CVE-2025-23166

NameCVE-2025-23166
DescriptionThe C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentially allows an adversary to remotely crash a Node.js runtime.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1105832

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
nodejs (PTS)bullseye12.22.12~dfsg-1~deb11u4fixed
bullseye (security)12.22.12~dfsg-1~deb11u7fixed
bookworm18.19.0+dfsg-6~deb12u2vulnerable
bookworm (security)18.19.0+dfsg-6~deb12u1vulnerable
sid, trixie20.19.2+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
nodejssourcebullseye(not affected)
nodejssource(unstable)20.19.2+dfsg-11105832

Notes

[bullseye] - nodejs <not-affected> (The vulnerable code was introduced later)
https://nodejs.org/en/blog/vulnerability/may-2025-security-releases#improper-error-handling-in-async-cryptographic-operations-crashes-process-cve-2025-23166---high
Introduced by: https://github.com/nodejs/node/commit/e60841b598ed5246c8dfc24a779c6b1b732d4f87 (v16.14.0)
Fixed by: https://github.com/nodejs/node/commit/6c57465920cf1b981a63031e71b1e4a73bf9beaa (v20.19.2)

Search for package or bug name: Reporting problems