Worker Thread Exposure in Node.js Affecting Various Versions
CVE-2025-23090

Currently unrated

Key Information:

Vendor: Node.js

CVE Published: 22 January 2025

What is CVE-2025-23090?

This vulnerability allows events to be hooked whenever a worker thread is created within Node.js. The hook exposes not only standard workers but also internal worker instances. Malicious users can exploit this by accessing the constructor of these internal workers, which can lead to misuse and elevation of privileges for users of the Permission Model.

Affected Version(s)

node 20.18.1

node 22.13.0

node 23.6.0

Timeline

  • Vulnerability published

  • Vulnerability Reserved
