7.7
CVE-2025-23083
- EPSS 0.01%
- Published 22.01.2025 02:15:33
- Last modified 22.07.2025 16:15:26
- Source support@hackerone.com
- Teams watchlist Login
- Open Login
With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created. This is not limited only to workers but also exposes internal workers, where an instance of them can be fetched, and its constructor can be grabbed and reinstated for malicious usage. This vulnerability affects Permission Model users (--permission) on Node.js v20, v22, and v23.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
VendorNodeJS
≫
Product
Node
Default Statusunaffected
Version <
4.*
Version
4.0
Status
affected
Version <
5.*
Version
5.0
Status
affected
Version <
6.*
Version
6.0
Status
affected
Version <
7.*
Version
7.0
Status
affected
Version <
8.*
Version
8.0
Status
affected
Version <
9.*
Version
9.0
Status
affected
Version <
10.*
Version
10.0
Status
affected
Version <
11.*
Version
11.0
Status
affected
Version <
12.*
Version
12.0
Status
affected
Version <
13.*
Version
13.0
Status
affected
Version <
14.*
Version
14.0
Status
affected
Version <
15.*
Version
15.0
Status
affected
Version <
16.*
Version
16.0
Status
affected
Version <
17.*
Version
17.0
Status
affected
Version <
19.*
Version
19.0
Status
affected
Version <
20.18.2
Version
20.0
Status
affected
Version <
21.*
Version
21.0
Status
affected
Version <
22.13.1
Version
22.0
Status
affected
Version <
23.6.1
Version
23.0
Status
affected
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.01% | 0.009 |
| Source | Base Score | Exploit Score | Impact Score | Vector string |
|---|---|---|---|---|
| support@hackerone.com | 7.7 | 2.5 | 5.2 |
CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
|
CWE-284 Improper Access Control
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.