The Node.js project disclosed **CVE-2025-23166**, a high-severity vulnerability in its core cryptographic operations that enables remote attackers to crash Node.js processes, leading to **widespread denial-of-service (DoS) outages**. The flaw stems from improper error handling in `SignTraits::DeriveBits()`, allowing adversaries to exploit untrusted inputs in asynchronous cryptographic functions, which are critical for authentication, data protection, and secure communications. Exploitation disrupts business operations, halts mission-critical services, and risks cascading failures across internet-exposed applications.

All active Node.js release lines (20.x, 22.x, 23.x, 24.x) and EOL versions are affected, with unpatched systems remaining perpetually vulnerable. The advisory warns of **immediate service disruptions**, threatening operational continuity for millions of users reliant on Node.js-based platforms. While patches (20.19.2, 22.15.1, 23.11.1, 24.0.2) are available, delayed updates expose organizations to **remote crashes, financial losses from downtime, and reputational damage** due to unreliable services. The vulnerability's severity is amplified by Node.js's foundational role in web infrastructure, making it a prime target for malicious actors seeking large-scale disruption.
Source: https://cybersecuritynews.com/node-js-vulnerability-allows-attackers/
OpenJS Foundation cybersecurity rating report: https://www.rankiteo.com/company/openjs-foundation
{
"id": "OPE4083640112625",
"linkid": "openjs-foundation",
"type": "Vulnerability",
"date": "5/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'customers_affected': 'Millions of users (indirectly '
'via dependent applications)',
'industry': 'Technology/Software Development',
'location': 'Global',
'name': 'Node.js Project',
'type': ['Open-Source Software',
'Runtime Environment']}],
'attack_vector': ['Remote', 'Network-based'],
'customer_advisories': ['Users of Node.js-dependent services may experience '
'disruptions if providers fail to patch',
'No direct customer data breach, but indirect impact '
'via service outages'],
'description': 'The Node.js project disclosed a high-severity vulnerability '
'(CVE-2025-23166) in asynchronous cryptographic operations, '
'enabling remote attackers to crash Node.js processes. The '
'flaw stems from improper error handling in the C++ method '
'`SignTraits::DeriveBits()`, which may incorrectly call '
'`ThrowException()` based on user-supplied inputs in a '
'background thread. Exploitation can lead to immediate service '
'outages, disrupting business operations and impacting '
'millions of users. The vulnerability affects all active '
'Node.js release lines (20.x, 22.x, 23.x, 24.x) and EOL '
'versions. Urgent patching is required to mitigate remote '
'denial-of-service risks.',
'impact': {'brand_reputation_impact': ['Potential erosion of trust due to '
'service instability'],
'downtime': ['Immediate service outages',
'Potential widespread disruptions'],
'operational_impact': ['Business operation disruptions',
'Loss of uptime/reliability in production '
'environments'],
'systems_affected': ['Node.js applications exposed to the internet',
'Services relying on cryptographic operations '
'(authentication, data protection, secure '
'communications)']},
'initial_access_broker': {'entry_point': ['Cryptographic operations handling '
'untrusted input'],
'high_value_targets': ['Internet-exposed Node.js '
'applications',
'Services relying on '
'authentication/secure '
'communications']},
'investigation_status': 'Ongoing (patches released, further analysis likely)',
'lessons_learned': ['Critical importance of patching cryptographic '
'vulnerabilities in foundational software',
'Risks of untrusted input handling in asynchronous '
'operations',
'Need for proactive subscription to security advisories '
'(e.g., Node.js-sec mailing list)'],
'motivation': ['Disruption of Services',
'Potential Exploitation for Further Attacks'],
'post_incident_analysis': {'corrective_actions': ['Patched error-handling '
'logic in cryptographic '
'operations',
'Enhanced input validation '
'for untrusted data',
'Security hardening in '
'background thread '
'operations'],
'root_causes': ['Improper error handling in '
'`SignTraits::DeriveBits()`',
'Insufficient validation of '
'user-supplied inputs in '
'asynchronous cryptographic '
'operations',
'Thread-safety issues in exception '
'handling']},
'recommendations': ['Immediately update Node.js to patched versions (20.19.2, '
'22.15.1, 23.11.1, 24.0.2)',
'Audit applications for exposure to untrusted inputs in '
'cryptographic operations',
'Monitor for unusual crashes or service disruptions as '
'potential exploitation indicators',
'Prioritize security updates in production environments '
'to maintain uptime',
'Consider migrating from EOL Node.js versions to '
'supported release lines'],
'references': [{'source': 'Node.js Security Advisory (CVE-2025-23166)'},
{'source': 'Node.js Security Policy'},
{'source': 'Node.js-sec Mailing List (Security Advisories)'}],
'response': {'communication_strategy': ['Official security advisory published',
'Subscription to Node.js-sec mailing '
'list for updates',
'Reference to Node.js security policy '
'for guidance'],
'containment_measures': ['Urgent security updates released for '
'all supported versions'],
'incident_response_plan_activated': True,
'remediation_measures': ['Patching to versions 20.19.2, 22.15.1, '
'23.11.1, or 24.0.2']},
'stakeholder_advisories': ['Developers and organizations using Node.js urged '
'to apply updates immediately',
'Warning about risks to authentication, data '
'protection, and secure communications'],
'title': 'Node.js High-Severity Denial of Service Vulnerability '
'(CVE-2025-23166)',
'type': ['Vulnerability',
'Denial of Service (DoS)',
'Remote Code Execution Risk'],
'vulnerability_exploited': {'affected_versions': ['20.x',
'22.x',
'23.x',
'24.x (all active release '
'lines)',
'End-of-Life (EOL) '
'versions'],
'cve_id': 'CVE-2025-23166',
'description': 'Improper error handling in '
'`SignTraits::DeriveBits()` during '
'asynchronous cryptographic '
'operations, allowing remote '
'crashes via untrusted input.',
'patched_versions': ['20.19.2 (LTS)',
'22.15.1 (LTS)',
'23.11.1 (Current)',
'24.0.2 (Current)']}}