Bug 2339392 (CVE-2025-23083)

Summary: CVE-2025-23083 nodejs: Node.js Worker Thread Exposure via Diagnostics Channel
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: caswilli, kaycoth
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Node.js diagnostics_channel. This vulnerability allows an attacker to reinstate and misuse worker constructors, potentially bypassing the Permission Model via hooking into events when a worker thread is created.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2341713, 2341714, 2341715, 2341716    
Bug Blocks:    

Description OSIDB Bzimport 2025-01-22 02:01:08 UTC 
With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created. This is not limited only to workers but also exposes internal workers, where an instance of them can be fetched, and its constructor can be grabbed and reinstated for malicious usage. 

This vulnerability affects Permission Model users (--permission) on Node.js v20, v22, and v23.
Comment 2 errata-xmlrpc 2025-02-12 15:23:42 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:1351 https://access.redhat.com/errata/RHSA-2025:1351
Comment 3 errata-xmlrpc 2025-02-13 15:36:53 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:1443 https://access.redhat.com/errata/RHSA-2025:1443
Comment 4 errata-xmlrpc 2025-02-17 04:45:00 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:1522 https://access.redhat.com/errata/RHSA-2025:1522
Comment 5 errata-xmlrpc 2025-02-17 17:57:25 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:1611 https://access.redhat.com/errata/RHSA-2025:1611
Comment 6 errata-xmlrpc 2025-02-17 19:17:26 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:1613 https://access.redhat.com/errata/RHSA-2025:1613