High severity7.5NVD Advisory· Published May 19, 2025· Updated Apr 15, 2026
CVE-2025-23166
Description
The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentially allows an adversary to remotely crash a Node.js runtime.
Affected products
32 OSV package coordinates; the feed carries no CPE entries. Each entry is the package URL followed by the affected (unfixed) version range.
- pkg:apk/chainguard/nodejs-16  range: < 16.20.2-r15
- pkg:apk/chainguard/nodejs-16-doc  range: < 16.20.2-r15
- pkg:apk/chainguard/nodejs-21  range: < 21.7.3-r12
- pkg:apk/chainguard/nodejs-21-doc  range: < 21.7.3-r12
- pkg:apk/wolfi/nodejs-16  range: < 16.20.2-r15
- pkg:apk/wolfi/nodejs-16-doc  range: < 16.20.2-r15
- pkg:apk/wolfi/nodejs-21  range: < 21.7.3-r12
- pkg:apk/wolfi/nodejs-21-doc  range: < 21.7.3-r12
- pkg:bitnami/node  range: < 20.19.2
- pkg:bitnami/node-min  range: < 20.19.2
- pkg:rpm/almalinux/nodejs  range: < 1:22.16.0-1.module_el9.6.0+170+f035de78
- pkg:rpm/almalinux/nodejs-devel  range: < 1:22.16.0-1.module_el9.6.0+170+f035de78
- pkg:rpm/almalinux/nodejs-docs  range: < 1:22.16.0-1.module_el9.6.0+170+f035de78
- pkg:rpm/almalinux/nodejs-full-i18n  range: < 1:22.16.0-1.module_el9.6.0+170+f035de78
- pkg:rpm/almalinux/nodejs-libs  range: < 1:22.16.0-1.module_el9.6.0+170+f035de78
- pkg:rpm/almalinux/nodejs-nodemon  range: < 3.0.1-1.module_el9.5.0+139+09296491
- pkg:rpm/almalinux/nodejs-packaging  range: < 2021.06-4.module_el9.5.0+139+09296491
- pkg:rpm/almalinux/nodejs-packaging-bundler  range: < 2021.06-4.module_el9.5.0+139+09296491
- pkg:rpm/almalinux/npm  range: < 1:10.9.2-1.22.16.0.1.module_el9.6.0+170+f035de78
- pkg:rpm/almalinux/v8-12.4-devel  range: < 3:12.4.254.21-1.22.16.0.1.module_el9.6.0+170+f035de78
- pkg:rpm/opensuse/nodejs20&distro=openSUSE%20Leap%2015.6  range: < 20.19.2-150600.3.12.1
- pkg:rpm/opensuse/nodejs22&distro=openSUSE%20Leap%2015.6  range: < 22.15.1-150600.13.9.1
- pkg:rpm/opensuse/nodejs22&distro=openSUSE%20Tumbleweed  range: < 22.15.1-1.1
- pkg:rpm/opensuse/nodejs24&distro=openSUSE%20Tumbleweed  range: < 24.11.1-2.1
- pkg:rpm/opensuse/nodejs26&distro=openSUSE%20Tumbleweed  range: < 26.3.1-1.1
- pkg:rpm/suse/nodejs20&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-ESPOS  range: < 20.19.2-150500.11.21.1
- pkg:rpm/suse/nodejs20&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-LTSS  range: < 20.19.2-150500.11.21.1
- pkg:rpm/suse/nodejs20&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP6  range: < 20.19.2-150600.3.12.1
- pkg:rpm/suse/nodejs20&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP5-LTSS  range: < 20.19.2-150500.11.21.1
- pkg:rpm/suse/nodejs20&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP5  range: < 20.19.2-150500.11.21.1
- pkg:rpm/suse/nodejs22&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP6  range: < 22.15.1-150600.13.9.1
- pkg:rpm/suse/nodejs22&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP7  range: < 22.15.1-150700.3.3.1