CVE-2025-23090

Feb. 11, 2025, 12:15 a.m.

7.7
High

Description

With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created. This is not limited only to workers but also exposes internal workers, where an instance of them can be fetched, and its constructor can be grabbed and reinstated for malicious usage. This vulnerability affects Permission Model users (--permission) on Node.js v20, v22, and v23.

Product(s) Impacted

Product Versions
Node.js
  • ['20.x', '22.x', '23.x']

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-284
Improper Access Control
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

References

https://hackerone.com/reports/2575105

Tags

CWE-284
support@hackerone.com
2025-01-22
CVE-2025-23090

CVSS Score

7.7 / 10

CVSS Data - 3.0

  • Attack Vector: LOCAL
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: NONE

    • CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

    View Vector String

Timeline

Published: Jan. 22, 2025, 2:15 a.m.
Last Modified: Feb. 11, 2025, 12:15 a.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

support@hackerone.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.