CVE-2025-23166

Published May 19, 2025

Last updated a month ago

Overview

Description
The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentially allows an adversary to remotely crash a Node.js runtime.
Source
support@hackerone.com
NVD status
Awaiting Analysis

Risk scores

CVSS 3.0

Type
Secondary
Base score
7.5
Impact score
3.6
Exploitability score
3.9
Vector string
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Severity
HIGH

Social media

Hype score
Not currently trending
  1. #NodeJS Critical Alert! CVE-2025-23166 (8.2 CVSS) lets attackers crash apps via crypto ops. Patch with: zypper in -t patch SUSE-2025-1878=1 Details: 👉 https://t.co/efPdcmBljb #Infosec https://t.co/9s7QRtwckl

    @Cezar_H_Linux

    11 Jun 2025

    40 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. kusanagi-nodejs22 module update notice 22.15.1-1. We have updated the modules that make up KUSANAGI 9. The module versions applied by this update are as follows. nodejs

    @primestrategyjp

    21 May 2025

    75 Impressions

    1 Retweet

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. 🚨 CVE-2025-23166 – Node.js DoS flaw A bug in SignTraits::DeriveBits() can let attackers remotely crash Node.js apps via malformed crypto input. 🔸 Affects background threads 🔸 CVSS 7.5 🔗 https://t.co/cN8sTTeLks #Nodejs #CyberSecurity #CVE2025 https://t.co/l5wgoSwqa

    @BaseFortify

    19 May 2025

    30 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  4. Vulnerabilities have been discovered in "Node.js" (CVE-2025-23166, CVE-2025-23167, CVE-2025-23165). #ETX #certaz #cybersecurity #kibertəhlükəsizlik #xəbərdarlıq https://t.co/L8wLgMwlJx

    @CERTAzerbaijan

    19 May 2025

    30 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. kusanagi-nodejs22 module update notice 22.15.1-1. We have updated the modules that make up KUSANAGI 9. The module versions applied by this update are as follows. nodejs 22

    @kusanagi_saya

    19 May 2025

    79 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  6. 📌 Critical vulnerability in Node.js (CVE-2025-23166) can cause remote system crashes. Update immediately. #CyberSecurity #NodeJS https://t.co/tn6bgO65jq https://t.co/n5DS9qzxtU

    @CyberHub_blog

    15 May 2025

    2 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. 🚨Alert🚨CVE-2025-23166(HIGH) : Improper error handling in async cryptographic operations crashes process CVE-2025-23167(Medium) : Improper HTTP header block termination in llhttp 📊 26.4M+ Services are found on the https://t.co/ysWb28Crld yearly. 🔗Hunter https://t.co/wB

    @HunterMapping

    15 May 2025

    1 Impression

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes
