CVE-2025-23083

Authorization Bypass
Affects
Node.js
4.0 < 20.18.2, 22 < 22.13.1
in
Node.js
No items found.
Exclamation circle icon
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs

Overview

Node.js is a JavaScript runtime built on Chrome's V8 JavaScript engine. It offers an event-driven, non-blocking I/O model that makes it lightweight and efficient, and is widely used in web applications and server-side development.

An Improper Access Control vulnerability has been identified in Node.js. The issue stems from the diagnostics_channel utility, which allows event hooking into worker thread creation. This weakness allows attackers to exploit internal workers for malicious usage.

This vulnerability affects specific versions of the package and can result in unauthorized access. Details on affected versions and reproduction steps are provided below.

Details

Module Info


Affected packages: Node.js

Affected versions: 4.0 < 20.18.2, 22 < 22.13.1

GitHub repository: https://github.com/nodejs/node

Published packages: https://github.com/nodejs/node/releases

Package manager: npm

Fixed in: NES for Node.js version v16, v18

Vulnerability Info

The issue stems from improper access control in the diagnostics_channel utility.

For instance, in a scenario where a worker thread is created, if an attacker hooks into this event, they can fetch the internal worker instance and exploit it. This behavior can be exploited by attackers to execute arbitrary code.

This vulnerability is a result of flawed logic, and may allow attackers to escalate privileges.


- https://nodejs.org/en/blog/vulnerability/january-2025-security-releases

- https://owasp.org/Top10/A01_2021-Broken_Access_Control/

Credits


- leodog896

Mitigation

This vulnerability is not fixed upstream due to the release line being EOL. Herodevs has issued patched builds under the NES (Never Ending Support) line.


- Update to a patched LTS version

- Leverage a commercial support partner like HeroDevs for post-EOL security.

Refer to the NES documentation for upgrade instructions.

Vulnerability Details
ID
CVE-2025-23083
PROJECT Affected
Node.js
Versions Affected
4.0 < 20.18.2, 22 < 22.13.1
Published date
January 22, 2025
≈ Fix date
March 27, 2025
Fixed in
Severity
High
Category
Authorization Bypass
Sign up for the latest vulnerability alerts fixed in
Node.js NES
Rss feed icon
Subscribe via RSS
or
Thanks for signing up for our Newsletter! We look forward to connecting with you.
Oops! Something went wrong while submitting the form.