7.5

CVE-2025-23166

The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentially allows an adversary to remotely crash a Node.js runtime.

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
This information is available to logged-in users.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
Vendornodejs
Product node
Default Statusunaffected
Version < 4.*
Version 4.0
Status affected
Version < 5.*
Version 5.0
Status affected
Version < 6.*
Version 6.0
Status affected
Version < 7.*
Version 7.0
Status affected
Version < 8.*
Version 8.0
Status affected
Version < 9.*
Version 9.0
Status affected
Version < 10.*
Version 10.0
Status affected
Version < 11.*
Version 11.0
Status affected
Version < 12.*
Version 12.0
Status affected
Version < 13.*
Version 13.0
Status affected
Version < 14.*
Version 14.0
Status affected
Version < 15.*
Version 15.0
Status affected
Version < 16.*
Version 16.0
Status affected
Version < 17.*
Version 17.0
Status affected
Version < 18.*
Version 18.0
Status affected
Version < 19.*
Version 19.0
Status affected
Version <= 20.19.1
Version 20.0
Status affected
Version <= 22.15.0
Version 22.0
Status affected
Version <= 23.11.0
Version 23.0
Status affected
Version <= 24.0.1
Version 24.0
Status affected
Version < 21.*
Version 21.0
Status affected
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 0.12% 0.316
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
support@hackerone.com 7.5 3.9 3.6
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-248 Uncaught Exception

An exception is thrown from a function, but it is not caught.