The Node.js project has issued urgent security updates after disclosing a high-severity vulnerability, CVE-2025-23166, that could allow remote attackers to crash Node.js processes, halting critical services and causing widespread denial of service across affected systems. The latest releases also address a medium-severity HTTP header parsing flaw (CVE-2025-23167) and a low-severity memory leak (CVE-2025-23165), but CVE-2025-23166 is the most urgent of the three because it can be triggered remotely.

According to the Node.js security advisory, the underlying issue lies in the C++ method SignTraits::DeriveBits(), which may incorrectly call ThrowException() based on user-supplied input while running in a background thread. Because that call happens off the main JavaScript thread, the result is not a catchable exception but a crash of the whole process. An attacker can therefore bring down a Node.js process by feeding crafted input into cryptographic operations, which routinely handle untrusted data. Since those operations underpin authentication, data protection, and secure communications, the flaw poses a significant risk to any Node.js application exposed to the internet.

The vulnerability affects all active Node.js release lines, including 20.x, 22.x, 23.x, and 24.x. End-of-Life (EOL) versions are also affected but may not receive further updates, leaving them vulnerable indefinitely unless upgraded.

For detailed guidance and ongoing updates, users should refer to the official Node.js security policy and subscribe to security advisories through the Node.js-sec mailing list. The Node.js team emphasizes the importance of staying current with security releases, especially in production environments where uptime and reliability are paramount. In short, CVE-2025-23166 lets attackers remotely crash Node.js processes, threatening the stability of services worldwide.
Published on cybersecuritynews.com. Publication date: Thu, 15 May 2025 09:29:54 +0000