CVE-2025-23083 HIGH

Vendor: Nodejs
Product: Node
Published: January 22, 2025
Last update: February 26, 2026

CVSS base score

7.7/10
Attack vector: Local
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

What the vulnerability does

01 Description

Using the diagnostics_channel utility, code can hook an event that fires whenever a worker thread is created. This is not limited to ordinary workers: it also exposes internal workers, whose instance can be fetched and whose constructor can be grabbed and reinstated for malicious use. This vulnerability affects Permission Model users (--permission) on Node.js v20, v22, and v23.

Key dates

02 Disclosure timeline

January 22, 2025: CVE published
February 26, 2026: Record updated