2339392 – (CVE-2025-23083) CVE-2025-23083 nodejs: Node.js Worker Thread Exposure via Diagnostics Channel

Bug 2339392 (CVE-2025-23083) - CVE-2025-23083 nodejs: Node.js Worker Thread Exposure via Diagnostics Channel

Summary: CVE-2025-23083 nodejs: Node.js Worker Thread Exposure via Diagnostics Channel

Keywords:
Status:	NEW
Alias:	CVE-2025-23083
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2341713 2341714 2341715 2341716
Blocks:
TreeView+	depends on / blocked

Reported:	2025-01-22 02:01 UTC by OSIDB Bzimport
Modified:	2025-04-06 19:04 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2025:1543	None	None	None	2025-02-17 08:27:34 UTC
Red Hat Product Errata	RHBA-2025:1701	None	None	None	2025-02-19 22:38:11 UTC
Red Hat Product Errata	RHBA-2025:1714	None	None	None	2025-02-20 08:50:06 UTC
Red Hat Product Errata	RHBA-2025:1967	None	None	None	2025-03-03 01:25:46 UTC
Red Hat Product Errata	RHSA-2025:1351	None	None	None	2025-02-12 15:23:43 UTC
Red Hat Product Errata	RHSA-2025:1443	None	None	None	2025-02-13 15:36:54 UTC
Red Hat Product Errata	RHSA-2025:1522	None	None	None	2025-02-17 04:45:01 UTC
Red Hat Product Errata	RHSA-2025:1611	None	None	None	2025-02-17 17:57:26 UTC
Red Hat Product Errata	RHSA-2025:1613	None	None	None	2025-02-17 19:17:27 UTC

Description OSIDB Bzimport 2025-01-22 02:01:08 UTC

With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created. This is not limited only to workers but also exposes internal workers, where an instance of them can be fetched, and its constructor can be grabbed and reinstated for malicious usage. 

This vulnerability affects Permission Model users (--permission) on Node.js v20, v22, and v23.

Comment 2 errata-xmlrpc 2025-02-12 15:23:42 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:1351 https://access.redhat.com/errata/RHSA-2025:1351

Comment 3 errata-xmlrpc 2025-02-13 15:36:53 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:1443 https://access.redhat.com/errata/RHSA-2025:1443

Comment 4 errata-xmlrpc 2025-02-17 04:45:00 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:1522 https://access.redhat.com/errata/RHSA-2025:1522

Comment 5 errata-xmlrpc 2025-02-17 17:57:25 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:1611 https://access.redhat.com/errata/RHSA-2025:1611

Comment 6 errata-xmlrpc 2025-02-17 19:17:26 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:1613 https://access.redhat.com/errata/RHSA-2025:1613

Note You need to log in before you can comment on or make changes to this bug.