CVE-2025-23083: 
npm vulnerability analysis and mitigation

A high-severity vulnerability (CVE-2025-23083) was discovered in Node.js affecting versions 20, 22, and 23. The vulnerability exists in the diagnostics_channel utility, which allows an event to be hooked into whenever a worker thread is created. This vulnerability was discovered on January 21, 2025, and affects the Permission Model users utilizing the --permission flag (Node.js Blog, NVD).

The vulnerability exists in the diagnostics_channel utility where an event can be hooked into worker thread creation. The flaw exposes internal workers, allowing their instances to be fetched and their constructors to be grabbed and reinstated for malicious purposes. The vulnerability has received a CVSS v3.0 base score of 7.7 (High) with the vector string CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, indicating local access, low attack complexity, no privileges required, and high impact on confidentiality and integrity (Red Hat).

The vulnerability affects Permission Model users on Node.js versions 20.x, 22.x, and 23.x. When exploited, it allows attackers to bypass worker permissions and potentially gain unauthorized access to sensitive data and resources. The vulnerability impacts both confidentiality and integrity of the system, though availability remains unaffected (Security Online, Node.js Blog).

The Node.js project has released security updates to address this vulnerability. The fixed versions are: Node.js v18.20.6, v20.18.2, v22.13.1, and v23.6.1. Users are strongly advised to upgrade to these patched versions to mitigate the vulnerability (Node.js Blog).

The vulnerability has been acknowledged by major organizations including Red Hat, which has rated this update as having a security impact of Important. Credit for discovering the vulnerability has been given to leodog896, while RafaelGSS is credited with fixing it (Node.js Blog, Red Hat).