CVE-2025-23083

Published

Last updated

NVD

https://nvd.nist.gov/vuln/detail/CVE-2025-23083

CGA ID

Description

With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created. This is not limited only to workers but also exposes internal workers, where an instance of them can be fetched, and its constructor can be grabbed and reinstated for malicious usage.

This vulnerability affects Permission Model users (--permission) on Node.js v20, v22, and v23.

References

https://images.chainguard.dev/security/CGA-r3qj-2r75-vwp5
https://github.com/advisories/GHSA-wv7p-rjf3-9fr5
https://security.netapp.com/advisory/ntap-20250228-0008/
https://nodejs.org/en/blog/vulnerability/january-2025-security-releases
https://security.alpinelinux.org/vuln/CVE-2025-23083
https://security-tracker.debian.org/tracker/CVE-2025-23083

Affected packages

Advisories are based on vulnerability information provided by Grype from Anchore. Learn how Chainguard creates security advisories.

CVE-2025-23083

Description

References

Affected packages

Product

Why Chainguard

Customers

Company

Resources