CVE-2025-23083

Description

With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created. This is not limited only to workers but also exposes internal workers, where an instance of them can be fetched, and its constructor can be grabbed and reinstated for malicious usage. This vulnerability affects Permission Model users (--permission) on Node.js v20, v22, and v23.

How to fix CVE-2025-23083

To remediate CVE-2025-23083, upgrade the affected package to a fixed version below.

• —upgrade to 22.13.1-r0 or later
• —upgrade to 20.18.2 or later
• —upgrade to 20.18.2 or later
• —upgrade to 20.18.2+dfsg-1 or later

Is CVE-2025-23083 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (4)

• from 0, < 22.13.1-r0
• >= 19.0.0, < 20.18.2, >= 21.0.0, < 22.13.1, >= 23.0.0, < 23.8.0
• >= 19.0.0, < 20.18.2, >= 21.0.0, < 22.13.1, >= 23.0.0, < 23.8.0
• from 0, < 20.18.2+dfsg-1

CVSS scores

References (7)

• ADVISORYsecurity.alpinelinux.org/vuln/CVE-2025-23083
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2025-23083
• WEBnodejs.org/en/blog/vulnerability/january-2025-security-releases
• WEBnvd.nist.gov/vuln/detail/CVE-2025-23083