CVE-2025-23166

Cryptographic Weakness
Affects: Node.js
Versions: 4.0 < 20.19.1, 22 < 22.15.0, 24 < 24.0.1
Patch Available

This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Node.js is a JavaScript runtime built on Chrome's V8 JavaScript engine. It offers an event-driven, non-blocking I/O model that makes it lightweight and efficient, and is widely used in server-side applications.

The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentially allows an adversary to remotely crash a Node.js runtime.

This vulnerability affects specific versions of the package and can result in denial of service. Affected versions and mitigation guidance are listed below.

Details

Module Info

  • Affected packages: Node.js
  • Affected versions: 4.0 < 20.19.1, 22 < 22.15.0, 24 < 24.0.1
  • GitHub repository: https://github.com/nodejs/node
  • Published packages: https://github.com/nodejs/node/releases
  • Package manager: npm
  • Fixed in: Node.js NES versions 16 and 18
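As an added check (example code, not from the HeroDevs advisory or the Node.js project), the script below tests a Node.js version string against the affected ranges listed above. The range list is transcribed from this page exactly as written, and the `v`-prefixed input format is assumed to match `process.version`.

```javascript
// Added example: checks a Node.js version against the CVE-2025-23166 affected ranges.
// Ranges transcribed from the advisory: 4.0 < 20.19.1, 22 < 22.15.0, 24 < 24.0.1
// (lower bound inclusive, upper bound exclusive, exactly as listed on the page).
const AFFECTED_RANGES = [
  { from: [4, 0, 0], before: [20, 19, 1] },
  { from: [22, 0, 0], before: [22, 15, 0] },
  { from: [24, 0, 0], before: [24, 0, 1] },
];

// Parse "v22.14.0" or "22.14.0" into [major, minor, patch]; throws on malformed input
// so a garbled version string is never silently reported as "not affected".
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`unrecognised Node.js version: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic comparison of two [major, minor, patch] triples: returns -1, 0 or 1
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the version falls inside any of the advisory's affected ranges
function isAffectedByCve202523166(version) {
  const v = parseVersion(version);
  return AFFECTED_RANGES.some(
    (r) => compareVersions(v, r.from) >= 0 && compareVersions(v, r.before) < 0,
  );
}

// Report on the runtime this script is executed with (assumes Node.js, where
// process.version is of the form "v<major>.<minor>.<patch>")
function checkCurrentRuntime() {
  const version = process.version;
  return { version, affected: isAffectedByCve202523166(version) };
}

const report = checkCurrentRuntime();
console.log(
  `${report.version}: ${report.affected ? 'AFFECTED - update or apply a patched NES build' : 'not in the affected ranges'}`,
);
```

Note that the ranges are applied literally as the advisory lists them; a version outside all three ranges is reported as not affected by this page's data, not as verified safe.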

Mitigation

This vulnerability is not fixed upstream for release lines that are end-of-life (EOL). HeroDevs has issued patched builds under the NES (Never-Ending Support) line.

- Update to an LTS version of Node.js that is outside the affected ranges above.

- Engage a commercial support partner such as HeroDevs for post-EOL security fixes.

Refer to the NES Documentation for upgrade instructions.

Credits

- panva & tniessen

Vulnerability Details

  • ID: CVE-2025-23166
  • Project affected: Node.js
  • Versions affected: 4.0 < 20.19.1, 22 < 22.15.0, 24 < 24.0.1
  • Published date: May 14, 2025
  • Fix date (approximate): May 18, 2025
  • Severity: High
  • Category: Cryptographic Weakness

CVSS assessment scale used for the severity level: Low (>=0 <4), Medium (>=4 <6), High (>=6 <8), Critical (>=8 <10).