Node.js vulnerability allows crashes

A critical security vulnerability, identified as CVE-2025-23166, has been uncovered in various versions of Node.js, prompting the issuance of an urgent patch on May 14, 2025.

This flaw affects Node.js versions 20.x, 22.x, 23.x, and 24.x and allows remote attackers to crash services, which can result in significant denial-of-service incidents. The vulnerability stems from improper error handling in asynchronous cryptographic operations, specifically in the C++ method SignTraits::DeriveBits().

Exploiting this flaw, adversaries can crash the Node.js runtime by supplying malformed input to crypto operations; the Node.js process terminates abruptly, raising serious concerns about service stability and reliability. The issue is particularly concerning because it affects every active release line. Node.js rates this asynchronous-crypto vulnerability as high severity, which underlines the urgency of applying the recommended patches.

The severity of this issue highlights an urgent need for patching, as failing to do so could lead to considerable service interruptions and increased downtime.

Additional vulnerabilities have likewise been identified, including CVE-2025-23167, a medium-severity vulnerability associated with the llhttp HTTP parser.

This issue, which affects Node.js 20.x prior to the llhttp v9 upgrade, arises from improper HTTP/1 header block termination. Such flaws may allow request smuggling attacks that circumvent access controls in proxy-based environments, so immediate remediation is needed by upgrading llhttp to version 9.2.0 or higher.

Furthermore, CVE-2025-23087 sheds light on the systemic risks related to all end-of-life Node.js versions up to v17.9.1.

These end-of-life versions also bundle outdated, unsupported dependencies such as OpenSSL v1, which adds further risk and underlines the importance of migrating to actively supported releases or using extended support services for legacy systems.
