The Node.js project has released updates to address several security vulnerabilities, including a high-severity flaw that could allow attackers to bypass worker permissions.
The vulnerability, tracked as CVE-2025-23083, affects Node.js versions 20, 22, and 23. It exists in the diagnostics_channel utility, which can be used to hook into events, including worker thread creation. This flaw could potentially be exploited to gain unauthorized access to sensitive data or resources.
In addition to the worker permission bypass vulnerability, the updates also patch two medium-severity flaws:
- CVE-2025-23084: Path traversal by drive name in Windows environments. This vulnerability could allow attackers to access files outside of the intended directory.
- CVE-2025-23085: A memory leak issue in HTTP/2 servers. This vulnerability could be exploited to cause a denial-of-service (DoS) condition.
The update also highlights vulnerabilities in Node.js versions that have reached EOL:
- CVE-2025-23087: Node.js v17.x or earlier
- CVE-2025-23088: Node.js v19.x
- CVE-2025-23089: Node.js v21.x
The updates have been released for the 23.x, 22.x, 20.x, and 18.x Node.js release lines. Users are urged to update their Node.js installations as soon as possible to mitigate these vulnerabilities.
