CVE-2025-23166 Information

Description

The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus this mechanism potentially allows an adversary to remotely crash a Node.js runtime.

Reference

https://nodejs.org/en/blog/vulnerability/may-2025-security-releases