CVE-2025-23166

High CVSS: 7.5

The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentially allows an adversary to remotely crash a Node.js runtime.

Vendor

Product

CWE

CWE-248

Yayın Tarihi

2025-05-19 02:15:17

Güncelleme

2025-05-19 15:15:23

Source Identifier

support@hackerone.com

KEV Date Added

Kategoriler

CWE-248 HIGH 2025

Referanslar

https://nodejs.org/en/blog/vulnerability/may-2025-security-releases