security-releases#improper-error-handling-in-async-cryptographic-operations-crashes-process-cve-2025-23166---high